improve ssl certificate handling

- enable HttpClientBuilder#useSystemProperties() for better integration with IntelliJ certificate manager
- remove manual setup of PoolingHttpClientConnectionManager (better handled by HttpClientBuilder)
- add support for certificates that are signed by an untrusted authority and are not self signed - thanks to Jordan Armstrong for the hint

Related to issue #55

src/main/java/com/urswolfer/intellij/plugin/gerrit/rest/GerritApiUtil.java

@@ -43,7 +43,6 @@
 import org.apache.http.impl.client.BasicCredentialsProvider;
 import org.apache.http.impl.client.HttpClientBuilder;
 import org.apache.http.impl.client.HttpClients;
-import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
 import org.apache.http.protocol.BasicHttpContext;
 import org.apache.http.protocol.HttpContext;
 import org.apache.http.util.EntityUtils;
@@ -255,8 +254,7 @@ private HttpClientBuilder getHttpClient(GerritAuthData authData,
                                             HttpContext httpContext) {
         HttpClientBuilder client = HttpClients.custom();
 
-        PoolingHttpClientConnectionManager connectionManager = new PoolingHttpClientConnectionManager();
-        client.setConnectionManager(connectionManager);
+        client.useSystemProperties(); // see also: com.intellij.util.net.ssl.CertificateManager
 
         RequestConfig.Builder requestConfig = RequestConfig.custom()
             .setConnectTimeout(CONNECTION_TIMEOUT_MS) // how long it takes to connect to remote host

src/main/java/com/urswolfer/intellij/plugin/gerrit/rest/SslSupport.java

@@ -37,8 +37,11 @@
 import org.jetbrains.annotations.Nullable;
 import sun.security.validator.ValidatorException;
 
+import javax.net.ssl.SSLException;
 import java.io.IOException;
 import java.net.URISyntaxException;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
 import java.util.List;
 
 /**
@@ -93,7 +96,12 @@ private HttpResponse handleCertificateExceptionAndRetry(IOException e,
             // creating a special configuration that allows connections to non-trusted HTTPS hosts
             try {
                 SSLContextBuilder sslContextBuilder = new SSLContextBuilder();
-                sslContextBuilder.loadTrustMaterial(null, new TrustSelfSignedStrategy());
+                sslContextBuilder.loadTrustMaterial(null, new TrustSelfSignedStrategy() {
+                    @Override
+                    public boolean isTrusted(X509Certificate[] chain, String authType) throws CertificateException {
+                        return true;
+                    }
+                });
                 SSLConnectionSocketFactory sslConnectionSocketFactory = new SSLConnectionSocketFactory(
                         sslContextBuilder.build(), SSLConnectionSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
 
@@ -117,6 +125,9 @@ public boolean isCertificateException(Exception e) {
             if (throwable instanceof ValidatorException) {
                 return true;
             }
+            if (throwable instanceof SSLException) { // e.g. "SSLException: hostname in certificate didn't match: <localhost> != <unknown>"
+                return true;
+            }
         }
         return false;
     }

src/main/resources/META-INF/plugin.xml

@@ -83,6 +83,8 @@
           <ul>
             <li>fix handling of comma separated user names in push dialog</li>
             <li>improve HTTP proxy handling</li>
+            <li>improve SSL certificate handling (support for IntelliJ 13.1 certificate manager,
+            certificates signed by an untrusted authority)</li>
             <li>minor fixes and improvements</li>
           </ul>
           <li>0.7.0</li>