allow connection to TLS servers that don't get their own domain name right webid
authorHenry Story <henry.story@bblfish.net>
Wed, 11 Apr 2012 14:56:25 +0200
branchwebid
changeset 197 c6520ef80d5c
parent 196 3053b87b4ff2
child 198 014d92d1bb13
allow connection to TLS servers that don't get their own domain name right
src/main/scala/GraphCache.scala
src/main/scala/ReadWriteWebMain.scala
--- a/src/main/scala/GraphCache.scala	Wed Apr 11 12:00:41 2012 +0200
+++ b/src/main/scala/GraphCache.scala	Wed Apr 11 14:56:25 2012 +0200
@@ -72,21 +72,26 @@
     client.getParams.setParameter(CoreConnectionPNames.SO_TIMEOUT, 15000)
   }
 
-  lazy val sslClientSecure = Option(System.getProperty("rww.clientTLSsecurity")).map{
-    case "secure" => true
-    case _ => false
-  }.getOrElse(false)
+  Option(System.getProperty("rww.clientTLSsecurity")).map {
+    case "noCA" => {
+      val sf = new SSLSocketFactory(new TrustStrategy {
+        def isTrusted(chain: Array[X509Certificate], authType: String) = true
+      });
+      insecure(sf)
+    }
+    case "noDomain" => {
+      val sf = new SSLSocketFactory(new TrustStrategy {
+        def isTrusted(chain: Array[X509Certificate], authType: String) = true
+      }, SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
+      insecure(sf);
+    }
+    case "secure" => Unit
+  }
 
 
-  if (!sslClientSecure) try {
-    val sf = new SSLSocketFactory(new TrustStrategy {
-      def isTrusted(chain: Array[X509Certificate], authType: String) = true
-    });
-    val scheme = new Scheme("https", 443, sf);
-    http.client.getConnectionManager().getSchemeRegistry().register(scheme);
-  } catch {
-    case e: NoSuchAlgorithmException => logger.error("missing alogrithm ",e)
-    case other => logger.error("cought an error setting client",other); throw other;
+  def insecure(sf: SSLSocketFactory): Unit = {
+    val scheme = new Scheme("https", 443, sf)
+    http.client.getConnectionManager().getSchemeRegistry().register(scheme)
   }
 
   def basePath = null //should be cache dir?
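Review bot: The match on `rww.clientTLSsecurity` at L21–L35 has no fallback arm, so any value other than `noCA`, `noDomain` or `secure` (including the old `insecure` spelling that the previous help text documented) now fails with a `MatchError` while this object is being initialised, and the `NoSuchAlgorithmException` logging that the removed block had is gone with it, so a factory that cannot be built is no longer reported. The block runs purely for its side effect, so `foreach` reads better than `map`, and `case "secure" => Unit` evaluates to the `Unit` companion object rather than `()`. Both insecure arms install a `TrustStrategy` that accepts every chain, and `noDomain` additionally disables hostname verification for every https connection this client makes, yet nothing is logged when that happens; I would add `logger.warn("client TLS server verification disabled: rww.clientTLSsecurity=" + mode)` inside `insecure` (passing the mode string in) and close the match with `case other => logger.error("unknown rww.clientTLSsecurity value: " + other)` so a typo degrades to the secure default instead of aborting startup.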
--- a/src/main/scala/ReadWriteWebMain.scala	Wed Apr 11 12:00:41 2012 +0200
+++ b/src/main/scala/ReadWriteWebMain.scala	Wed Apr 11 14:56:25 2012 +0200
@@ -35,9 +35,10 @@
   |  --http  start server as plain http server
   |  --https start server as in secured mode using https (TLS)
   |  --language [turtle, rdfxml] save RDF in one of the given formats on disk
-  |  --clientTLS [secure, insecure] client connections abide by CA verification
+  |  --clientTLS [secure, noCA, noDomain] client connections abide by CA verification
   |   * secure : if server certificate is not signed by well known CA don't accept
-  |   * insecure: if the server certificate is not signed by well known CA ignore and continue
+  |   * noCA: if the server certificate is not signed by well known CA ignore and continue
+  |   * noDomain: for test situations where the server certificate does not even name the machine it is on correctly
   |   * [todo: add more flexible server certificate verification mechanisms]
   |
   |NOTES
@@ -71,10 +72,14 @@
   val clientTLSsecurity = parser.option[Boolean](List("clientTLS"),"c","client TLS connection security level") {
     (sValue, opt) =>
       sValue match {
-        case "insecure" => {
+        case "noCA" => {
           //todo: work with system property as a hack for the moment, as passing around conexts is going to require
           //      a lot of rewriting
-          System.setProperty("rww.clientTLSsecurity","insecure")
+          System.setProperty("rww.clientTLSsecurity","noCA")
+          false
+        }
+        case "noDomain" => {
+          System.setProperty("rww.clientTLSsecurity","noDomain")
           false
         }
         case _ => {
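Review bot: `--clientTLS insecure`, the value the previous help text documented, is no longer matched by the new arms at L73 and L80, so it falls through to the `case _` arm at L84 (whose body continues outside the hunk) and, as far as can be seen here, the user gets no message that their setting was ignored; presumably that leaves the client in secure mode, which is the safe direction, but a warning naming the accepted values would save an operator from believing the insecure mode is active when it is not. The two new arms differ only in the string they store, so `case "noCA" | "noDomain" => System.setProperty("rww.clientTLSsecurity", sValue); false` keeps the property in step with the help text at L60–L64 and cannot drift when another mode is added. The `noDomain` help text describes it as a test-only setting, but nothing enforces that, and the GraphCache change in this same commit shows it also accepts any certificate chain; the help line should say so, e.g. `noDomain: also skips CA verification; every https connection made by this server is affected`.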