This is an automated email from the ASF dual-hosted git repository.

cstamas pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/maven-resolver.git


The following commit(s) were added to refs/heads/master by this push:
     new 3927899b [MRESOLVER-579] Fix overwrite of SSLParameters in JDK HTTP 
transport when securityMode is "insecure" (#529)
3927899b is described below

commit 3927899b2c76fa7850559490cd6458e1ac0f601d
Author: Paul Scholz <scholzi_p...@me.com>
AuthorDate: Tue Jul 9 11:43:51 2024 +0200

    [MRESOLVER-579] Fix overwrite of SSLParameters in JDK HTTP transport when 
securityMode is "insecure" (#529)
    
    I have been experimenting with Maven 4.0.0-beta-4, specifically testing its 
HTTP/2 support. During my tests, I used a self-signed certificate for the 
testing repository and disabled TLS validation. This approach produced 
unexpected behavior. While TLS certificate validation was indeed disabled as 
expected, it also caused the ALPN extension to be omitted from the Client Hello 
message.
    
    To further investigate, I added the self-signed certificate to the JDK's 
cacerts keystore and removed the insecure option. With this configuration, ALPN 
support was restored, and HTTP/2 worked correctly again. This behavior can lead 
to problems if the server prioritizes HTTP/2 or does not support HTTP/1.1.
    
    This change addresses an issue where SSLParameters were being overwritten 
(introduced in 08f102a4579a911afff8a8301cb1a708c3bc26af), causing the loss of 
multiple TLS extensions, including ALPN and SNI. Setting the 
`aether.transport.https.securityMode=insecure` property disables TLS validation 
but also inadvertently disables ALPN and SNI.
    
    Now, SSLParameters are derived from SSLContext defaults to ensure proper 
handling of these extensions, even when TLS validation is disabled in JDK HTTP 
transport.
    
    ---
    
    https://issues.apache.org/jira/browse/MRESOLVER-579
---
 .../src/main/java/org/eclipse/aether/transport/jdk/JdkTransporter.java  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git 
a/maven-resolver-transport-jdk-parent/maven-resolver-transport-jdk-11/src/main/java/org/eclipse/aether/transport/jdk/JdkTransporter.java
 
b/maven-resolver-transport-jdk-parent/maven-resolver-transport-jdk-11/src/main/java/org/eclipse/aether/transport/jdk/JdkTransporter.java
index 6287ff6c..780f182d 100644
--- 
a/maven-resolver-transport-jdk-parent/maven-resolver-transport-jdk-11/src/main/java/org/eclipse/aether/transport/jdk/JdkTransporter.java
+++ 
b/maven-resolver-transport-jdk-parent/maven-resolver-transport-jdk-11/src/main/java/org/eclipse/aether/transport/jdk/JdkTransporter.java
@@ -488,7 +488,7 @@ final class JdkTransporter extends AbstractTransporter 
implements HttpTransporte
                             .sslContext(sslContext);
 
                     if (insecure) {
-                        SSLParameters sslParameters = new SSLParameters();
+                        SSLParameters sslParameters = 
sslContext.getDefaultSSLParameters();
                         sslParameters.setEndpointIdentificationAlgorithm(null);
                         builder.sslParameters(sslParameters);
                     }
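Review bot: the replaced line `SSLParameters sslParameters = sslContext.getDefaultSSLParameters();` carries no comment saying why the context defaults are required here instead of a fresh `new SSLParameters()`, and the diffstat lists only JdkTransporter.java with no test, so a later cleanup can reintroduce the exact regression the message attributes to 08f102a4. Suggest a one-line comment on that line referencing MRESOLVER-579 (a bare `new SSLParameters()` has null cipher-suite and protocol lists and an empty ALPN list, whereas `getDefaultSSLParameters()` carries the context's defaults), plus a unit test that builds the transporter with `aether.transport.https.securityMode=insecure` and asserts on the resulting client's `sslParameters()` that `getEndpointIdentificationAlgorithm()` is null while `getProtocols()` is still populated. Two things to confirm rather than change: `getDefaultSSLParameters()` returns a copy, so the following `setEndpointIdentificationAlgorithm(null)` does not mutate shared SSLContext state; and using the defaults rather than `getSupportedSSLParameters()` is the right choice, since the supported set would also enable protocol versions and cipher suites that are disabled by default.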
