Maven Changes Plugin / MCHANGES-175

Allow accessing JIRA instances that use untrusted certificates

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Critical
    • Resolution: Incomplete
    • Affects Version/s: 2.1
    • Fix Version/s: None
    • Component/s: jira
    • Labels: None
    • Number of attachments: 1

      Description

      We have an intranet Jira setup with https to have integration with LDAP. The certificate used is an internal one not issued by any CA.

      While accessing this repository, jira-report throws the exception below:
      -------------------------------
      javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1476)
      at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
      at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
      at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:847)
      at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
      at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
      at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:815)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1025)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:619)
      at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
      at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
      at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
      at org.apache.commons.httpclient.HttpConnection.flushRequestOutputStream(HttpConnection.java:827)
      at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:1975)
      at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:993)
      at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:397)
      at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:170)
      at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
      at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
      at org.apache.maven.plugin.jira.JiraHelper.getPidFromJira(JiraHelper.java:55)
      at org.apache.maven.plugin.jira.AbstractJiraDownloader.doExecute(AbstractJiraDownloader.java:363)
      at org.apache.maven.plugin.jira.JiraMojo.executeReport(JiraMojo.java:245)
      ------------------------------------

          Activity

          Krishna Pothula added a comment -

          And the root cause is...

          Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
          at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:236)
          at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:194)
          at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:216)

          Benjamin Bentmann added a comment -

          That doesn't look like an issue in the plugin itself but usually means that the server uses a certificate that is not part of your JDK's trust store. See the keytool help for details on how to import either the certificate of the server or the certificates of the issuers of the server certificate.

          Krishna Pothula added a comment -

          Thank you for the quick response.

          I can add that cert to my local trust store, but we have Hudson where we actually do the builds and site documentation generation. Most of the users don't have permissions to do that on the CI server. I have been trying to use the jira-report for quite some time and I could not because of this error.

          I currently found a solution and am testing it by building changes-plugin locally. It seems to work fine.

          Solution is to use a Custom SocketFactory with HttpClient.
          http://hc.apache.org/httpclient-3.x/sslguide.html

          I am planning to submit a patch for this bug by tomorrow.

          Krishna Pothula added a comment -

          Attached is the Patch that'll fix the bug.

          In this patch a new plugin property is introduced "acceptUntrustedCert". If this property is set to true then this plugin will work with self-signed or untrusted SSL certificates.

          I sincerely hope this will be added to the 2.2 version of this plugin.

          Florian Brunner added a comment -

          There is a similar issue with trac-report. Please make it work for this goal as well.

          Maybe an SSL trust-store configuration would be useful as well.

          Dennis Lundberg added a comment -

          Lowering priority on this issue as there are work-arounds available. Either add the cert to the JDK trust store or get a cert that can be validated by the JDK's available root certs.

          Benson Margulies added a comment -

          Unfortunately, this patch has gone stale due to intervening changes.

          Could you possibly update it?

          Benson Margulies added a comment -

          No response in over six months, problem with workaround, closing.


            People

            • Assignee: Benson Margulies
            • Reporter: Krishna Pothula
            • Votes: 2
            • Watchers: 3
