Option to ignore SSL Certificate Errors
In some cases, such as when using self-signed certificates, it may be helpful to be able to ignore cert errors.
Jenkins' GitLab plugin has such an option, for example, and I think it uses the same Java library:
When connecting with such a self-signed cert right now, I simply get:
Invalid TLS Certificate: You can disable certificate checking by setting ignoreCertificateErrors on GitlabHTTPRequestor
No need to use a self-signed cert. There are plenty of certificate authority management scripts in the wild that one could use to create their own CA to secure GitLab. Generally, insecure SSL only provides confidentiality but no checking of identity, i.e. anyone could man-in-the-middle you and you wouldn't know.
I'm not saying it shouldn't be an option. But I personally avoid in general running insecure services (disabling identity checking is insecure).
I had the same problem although we had a valid signed server certificate. Maybe it has something to do with proxy settings, e.g. the GitLab API cannot check against authorities, because it has no knowledge about our proxy. Our GitLab is internal.
I had a look in the source and found it easier to ignore the certificate errors. OK, it is less secure, but if it's in an internal network, I don't see an issue.
I created a pull request (Settings for ignore certificate errors #24).
Best Regards, Dirk
This is something that is definitely necessary for internal instances of GitLab. As it stands, I have been unable to use https for this connector since we self-sign all of our certificates, and it appears that the connector doesn't work at all over http.
Also, I have a handy set of scripts which you can use to create a certificate authority and manage certificates.
I plan to simplify those scripts further so that they work on OS X. Right now they only work on Linux. It's mainly because of the differences in BSD and GNU getopt.
I found a way to use a self-signed certificate. You must create a keystore.jks with your organization-gitlab cert and add the javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword parameters to the eclipse.ini.
See:
http://help.eclipse.org/luna/index.jsp?topic=%2Forg.eclipse.mylyn.help.ui%2FMylyn%2FFAQ%2FTask-Repositories.html
My eclipse.ini:
-startup
plugins/org.eclipse.equinox.launcher_1.3.201.v20161025-1711.jar
--launcher.library
plugins/org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.401.v20161122-1740
-product
org.eclipse.epp.package.jee.product
--launcher.defaultAction
openFile
-showsplash
org.eclipse.platform
--launcher.defaultAction
openFile
--launcher.appendVmargs
-vm
C:/Tools/jdk1.8.0_121/bin/javaw.exe
-vmargs
-Djavax.net.ssl.trustStorePassword=123456
-Djavax.net.ssl.trustStore=C:/Tools/eclipse-jee-neon-2-win32-x86_64/keystore.jks
-Dosgi.requiredJavaVersion=1.8
-XX:+UseG1GC
-XX:+UseStringDeduplication
-Dosgi.requiredJavaVersion=1.8
-Xms256m
-Xmx1024m
Is this still necessary regarding the development with Let's Encrypt?
Yes, because the server is not always available from outside the company LAN, which is a requirement of Let's Encrypt.
The solution provided by @jorge-mikitiuk is a no-go, because the newly created keystore does not contain all needed certs for other usages: you cannot install any package from the marketplace.
Is there a way to IGNORE the certificate somewhere? Maybe this option could be configurable from the mylyn-gitlab preferences?
Thanks!