Re: [jgit-dev] GitServlet, http.sslVerify=false, and hostnames

Now I see.
TransportHttp is setting a dummy TrustManager, but not a dummy
HostnameVerifier.

Bummer.

Would the team consider either:
1. adding a new config setting (http.hostnameVerify=false) and a
corresponding dummy hostname verifier
2. automatically setting a dummy hostname verifier if
http.sslVerify=false? (maybe too dangerous?)

Or would either of those require negotiation with the native Git team?


Something like....

TransportHttp.disableSslVerifyUrl(URLConnection conn, boolean verifyHostnames) {
    ...
    final HttpsURLConnection sslConn = (HttpsURLConnection) conn;
    sslConn.setSSLSocketFactory(ctx.getSocketFactory());
    if (!verifyHostnames) {
        sslConn.setHostnameVerifier(new DummyHostnameVerifier());
    }
    ...
}

private static class DummyHostnameVerifier implements HostnameVerifier {
    @Override
    public boolean verify(String hostname, SSLSession session) {
        return true;
    }
}

-J
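
Added example, not part of the original message and not JGit code: a narrower alternative to a verifier that returns true for every host, which accepts a mismatched hostname only when that host is explicitly listed and the server's leaf certificate matches a pinned SHA-256 fingerprint. With a dummy TrustManager in place, that pin is the only check still binding the connection to a known server. The class name, the hostname and the all-zero fingerprint are constructed placeholders, and Java 17 or later is assumed.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.HexFormat;
import java.util.Locale;
import java.util.Map;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

// Hypothetical class. HttpsURLConnection calls its HostnameVerifier only
// after the built-in hostname check has failed, so this code runs exactly
// where DummyHostnameVerifier would have returned true.
public class PinnedHostnameVerifier implements HostnameVerifier {
    // lowercase hostname -> hex SHA-256 of the expected leaf certificate (DER)
    private final Map<String, String> pins;

    public PinnedHostnameVerifier(Map<String, String> pins) {
        this.pins = Map.copyOf(pins);
    }

    @Override
    public boolean verify(String hostname, SSLSession session) {
        String expected = pins.get(hostname.toLowerCase(Locale.ROOT));
        if (expected == null) {
            return false; // host was never explicitly exempted
        }
        try {
            Certificate leaf = session.getPeerCertificates()[0];
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(leaf.getEncoded());
            return MessageDigest.isEqual(digest, HexFormat.of().parseHex(expected));
        } catch (SSLPeerUnverifiedException | GeneralSecurityException | IllegalArgumentException e) {
            return false; // fail closed on a missing peer cert or a malformed pin
        }
    }

    public static void main(String[] args) {
        // Constructed sample pin: placeholder host, all-zero fingerprint.
        PinnedHostnameVerifier v = new PinnedHostnameVerifier(
                Map.of("git.internal.example", "00".repeat(32)));
        // An unlisted host is rejected without consulting the TLS session.
        System.out.println(v.verify("other.example", null));
    }
}
```

Install it per connection with setHostnameVerifier on the HttpsURLConnection rather than through setDefaultHostnameVerifier, so the exemption does not apply to every HTTPS connection in the JVM.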

