Merge pull request #5856 from square/jwilson.0307.no_trusts

Allow for users who have disabled certificate checks in dev. (4.4.x branch)
2026-01-14 07:22:20 +03:00 · 2020-03-07 13:58:37 -05:00
parent 44124ba2a3 f5d669cd0f
commit 7ea7c15e6b
4 changed files with 54 additions and 13 deletions
--- a/okhttp/src/main/java/okhttp3/Handshake.kt
+++ b/okhttp/src/main/java/okhttp3/Handshake.kt
@@ -48,8 +48,13 @@ class Handshake internal constructor(
  peerCertificatesFn: () -> List<Certificate>
 ) {
  /** Returns a possibly-empty list of certificates that identify the remote peer. */
-  @get:JvmName("peerCertificates") val peerCertificates: List<Certificate> by lazy(
-      peerCertificatesFn)
+  @get:JvmName("peerCertificates") val peerCertificates: List<Certificate> by lazy {
+    try {
+      peerCertificatesFn()
+    } catch (spue: SSLPeerUnverifiedException) {
+      listOf<Certificate>()
+    }
+  }

  @JvmName("-deprecated_tlsVersion")
  @Deprecated(
@@ -121,11 +126,7 @@ class Handshake internal constructor(
  }

  override fun toString(): String {
-    val peerCertificatesString = try {
-      peerCertificates.map { it.name }.toString()
-    } catch (_: SSLPeerUnverifiedException) {
-      "Failed: SSLPeerUnverifiedException"
-    }
+    val peerCertificatesString = peerCertificates.map { it.name }.toString()
    return "Handshake{" +
        "tlsVersion=$tlsVersion " +
        "cipherSuite=$cipherSuite " +
--- a/okhttp/src/main/java/okhttp3/internal/connection/ExchangeFinder.kt
+++ b/okhttp/src/main/java/okhttp3/internal/connection/ExchangeFinder.kt
@@ -142,9 +142,10 @@ class ExchangeFinder(
    synchronized(connectionPool) {
      if (call.isCanceled()) throw IOException("Canceled")

-      releasedConnection = call.connection
-      toClose = if (call.connection != null &&
-          (call.connection!!.noNewExchanges || !call.connection!!.supportsUrl(address.url))) {
+      val callConnection = call.connection // changes within this overall method
+      releasedConnection = callConnection
+      toClose = if (callConnection != null && (callConnection.noNewExchanges ||
+              !callConnection.supportsUrl(address.url))) {
        call.releaseConnectionNoEvents()
      } else {
        null
--- a/okhttp/src/main/java/okhttp3/internal/connection/RealConnection.kt
+++ b/okhttp/src/main/java/okhttp3/internal/connection/RealConnection.kt
@@ -576,9 +576,14 @@ class RealConnection(
    }

    // We have a host mismatch. But if the certificate matches, we're still good.
-    return !noCoalescedConnections &&
-        handshake != null &&
-        OkHostnameVerifier.verify(url.host, handshake!!.peerCertificates[0] as X509Certificate)
+    return !noCoalescedConnections && handshake != null && certificateSupportHost(url, handshake!!)
+  }
+
+  private fun certificateSupportHost(url: HttpUrl, handshake: Handshake): Boolean {
+    val peerCertificates = handshake.peerCertificates
+
+    return peerCertificates.isNotEmpty() && OkHostnameVerifier.verify(url.host,
+        peerCertificates[0] as X509Certificate)
  }

  @Throws(SocketException::class)
--- a/okhttp/src/test/java/okhttp3/ConnectionCoalescingTest.java
+++ b/okhttp/src/test/java/okhttp3/ConnectionCoalescingTest.java
@@ -19,12 +19,14 @@ import java.io.IOException;
 import java.net.InetAddress;
 import java.net.InetSocketAddress;
 import java.net.Proxy;
+import java.security.cert.X509Certificate;
 import java.util.Collections;
 import java.util.List;
 import java.util.concurrent.CountDownLatch;
 import java.util.concurrent.atomic.AtomicInteger;
 import java.util.concurrent.atomic.AtomicReference;
 import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.X509TrustManager;
 import okhttp3.mockwebserver.MockResponse;
 import okhttp3.mockwebserver.MockWebServer;
 import okhttp3.testing.PlatformRule;
@@ -432,6 +434,38 @@ public final class ConnectionCoalescingTest {
    assertThat(client.connectionPool().connectionCount()).isEqualTo(2);
  }

+  /**
+   * Won't coalesce if we can't clean certs e.g. a dev setup.
+   */
+  @Test public void redirectWithDevSetup() throws Exception {
+    X509TrustManager TRUST_MANAGER = new X509TrustManager() {
+      @Override
+      public void checkClientTrusted(X509Certificate[] x509Certificates, String s) {
+      }
+
+      @Override
+      public void checkServerTrusted(X509Certificate[] x509Certificates, String s) {
+      }
+
+      @Override
+      public X509Certificate[] getAcceptedIssuers() {
+        return new X509Certificate[0];
+      }
+    };
+
+    client = client.newBuilder().sslSocketFactory(client.sslSocketFactory(), TRUST_MANAGER).build();
+
+    server.enqueue(new MockResponse());
+    server.enqueue(new MockResponse());
+
+    assert200Http2Response(execute(url), server.getHostName());
+
+    HttpUrl sanUrl = url.newBuilder().host("san.com").build();
+    assert200Http2Response(execute(sanUrl), "san.com");
+
+    assertThat(client.connectionPool().connectionCount()).isEqualTo(2);
+  }
+
  private Response execute(HttpUrl url) throws IOException {
    return client.newCall(new Request.Builder().url(url).build()).execute();
  }