(ping) Ping server should not validate certificates

(crawler) Crawler should validate certificates
2025-10-06 07:32:38 +02:00 · 2025-06-16 00:08:30 +02:00 · 2025-06-16 00:06:57 +02:00
2 changed files with 40 additions and 38 deletions
--- a/code/processes/crawling-process/java/nu/marginalia/crawl/fetcher/HttpFetcherImpl.java
+++ b/code/processes/crawling-process/java/nu/marginalia/crawl/fetcher/HttpFetcherImpl.java
@@ -36,7 +36,6 @@ import org.apache.hc.core5.http.io.support.ClassicRequestBuilder;
 import org.apache.hc.core5.http.message.MessageSupport;
 import org.apache.hc.core5.http.protocol.HttpContext;
 import org.apache.hc.core5.pool.PoolStats;
 import org.apache.hc.core5.ssl.SSLContextBuilder;
 import org.apache.hc.core5.util.TimeValue;
 import org.apache.hc.core5.util.Timeout;
 import org.jsoup.Jsoup;
@@ -49,15 +48,12 @@ import org.slf4j.MarkerFactory;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLException;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.X509TrustManager;
 import java.io.IOException;
 import java.net.SocketTimeoutException;
 import java.net.URISyntaxException;
 import java.net.UnknownHostException;
 import java.security.KeyManagementException;
 import java.security.NoSuchAlgorithmException;
 import java.security.cert.X509Certificate;
 import java.time.Duration;
 import java.time.Instant;
 import java.util.*;
@@ -99,42 +95,12 @@ public class HttpFetcherImpl implements HttpFetcher, HttpRequestRetryStrategy {
                .setValidateAfterInactivity(TimeValue.ofSeconds(5))
                .build();
        // No-op up front validation of server certificates.
        //
        // We will validate certificates later, after the connection is established
        // as we want to store the certificate chain and validation
        // outcome to the database.
        var trustMeBro = new X509TrustManager() {
            private X509Certificate[] lastServerCertChain;
            @Override
            public void checkClientTrusted(X509Certificate[] chain, String authType) {
            }
            @Override
            public void checkServerTrusted(X509Certificate[] chain, String authType) {
                this.lastServerCertChain = chain.clone();
            }
            @Override
            public X509Certificate[] getAcceptedIssuers() {
                return new X509Certificate[0];
            }
            public X509Certificate[] getLastServerCertChain() {
                return lastServerCertChain != null ? lastServerCertChain.clone() : null;
            }
        };
        SSLContext sslContext = SSLContextBuilder.create().build();
        sslContext.init(null, new TrustManager[]{trustMeBro}, null);
        connectionManager = PoolingHttpClientConnectionManagerBuilder.create()
                .setMaxConnPerRoute(2)
                .setMaxConnTotal(5000)
                .setDefaultConnectionConfig(connectionConfig)
-                .setTlsSocketStrategy(new DefaultClientTlsStrategy(sslContext))
+                .setTlsSocketStrategy(new DefaultClientTlsStrategy(SSLContext.getDefault()))
                .build();
        connectionManager.setDefaultSocketConfig(SocketConfig.custom()
--- a/code/processes/ping-process/java/nu/marginalia/ping/io/HttpClientProvider.java
+++ b/code/processes/ping-process/java/nu/marginalia/ping/io/HttpClientProvider.java
@@ -18,13 +18,18 @@ import org.apache.hc.core5.http.HttpResponse;
 import org.apache.hc.core5.http.io.SocketConfig;
 import org.apache.hc.core5.http.message.MessageSupport;
 import org.apache.hc.core5.http.protocol.HttpContext;
 import org.apache.hc.core5.ssl.SSLContextBuilder;
 import org.apache.hc.core5.util.TimeValue;
 import org.apache.hc.core5.util.Timeout;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.X509TrustManager;
 import java.security.KeyManagementException;
 import java.security.NoSuchAlgorithmException;
 import java.security.cert.X509Certificate;
 import java.util.Iterator;
 import java.util.concurrent.TimeUnit;
@@ -37,24 +42,55 @@ public class HttpClientProvider implements Provider<HttpClient> {
    static {
        try {
            client = createClient();
-        } catch (NoSuchAlgorithmException e) {
+        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }
-    private static CloseableHttpClient createClient() throws NoSuchAlgorithmException {
+    private static CloseableHttpClient createClient() throws NoSuchAlgorithmException, KeyManagementException {
        final ConnectionConfig connectionConfig = ConnectionConfig.custom()
                .setSocketTimeout(15, TimeUnit.SECONDS)
                .setConnectTimeout(15, TimeUnit.SECONDS)
                .setValidateAfterInactivity(TimeValue.ofSeconds(5))
                .build();
        // No-op up front validation of server certificates.
        //
        // We will validate certificates later, after the connection is established
        // as we want to store the certificate chain and validation
        // outcome to the database.
        var trustMeBro = new X509TrustManager() {
            private X509Certificate[] lastServerCertChain;
            @Override
            public void checkClientTrusted(X509Certificate[] chain, String authType) {
            }
            @Override
            public void checkServerTrusted(X509Certificate[] chain, String authType) {
                this.lastServerCertChain = chain.clone();
            }
            @Override
            public X509Certificate[] getAcceptedIssuers() {
                return new X509Certificate[0];
            }
            public X509Certificate[] getLastServerCertChain() {
                return lastServerCertChain != null ? lastServerCertChain.clone() : null;
            }
        };
        SSLContext sslContext = SSLContextBuilder.create().build();
        sslContext.init(null, new TrustManager[]{trustMeBro}, null);
        connectionManager = PoolingHttpClientConnectionManagerBuilder.create()
                .setMaxConnPerRoute(2)
                .setMaxConnTotal(50)
                .setDefaultConnectionConfig(connectionConfig)
                .setTlsSocketStrategy(
-                        new DefaultClientTlsStrategy(SSLContext.getDefault(), NoopHostnameVerifier.INSTANCE))
+                        new DefaultClientTlsStrategy(sslContext, NoopHostnameVerifier.INSTANCE))
                .build();
        connectionManager.setDefaultSocketConfig(SocketConfig.custom()
Author	SHA1	Message	Date
Viktor Lofgren	d556f8ae3a	(ping) Ping server should not validate certificates	2025-06-16 00:08:30 +02:00
Viktor Lofgren	e37559837b	(crawler) Crawler should validate certificates	2025-06-16 00:06:57 +02:00