(ping) Limit SSL certificate validity dates to a maximum timestamp as permitted by database

(ping) Handle null case for Subject Alternative Names in SSL certificates
(ping) Ping server should not validate certificates
2025-10-06 07:32:38 +02:00 · 2025-06-16 00:32:03 +02:00 · 2025-06-16 00:27:37 +02:00 · 2025-06-16 00:08:30 +02:00 · 2025-06-16 00:06:57 +02:00
4 changed files with 54 additions and 43 deletions
--- a/code/processes/crawling-process/java/nu/marginalia/crawl/fetcher/HttpFetcherImpl.java
+++ b/code/processes/crawling-process/java/nu/marginalia/crawl/fetcher/HttpFetcherImpl.java
@@ -36,7 +36,6 @@ import org.apache.hc.core5.http.io.support.ClassicRequestBuilder;
 import org.apache.hc.core5.http.message.MessageSupport;
 import org.apache.hc.core5.http.protocol.HttpContext;
 import org.apache.hc.core5.pool.PoolStats;
-import org.apache.hc.core5.ssl.SSLContextBuilder;
 import org.apache.hc.core5.util.TimeValue;
 import org.apache.hc.core5.util.Timeout;
 import org.jsoup.Jsoup;
@@ -49,15 +48,12 @@ import org.slf4j.MarkerFactory;

 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLException;
-import javax.net.ssl.TrustManager;
-import javax.net.ssl.X509TrustManager;
 import java.io.IOException;
 import java.net.SocketTimeoutException;
 import java.net.URISyntaxException;
 import java.net.UnknownHostException;
 import java.security.KeyManagementException;
 import java.security.NoSuchAlgorithmException;
-import java.security.cert.X509Certificate;
 import java.time.Duration;
 import java.time.Instant;
 import java.util.*;
@@ -99,42 +95,12 @@ public class HttpFetcherImpl implements HttpFetcher, HttpRequestRetryStrategy {
                .setValidateAfterInactivity(TimeValue.ofSeconds(5))
                .build();

-        // No-op up front validation of server certificates.
-        //
-        // We will validate certificates later, after the connection is established
-        // as we want to store the certificate chain and validation
-        // outcome to the database.
-
-        var trustMeBro = new X509TrustManager() {
-            private X509Certificate[] lastServerCertChain;
-
-            @Override
-            public void checkClientTrusted(X509Certificate[] chain, String authType) {
-            }
-
-            @Override
-            public void checkServerTrusted(X509Certificate[] chain, String authType) {
-                this.lastServerCertChain = chain.clone();
-            }
-
-            @Override
-            public X509Certificate[] getAcceptedIssuers() {
-                return new X509Certificate[0];
-            }
-
-            public X509Certificate[] getLastServerCertChain() {
-                return lastServerCertChain != null ? lastServerCertChain.clone() : null;
-            }
-        };
-
-        SSLContext sslContext = SSLContextBuilder.create().build();
-        sslContext.init(null, new TrustManager[]{trustMeBro}, null);

        connectionManager = PoolingHttpClientConnectionManagerBuilder.create()
                .setMaxConnPerRoute(2)
                .setMaxConnTotal(5000)
                .setDefaultConnectionConfig(connectionConfig)
-                .setTlsSocketStrategy(new DefaultClientTlsStrategy(sslContext))
+                .setTlsSocketStrategy(new DefaultClientTlsStrategy(SSLContext.getDefault()))
                .build();

        connectionManager.setDefaultSocketConfig(SocketConfig.custom()
--- a/code/processes/ping-process/java/nu/marginalia/ping/io/HttpClientProvider.java
+++ b/code/processes/ping-process/java/nu/marginalia/ping/io/HttpClientProvider.java
@@ -18,13 +18,18 @@ import org.apache.hc.core5.http.HttpResponse;
 import org.apache.hc.core5.http.io.SocketConfig;
 import org.apache.hc.core5.http.message.MessageSupport;
 import org.apache.hc.core5.http.protocol.HttpContext;
+import org.apache.hc.core5.ssl.SSLContextBuilder;
 import org.apache.hc.core5.util.TimeValue;
 import org.apache.hc.core5.util.Timeout;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

 import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509TrustManager;
+import java.security.KeyManagementException;
 import java.security.NoSuchAlgorithmException;
+import java.security.cert.X509Certificate;
 import java.util.Iterator;
 import java.util.concurrent.TimeUnit;

@@ -37,24 +42,55 @@ public class HttpClientProvider implements Provider<HttpClient> {
    static {
        try {
            client = createClient();
-        } catch (NoSuchAlgorithmException e) {
+        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

-    private static CloseableHttpClient createClient() throws NoSuchAlgorithmException {
+    private static CloseableHttpClient createClient() throws NoSuchAlgorithmException, KeyManagementException {
        final ConnectionConfig connectionConfig = ConnectionConfig.custom()
                .setSocketTimeout(15, TimeUnit.SECONDS)
                .setConnectTimeout(15, TimeUnit.SECONDS)
                .setValidateAfterInactivity(TimeValue.ofSeconds(5))
                .build();

+        // No-op up front validation of server certificates.
+        //
+        // We will validate certificates later, after the connection is established
+        // as we want to store the certificate chain and validation
+        // outcome to the database.
+
+        var trustMeBro = new X509TrustManager() {
+            private X509Certificate[] lastServerCertChain;
+
+            @Override
+            public void checkClientTrusted(X509Certificate[] chain, String authType) {
+            }
+
+            @Override
+            public void checkServerTrusted(X509Certificate[] chain, String authType) {
+                this.lastServerCertChain = chain.clone();
+            }
+
+            @Override
+            public X509Certificate[] getAcceptedIssuers() {
+                return new X509Certificate[0];
+            }
+
+            public X509Certificate[] getLastServerCertChain() {
+                return lastServerCertChain != null ? lastServerCertChain.clone() : null;
+            }
+        };
+
+        SSLContext sslContext = SSLContextBuilder.create().build();
+        sslContext.init(null, new TrustManager[]{trustMeBro}, null);
+
        connectionManager = PoolingHttpClientConnectionManagerBuilder.create()
                .setMaxConnPerRoute(2)
                .setMaxConnTotal(50)
                .setDefaultConnectionConfig(connectionConfig)
                .setTlsSocketStrategy(
-                        new DefaultClientTlsStrategy(SSLContext.getDefault(), NoopHostnameVerifier.INSTANCE))
+                        new DefaultClientTlsStrategy(sslContext, NoopHostnameVerifier.INSTANCE))
                .build();

        connectionManager.setDefaultSocketConfig(SocketConfig.custom()
--- a/code/processes/ping-process/java/nu/marginalia/ping/model/DomainSecurityRecord.java
+++ b/code/processes/ping-process/java/nu/marginalia/ping/model/DomainSecurityRecord.java
@@ -332,6 +332,8 @@ public record DomainSecurityRecord(
        private String headerXPoweredBy;
        private Instant tsLastUpdate;

+        private static Instant MAX_UNIX_TIMESTAMP = Instant.ofEpochSecond(Integer.MAX_VALUE);
+
        public Builder() {
            // Default values for boolean fields
            this.sslCertWildcard = false;
@@ -375,11 +377,17 @@ public record DomainSecurityRecord(
        }

        public Builder sslCertNotBefore(Instant sslCertNotBefore) {
+            if (sslCertNotBefore.isAfter(MAX_UNIX_TIMESTAMP)) {
+                sslCertNotBefore = MAX_UNIX_TIMESTAMP;
+            }
            this.sslCertNotBefore = sslCertNotBefore;
            return this;
        }

        public Builder sslCertNotAfter(Instant sslCertNotAfter) {
+            if (sslCertNotAfter.isAfter(MAX_UNIX_TIMESTAMP)) {
+                sslCertNotAfter = MAX_UNIX_TIMESTAMP;
+            }
            this.sslCertNotAfter = sslCertNotAfter;
            return this;
        }
--- a/code/processes/ping-process/java/nu/marginalia/ping/svc/DomainSecurityInformationFactory.java
+++ b/code/processes/ping-process/java/nu/marginalia/ping/svc/DomainSecurityInformationFactory.java
@@ -14,9 +14,7 @@ import java.security.NoSuchAlgorithmException;
 import java.security.cert.CertificateEncodingException;
 import java.security.cert.X509Certificate;
 import java.time.Instant;
-import java.util.HashSet;
-import java.util.Set;
-import java.util.StringJoiner;
+import java.util.*;

 public class DomainSecurityInformationFactory {
    private static final Logger logger = LoggerFactory.getLogger(DomainSecurityInformationFactory.class);
@@ -69,8 +67,11 @@ public class DomainSecurityInformationFactory {
        boolean isWildcard = false;
        try {
            if (sslCertificates != null && sslCertificates.length > 0) {
-                for (var sanEntry : sslCertificates[0].getSubjectAlternativeNames()) {
-
+                Collection<List<?>> sans = sslCertificates[0].getSubjectAlternativeNames();
+                if (sans == null) {
+                    sans = Collections.emptyList();
+                }
+                for (var sanEntry : sans) {

                    if (sanEntry != null && sanEntry.size() >= 2) {
                        // Check if the SAN entry is a DNS or IP address
Author	SHA1	Message	Date
Viktor Lofgren	0275bad281	(ping) Limit SSL certificate validity dates to a maximum timestamp as permitted by database	2025-06-16 00:32:03 +02:00
Viktor Lofgren	fd83a9d0b8	(ping) Handle null case for Subject Alternative Names in SSL certificates	2025-06-16 00:27:37 +02:00
Viktor Lofgren	d556f8ae3a	(ping) Ping server should not validate certificates	2025-06-16 00:08:30 +02:00
Viktor Lofgren	e37559837b	(crawler) Crawler should validate certificates	2025-06-16 00:06:57 +02:00