Gerrit 2.12.3 setEndpointIdentificationAlgorithm


john.v...@effnet.com

Aug 10, 2016, 7:59:14 AM8/10/16
to Repo and Gerrit Discussion
After upgrading to 2.12.3 I'm unable to receive emails from my Gerrit server due to "java.security.cert.CertificateException: No name matching xxx found".

I've tracked it down to the code in AuthSMTPClient.java:
"SSLParameters sslParams = new SSLParameters();
 sslParams.setEndpointIdentificationAlgorithm("HTTPS");
 ((SSLSocket)_socket_).setSSLParameters(sslParams);"

I guess it is probably our email server's setup, and I won't be able to change our email server's certificates or settings.

Does anyone know if there is an easy way to bypass this without modifying the code in Gerrit?

(Gerrit is running with TLS and javaOptions set to -Djavax.net.ssl.trustStore=yyy -Djavax.net.ssl.trustStorePassword=zzz)

Edwin Kempin

Aug 10, 2016, 8:02:43 AM8/10/16
to john.v...@effnet.com, Repo and Gerrit Discussion
This was a security fix, see [1].
I guess you cannot bypass this without modifying the code.

 

--
--
To unsubscribe, email repo-discuss+unsubscribe@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en

---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


john.v...@effnet.com

Aug 10, 2016, 9:31:14 AM8/10/16
to Repo and Gerrit Discussion, john.v...@effnet.com
Would it make sense to change sendemail.sslVerify to also bypass this check or to add another configuration to skip the hostname matching?



Edwin Kempin

Aug 10, 2016, 10:46:19 AM8/10/16
to john.v...@effnet.com, Repo and Gerrit Discussion
On Wed, Aug 10, 2016 at 3:31 PM, <john.v...@effnet.com> wrote:
> Would it make sense to change sendemail.sslVerify to also bypass this check or to add another configuration to skip the hostname matching?

Sounds okay to me.
 

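
Added example, not part of the thread and not Gerrit's code: a Java illustration of the host-name comparison that setEndpointIdentificationAlgorithm("HTTPS") turns on, showing which configured SMTP host names a certificate's DNS names would accept and which produce the "No name matching" failure. The class name, the sample names and the optional PEM-file argument are assumptions; it checks DNS names only, while the JDK's own checker also handles IP-address entries and the CN fallback.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;

// Hypothetical helper: compares configured SMTP host names with a certificate's DNS names.
public class SmtpNameCheck {
    // dNSName entries (subjectAltName type 2) of a certificate; empty if it has none.
    static List<String> dnsNames(X509Certificate cert) throws Exception {
        List<String> names = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {
                if (Integer.valueOf(2).equals(san.get(0))) names.add((String) san.get(1));
            }
        }
        return names;
    }

    // Case-insensitive match; "*" is accepted only as the whole left-most label.
    static boolean matches(String host, String pattern) {
        if (!pattern.startsWith("*.")) return host.equalsIgnoreCase(pattern);
        int dot = host.indexOf('.');
        return dot > 0 && host.substring(dot).equalsIgnoreCase(pattern.substring(1));
    }

    static boolean anyMatch(String host, List<String> names) {
        return names.stream().anyMatch(n -> matches(host, n));
    }

    public static void main(String[] args) throws Exception {
        List<String> names;
        if (args.length > 0) { // optional: path to the mail server's certificate (PEM or DER)
            try (InputStream in = new FileInputStream(args[0])) {
                names = dnsNames((X509Certificate)
                        CertificateFactory.getInstance("X.509").generateCertificate(in));
            }
        } else {
            names = Arrays.asList("mail.example.com", "*.corp.example.com"); // constructed sample
        }
        // Constructed candidates for the SMTP host name the client is configured with.
        for (String host : new String[] {"mail.example.com", "mail", "smtp.corp.example.com", "a.b.corp.example.com"}) {
            System.out.println(host + " -> " + (anyMatch(host, names) ? "match" : "no match, handshake would fail"));
        }
    }
}
```

With the constructed names, only mail.example.com and smtp.corp.example.com match; the short name and the two-label-deep name do not, which is the situation where pointing the client at a name the certificate actually carries resolves the error without disabling the check.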