[SonarLint for Eclipse] SSL properties override properties set in Eclipse


Jeffrey Bell

Jun 16, 2016, 9:12:19 AM
to SonarLint
After installing SonarLint 2.0.1 in Eclipse, I get certificate/truststore errors when attempting to use Eclipse's "Check for Updates" or "Install New Software..." features:

Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Details:

  1. We have an internal plugin that installs our local truststore that also sets up authentication via certificate. Attempts to "Check for Updates" failed with the PKIX error for every internal update site.

  2. I explicitly set the truststore in eclipse by updating the "-vmargs" in eclipse.ini (-Djavax.net.ssl.trustStore and -Djavax.net.ssl.trustStorePassword). The PKIX exception no longer appears, but attempts to "Check for Updates" caused a dialog box to appear asking for a username and password.

  3. SonarLint works as expected.

  4. Uninstalling SonarLint allows Eclipse to get updates and install new software.

A previous post for IntelliJ authentication (https://groups.google.com/d/msg/sonarlint/sgfro8ZseXs/aVD7S3yRAwAJ) suggested that the problem was similar to SLI-75 in that SonarLint is using its own authentication settings (some of which appear to be global) instead of the platform's settings.



Julien HENRY

Jun 17, 2016, 4:20:36 AM
to SonarLint
Hi Jeffrey,

It is a bit hard for us to investigate without precisely knowing what your custom plugin is doing.

SonarLint uses its own internal okhttp library to do HTTP requests.

Could you please answer the following questions to better understand the issue:
  - do you have the issue right after installing SonarLint, or only after starting to use connected mode (i.e. configure a server / bind a project)?
  - what is the JDK you are using? We have a special hack to enable TLS 1.2 on Java 7, maybe it is causing issues? Please try to run Eclipse with JDK 8 if it is not already the case.

++

Julien

Jeffrey Bell

Jun 17, 2016, 7:55:25 AM
to SonarLint
Julien,

Thank you for your help. Answers to your questions are below:

  1. After connected mode is enabled. I removed the SonarQube Server reference and no longer had any issues with Checking for Updates or using the Install New Software wizard to search for new plugins.

  2. I'm using Eclipse 4.5.2 with Java 1.8.0_60.

I will see if I can get some more details on exactly how the plugin works. For now the best I can give you is that it is intended to allow the user to change the Java trust store and set a user certificate for authentication. We would like to eventually be able to use that certificate authentication to connect to the SonarQube server.


Thank you for your time, my coworkers and I really enjoy the plugin.

Jeffrey Bell

Jun 17, 2016, 12:34:50 PM
to SonarLint
It looks as if our Eclipse authentication plugin is doing the following:
  • Setting the System properties for the truststore through System.setProperty("javax.net.ssl.TrustStore", "blah") and similar.
  • May override the default authenticator through java.net.Authenticator.setDefault().

Is SonarLint doing similar things in Connected mode?

Julien HENRY

Jun 20, 2016, 5:59:50 AM
to SonarLint
Hi Jeffrey,

As I said, SonarLint relies on okhttp. And I found that in the sources:

On our side we are doing:

I'm not very comfortable with all that SSL stuff so I will ask my colleagues. But as far as I understand there is no silver bullet. Either we use our own private SSLContextFactory and we don't mess with Eclipse, but it also means that any SSL settings you pass to Eclipse will not be "seen" by SonarLint. Or we reuse the same as Eclipse (I think that's the case here) but okhttp will mess it up:

If we used the shared SSL context, when OkHttp enables ALPN for its SPDY-related stuff, it would also enable ALPN for other usages, which might crash them because ALPN is enabled when it isn't expected to be.
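The following is an added illustration of the "private SSLContext" option described in the post above; it is not SonarLint's code, nor the Eclipse plugin's. It builds a TLS context from an explicitly loaded truststore and client-certificate keystore and applies it per connection, so neither `System.setProperty("javax.net.ssl.*")` nor `SSLContext.setDefault()` is touched and other plugins in the same JVM keep the settings they configured. The file paths, passwords, keystore types and the URL are placeholders, not values from this thread.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Hypothetical helper (added example, not part of SonarLint or the plugin discussed). */
public final class IsolatedTlsContext {

    /** Load a keystore of the given type ("JKS" or "PKCS12") from disk. */
    static KeyStore loadKeyStore(String type, String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * Build an SSLContext that trusts only the given truststore and presents the given
     * client certificate. Nothing here writes JVM-wide state: no System.setProperty,
     * no SSLContext.setDefault, no Authenticator.setDefault.
     */
    static SSLContext build(String trustStorePath, char[] trustStorePassword,
                            String keyStorePath, char[] keyStorePassword) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadKeyStore("JKS", trustStorePath, trustStorePassword));

        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadKeyStore("PKCS12", keyStorePath, keyStorePassword), keyStorePassword);

        // Pin the protocol on this private context only; the shared default is unaffected.
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Apply the private context to one connection via setSSLSocketFactory. */
    static int fetchStatus(SSLContext ctx, String url) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setRequestMethod("GET");
        return conn.getResponseCode();
    }

    public static void main(String[] args) throws Exception {
        // Placeholder paths, passwords and URL; substitute your own.
        SSLContext ctx = build("/path/to/internal-truststore.jks", "changeit".toCharArray(),
                               "/path/to/user-cert.p12", "changeit".toCharArray());
        System.out.println("HTTP " + fetchStatus(ctx,
                "https://sonarqube.example.invalid/api/system/status"));
        // The JVM-wide default context is untouched by everything above.
        System.out.println("Default context protocol: " + SSLContext.getDefault().getProtocol());
    }
}
```

The trade-off is exactly the one stated in the post: a client built this way sees only the truststore it was handed, so settings passed to Eclipse through `-Djavax.net.ssl.trustStore` are invisible to it unless it is pointed at the same file. In exchange, the ALPN problem quoted above cannot occur, because the HTTP library only ever configures its own socket factory rather than the shared default; okhttp exposes an equivalent per-client socket-factory setter for the same purpose.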

Jeffrey Bell

Jun 21, 2016, 10:41:33 AM
to SonarLint
Julien,

I've got some more information that may be helpful. I did the following:
  1. Starting with the plugin installed, no bound projects, and no servers. Closed Eclipse.
  2. Opened Eclipse and Checked for Updates - Success
  3. Connected to a SonarQube Server (with token) and Checked for Updates - Success
  4. Restarted Eclipse and Checked for Updates - Fail with PKIX path exception

Looking at it again, it doesn't seem like SonarLint is ignoring the system properties. If it was, I would have expected it to fail the SSL connection because the default Java truststore does not have the right certificates. Those certificates are provided by the internal plugin. Instead, Eclipse itself seems to "forget" the truststore information. It also only does this after a restart of Eclipse and not simply on connecting/defining a SonarQube server.

Julien HENRY

Jun 27, 2016, 3:43:19 AM
to SonarLint
Hi Jeffrey,

I have created a ticket to follow progress on this topic, but currently I have no idea.

++

Julien

Jeffrey Bell

Jun 28, 2016, 9:00:01 AM
to SonarLint
Hi Julien,

Thank you for entering the ticket! I'll start watching it.

- Jeff