maven sonar runner - ignore ssl certificate
2,444 views
Skip to first unread message
rot...@crux.org.pl
Feb 5, 2016, 7:25:10 AM2/5/16
to SonarQube
Hi,
I have a sonar test instance with invalid ssl certificate (the CN points to another domain), how can I ignore the certificate when running sonar analysis via maven? I was looking through https://github.com/square/okhttp and can't find any way to ignore the cert, also javax.net.ssl properties doesn't allow for cert to be accepted. Before you tell me that I should fix the certificate: it is just a test instance that I'm going to shut down after I'm finished with it, the production one is going to have proper cert installed.
I have a sonar test instance with invalid ssl certificate (the CN points to another domain), how can I ignore the certificate when running sonar analysis via maven? I was looking through https://github.com/square/okhttp and can't find any way to ignore the cert, also javax.net.ssl properties doesn't allow for cert to be accepted. Before you tell me that I should fix the certificate: it is just a test instance that I'm going to shut down after I'm finished with it, the production one is going to have proper cert installed.
nicolas...@sonarsource.com
Feb 5, 2016, 11:31:59 AM2/5/16
to SonarQube, rot...@crux.org.pl
Hi,
Working with test certificates is one thing (totally feasible), however working with invalid certificates is another (much worst) thing that you should avoid at all cost. Hostname verification is hardcoded in libraries/protocols themselves, there's no alternative because any such workaround would be a security hole.
If you are on a test instance, you should generate yourself some self-signed certificates. You'll have to tell Java to trust them, but at least they will be valid from a security standpoint.
Best regards,
Nicolas
Reply all
Reply to author
Forward
0 new messages