Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [jgit-dev] GitServlet, http.sslVerify=false, and hostnames

Now I see.
TransportHttp is setting a dummy TrustManager, but not a dummy


Would the team consider either:
1. adding a new config setting (http.hostnameVerify=false) and a
corresponding dummy hostname verifier
2. automatically setting a dummy hostname verifier if
http.sslVerify=false? (maybe too dangerous?)

Or would either of those require negotiation with the native Git team?

Something like....

TransportHttp.disableSslVerifyUrl(URLConnection conn, boolean
verifyHostnames) {
final HttpsURLConnection sslConn = (HttpsURLConnection) conn;
if (!verifyHostnames) {
   sslConn.setHostnameVerifier(new DummyHostnameVerifier());

private static class DummyHostnameVerifier implements HostnameVerifier {
   public boolean verify(String hostname, SSLSession session) {
	return true;


Back to the top