Turn SSL verification off for JGit clone command

我寻月下人不归 2020-12-06 12:07

I am trying to clone a Git repository via the CloneCommand. With this piece of code

`Git.cloneRepo         


        
3 answers
  • 2020-12-06 12:49

    With version 4.9, JGit will handle SSL verification more gracefully. If the SSL handshake was unsuccessful, JGit will ask the CredentialsProvider whether SSL verification should be skipped or not.

    In this process, the CredentialsProvider is given an InformationalMessage describing the issue textually and up to three YesNoType CredentialItems to decide whether to skip SSL verification for this operation, for the current repository, and/or always.

    It seems that the change was made with an interactive UI in mind and it might be hard to answer these 'credential requests' programmatically.

    The commit message of this change describes the behavior in more detail.

    For earlier versions of JGit, or if the CredentialsProvider model does not fit your needs, there are two workarounds described below.


    To work around this limitation, you can execute the specific clone steps manually as suggested in the comments below:

    • init a repository using the InitCommand
    • set ssl verify to false
        StoredConfig config = git.getRepository().getConfig();
        config.setBoolean( "http", null, "sslVerify", false );
        config.save();
    
    • fetch (see FetchCommand)
    • checkout (see CheckoutCommand)

    Another way to work around the issue is to provide an HttpConnectionFactory that returns HttpConnections with dummy host name and certificate verifiers. For example:

    class InsecureHttpConnectionFactory implements HttpConnectionFactory {
    
      @Override
      public HttpConnection create( URL url ) throws IOException {
        return create( url, null );
      }
    
      @Override
      public HttpConnection create( URL url, Proxy proxy ) throws IOException {
        HttpConnection connection = new JDKHttpConnectionFactory().create( url, proxy );
        HttpSupport.disableSslVerify( connection );
        return connection;
      }
    }
    

    HttpConnection is in package org.eclipse.jgit.transport.http and is a JGit abstraction for HTTP connections. While the example uses the default implementation (backed by JDK http code), you are free to use your own implementation or the one provided by the org.eclipse.jgit.transport.http.apache package that uses Apache http components.

    The currently used connection factory can be changed with HttpTransport::setConnectionFactory():

    HttpConnectionFactory preservedConnectionFactory = HttpTransport.getConnectionFactory();
    HttpTransport.setConnectionFactory( new InsecureHttpConnectionFactory() );
    // clone repository
    HttpTransport.setConnectionFactory( preservedConnectionFactory );
    

    Unfortunately, the connection factory is a singleton so that this trick needs extra work (e.g. a thread local variable to control if sslVerify is on or off) when JGit commands are executed concurrently.

    0 Discussion (0)
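
The thread-local switch mentioned at the end of the answer above, as an added example (not part of the original answer or of JGit): verification is disabled only for the thread that opts in and only for hosts on an explicit list. The class name, `withoutSslVerify` and the host list are hypothetical, and the sketch assumes JGit opens its HTTP connections on the thread that runs the command.

```java
import java.io.IOException;
import java.net.Proxy;
import java.net.URL;
import java.util.HashSet;
import java.util.Set;
import java.util.concurrent.Callable;
import org.eclipse.jgit.transport.http.HttpConnection;
import org.eclipse.jgit.transport.http.HttpConnectionFactory;
import org.eclipse.jgit.transport.http.JDKHttpConnectionFactory;
import org.eclipse.jgit.util.HttpSupport;

// Added example: class and method names are hypothetical, not part of JGit.
class ScopedInsecureHttpConnectionFactory implements HttpConnectionFactory {
  // Per-thread switch, off by default, so concurrent commands keep verification.
  private static final ThreadLocal<Boolean> SKIP_VERIFY = ThreadLocal.withInitial(() -> false);
  private final HttpConnectionFactory delegate = new JDKHttpConnectionFactory();
  private final Set<String> allowedHosts; // only these hosts may skip verification

  ScopedInsecureHttpConnectionFactory(Set<String> allowedHosts) {
    this.allowedHosts = new HashSet<>(allowedHosts);
  }

  @Override
  public HttpConnection create(URL url) throws IOException {
    return configure(delegate.create(url), url);
  }

  @Override
  public HttpConnection create(URL url, Proxy proxy) throws IOException {
    return configure(delegate.create(url, proxy), url);
  }

  // Verification stays on unless this thread opted in AND the host is listed.
  private HttpConnection configure(HttpConnection connection, URL url) throws IOException {
    if (SKIP_VERIFY.get() && allowedHosts.contains(url.getHost())) {
      HttpSupport.disableSslVerify(connection);
    }
    return connection;
  }

  // Runs one operation (e.g. a clone) with the switch on, then restores it.
  static <T> T withoutSslVerify(Callable<T> operation) throws Exception {
    boolean previous = SKIP_VERIFY.get();
    SKIP_VERIFY.set(true);
    try {
      return operation.call();
    } finally {
      SKIP_VERIFY.set(previous);
    }
  }
}
```

Install it once with `HttpTransport.setConnectionFactory()` and wrap only the clone that needs it in `withoutSslVerify(...)`; every other thread and host keeps normal certificate verification.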
  • 2020-12-06 12:56

    Another workaround is to create a .gitconfig file in the home of the current user before calling Git.cloneRepository():

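    File file = new File(System.getProperty("user.home")+"/.gitconfig");
    // Only written when the user has no .gitconfig yet; an existing file is left untouched.
    if(!file.exists()) {
        // try-with-resources closes the writer even if a write fails
        try (PrintWriter writer = new PrintWriter(file)) {
            writer.println("[http]");
            writer.println("sslverify = false");
        }
    }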
    

    This will make JGit skip SSL certificate verification.

    0 Discussion (0)
  • 2020-12-06 12:58

    I have inferred the snippet below from all the answers above:

    private void disableSSLVerify(URI gitServer) throws Exception {
        if (gitServer.getScheme().equals("https")) {
            FileBasedConfig config = SystemReader.getInstance().openUserConfig(null, FS.DETECTED);
            synchronized (config) {
                config.load();
                config.setBoolean(
                    "http",
                    "https://" + gitServer.getHost() + ':' + (gitServer.getPort() == -1 ? 443 : gitServer.getPort()),
                    "sslVerify", false);
                config.save();
            }
        }
    }
    

    This option is safer because it allows sslVerify to be set to false for the gitServer alone.

    Please take a look at this link which shares other options.

    0 Discussion (0)