Disable SSL cert validation


(John Twill) #1

How can I disable SSL cert checking? I don’t care about the risks (man in the middle, etc.) Sometimes I just want to go forward without the hassle of mucking with keystores. In maven I can set -Dmaven.wagon.http.ssl.insecure=true and -Dmaven.wagon.http.ssl.allowall=true. I found a plugin called trust-all but it doesn’t work. Any help would be greatly appreciated.

Thanks,
John


(Dimitar Dimitrov) #2

Same as maven, except that just passing -D only impacts the gradle process, but not the forked daemon workers. This is how you are supposed to do it:

From https://docs.gradle.org/current/userguide/build_environment.html#sec:gradle_properties_and_system_properties

You can also set system properties in the gradle.properties file. If a property name in such a file has the prefix “systemProp.”, like “systemProp.propName”, then the property and its value will be set as a system property, without the prefix. In a multi project build, “systemProp.” properties set in any project except the root will be ignored. That is, only the root project’s gradle.properties file will be checked for properties that begin with the “systemProp.” prefix.


(John Twill) #3

So gradle will read and obey the maven.wagon.http.ssl properties? I tried setting them in my gradle.properties file but it had no effect. Are there equivalent properties for gradle?


(Dimitar Dimitrov) #4

Nope actually, apologies - didn’t read carefully and assumed your problem is with sys props not being propagated.

Gradle uses HTTP Client for HTTP downloads, you may check whether it offers any sys props to trust any server cert. Alternatively you may use the standard JSSE system props to provide a custom trust store for your server certificate.


(John Twill) #5

I can get things to work if I mess with the trust store. I’m explicitly looking for a solution that allows me to bypass that like I can do with maven. There are not any properties that allow setting a custom trust manager on the http client. So I think the only option would be to modify gradle itself. It looks like the DefaultSslContextFactory in the resource-http subproject would be the right place? Do you have any other suggestions?


(Dimitar Dimitrov) #6

Sorry, can’t think of anything. I am also not sure it is a good feature to have (though I can see how it can be convenient).


(John Twill) #7

Well you are probably right, it’s not a safe thing to do most of the time. I’m in a maven vs. gradle battle with a coworker, and it was just one of those rare things maven can do that gradle can’t. Anyway, thanks for your time and replies on this.


(Dimitar Dimitrov) #8

It is an interesting reversal of roles - typically Maven won’t let you do things for principle’s sake and Gradle would give you enough rope to shoot yourself in the foot.


(Daryl) #9

Being stuck behind a corporate firewall that ‘man in the middle’s all of the traffic, it would be nice if I could just disable SSL verification…


(Dimitar Dimitrov) #10

Not sure if it is of any help, but typically in such cases, companies would add the root CA certificate to the Java trust store - either using a script or by repackaging the JRE/JDK for internal usage. See if you can get the root cert and add it yourself?


(Daryl) #11

In my case, I’m standing up a Linux VM on a Windows desktop, and need to do all of the legwork myself to add the certs in. It’s doable, but almost everything else lets me just disable TLS, and that works fine for my use case (which is mostly just figuring out the list of dependencies that resolve so I know what to request through our corporate policies for bringing software in)


(Jan Igerud) #12

Hi,

I found sort of a workaround. I work behind an SSL proxy so was struggling with the same issue; here is my solution:

  1. Added the certificate for the SSL proxy in the system default keystore (you can create your own keystore if you want)
    sudo keytool -storepass changeit -keystore /etc/ssl/certs/java/cacerts -importcert -alias my-root-CA -file ~/Downloads/my-root-ca.cer

  2. Used the default keystore when running Gradle (Gradle will cache dependencies so you might not need to include it every time).
    ./gradlew tasks -Djavax.net.ssl.trustStore=/etc/ssl/certs/java/cacerts -Djavax.net.ssl.keyStore=/etc/ssl/certs/java/cacerts -Djavax.net.ssl.trustStorePassword=changeit -Djavax.net.ssl.keyStorePassword=changeit --no-daemon
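
The following is an added example, not code from any poster in this thread or from the Gradle project. It combines the trust store import from post #12 with the `systemProp.` mechanism quoted in post #2, so the setting persists in the root project's gradle.properties instead of being passed with `-D` on each run. The function names, the `corp-cacerts` file name and the default alias are assumptions made for illustration; `keytool` from a JDK is required for the import step.

```shell
#!/bin/sh
# Added example: function names, file names and the default alias are
# hypothetical. Paths are assumed to contain no characters that need
# escaping in a Java properties file.

# Copy a base trust store and import the proxy's root CA into the copy,
# leaving the system-wide cacerts untouched. Requires keytool (JDK).
build_truststore() {
  local base="$1" ca_file="$2" out="$3" pass="$4" alias="${5:-my-root-CA}"
  cp "$base" "$out" || return 1
  chmod 600 "$out" || return 1
  keytool -importcert -noprompt -alias "$alias" -file "$ca_file" \
          -keystore "$out" -storepass "$pass" || return 1
  # Fail unless the alias is really present after the import.
  keytool -list -alias "$alias" -keystore "$out" -storepass "$pass" >/dev/null
}

# Idempotently point Gradle at the trust store via systemProp.* entries.
# Existing trustStore/trustStorePassword lines are replaced, other
# properties are preserved.
set_truststore_props() {
  local props="$1" store="$2" pass="$3" tmp
  tmp="$(mktemp)" || return 1
  if [ -f "$props" ]; then
    grep -v -E '^systemProp\.javax\.net\.ssl\.trustStore(Password)?=' \
      "$props" > "$tmp" || true   # grep exits 1 when nothing is left
  fi
  {
    printf 'systemProp.javax.net.ssl.trustStore=%s\n' "$store"
    printf 'systemProp.javax.net.ssl.trustStorePassword=%s\n' "$pass"
  } >> "$tmp"
  mv "$tmp" "$props"
}

# Usage: ./corp-truststore.sh <root-ca.cer> <root-project-dir>
# Runs only when both arguments are given.
if [ "$#" -ge 2 ]; then
  mkdir -p "$HOME/.gradle"
  store="$HOME/.gradle/corp-cacerts"
  # Base store path and password are the ones used in post #12.
  build_truststore /etc/ssl/certs/java/cacerts "$1" "$store" changeit &&
    set_truststore_props "$2/gradle.properties" "$store" changeit
fi
```

Because the properties are read from the root project's gradle.properties, they also reach the daemon, which is the propagation issue post #2 describes for plain `-D` flags.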