
Bug 318339

Summary: P2 does not handle self signed certificates
Product: [Eclipse Project] Equinox
Component: p2
Reporter: David Carver <d_a_carver>
Assignee: P2 Inbox <equinox.p2-inbox>
QA Contact:
Status: CLOSED DUPLICATE
Severity: normal
Priority: P3
CC: david_williams, irbull, kmbulebu, torkildr
Version: 3.6
Target Milestone: ---
Hardware: PC
OS: All
Whiteboard:

Description David Carver CLA 2010-06-29 11:01:05 EDT
When using the Install New Software feature for Eclipse 3.6, and trying to access a P2 repository that is using HTTPS with a self-signed certificate, P2 refuses to install any components.

It would be nice to have P2 either prompt to install the certificate, or have an option on the command line to have P2 automatically install self-signed certificates if specified.

In many cases it would be helpful as well if P2 looked in the existing Eclipse certificate store to see if that certificate has already been accepted.

Comment 1 Kevin Bulebush CLA 2010-10-28 17:12:13 EDT
Here's an example, trying to install pydev from the command line.

Command-line arguments:  -os linux -ws gtk -arch x86 -D osgi.support.signature.verify=false -consolelog -application org.eclipse.equinox.p2.director -repository http://pydev.org/updates,http://download.eclipse.org/releases/helios -installiu org.python.pydev.feature.feature.group

!ENTRY org.eclipse.equinox.p2.engine 8 0 2010-10-28 16:59:27.828
!MESSAGE One or more certificates rejected. Cannot proceed with installation.

Comment 2 Ian Bull CLA 2013-04-12 19:33:53 EDT

*** This bug has been marked as a duplicate of bug 215929 ***

Comment 3 David Williams CLA 2013-04-12 19:45:46 EDT
These comments are in response to Ian's questions on p2 dev list: 

http://dev.eclipse.org/mhonarc/lists/p2-dev/msg05164.html


I'm moderately sure p2 will check the existing "Java store" (or even system store) for trusted certs, have you tried with recent versions of p2? I ask this, just because of other bugs I vaguely recall where at first that wasn't working right. And fixed in Juno, I believe.  

And, if not that, I think there are "external" parameters that can be used to tell any client which store to use? 

I've never done any of this myself, and it's reasonable to ask for an easy way to do it ... like browsers do .... but ... some simple searches appear to show "how to" do it ... rather than disable the function, as Ian asks in his post. 

Such as 
https://access.redhat.com/site/documentation/en-US/JBoss_Enterprise_Application_Platform/5/html/Security_Guide/ch15s02s02.html

or 

http://blogs.adobe.com/livecycle/2012/04/rights-management-how-to-get-windows-7-to-trust-a-self-signed-server-certificate.html

But, again, not speaking from experience.

Comment 4 Ian Bull CLA 2013-04-12 21:10:31 EDT
(In reply to comment #3)

> I'm moderately sure p2 will check the existing "Java store" (or even system
> store) for trusted certs, have you tried with recent versions of p2? I ask
> this, just because of other bugs I vaguely recall where at first that wasn't
> working right. And fixed in Juno, I believe.  
> 
> And, if not that, I think there are "external" parameters that can be used
> to tell any client which store to use? 
> 
> I've never done any of this myself, and it's reasonable to ask for an easy
> way to do it ... like browsers do .... but ... some simple searches appear
> to show "how to" do it ... rather than disable the function, as Ian asks in
> his post. 
> 
Thank you David. I think this demonstrates my lack of experience in this area as I assumed that when I 'proceed' to a site with a self-signed certificate, I was simply disabling the validation for that site. Yes, importing the self-signed certificate into a local store seems like a bunch better approach. The hardest part about searching is knowing what to search for ;-).

I will try this out and if it works, I think I have the next topic for my blog post.

Thanks again.
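
The approach comments 3 and 4 settle on, importing the self-signed certificate into a local store instead of disabling validation, as an added example that is not code from this bug or from p2. The class name PinRepoCert, the alias p2-repo and the file arguments are hypothetical, and the certificate file is assumed to have been exported from the repository server by its administrator.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Added example: trust one self-signed repository certificate while validation stays enabled. */
public class PinRepoCert {
    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: PinRepoCert <server-cert.pem> <truststore.p12> <password>");
            System.exit(2);
        }
        char[] password = args[2].toCharArray();
        // Parse the certificate exported from the repository server (PEM or DER).
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[0])) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        cert.checkValidity(); // throws if the certificate is expired or not yet valid
        // Print the SHA-256 fingerprint so it can be compared out of band before it is trusted.
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder fp = new StringBuilder();
        for (byte b : digest) fp.append(String.format("%02X:", b));
        fp.setLength(fp.length() - 1);
        System.out.println("Subject: " + cert.getSubjectX500Principal());
        System.out.println("SHA-256: " + fp);
        // Create a new trust store that holds only this certificate (alias is hypothetical).
        KeyStore trust = KeyStore.getInstance("PKCS12");
        trust.load(null, password);
        trust.setCertificateEntry("p2-repo", cert);
        try (OutputStream out = new FileOutputStream(args[1])) {
            trust.store(out, password);
        }
        // Validation stays on: this context accepts only chains anchored at the imported certificate.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        System.out.println("Wrote " + args[1] + "; built " + ctx.getProtocol() + " context from it");
    }
}
```

A JSSE client started with -Djavax.net.ssl.trustStore, -Djavax.net.ssl.trustStorePassword and -Djavax.net.ssl.trustStoreType=PKCS12 uses this file in place of the default CA set, so other HTTPS repositories fail validation unless their issuers are added to it as well. Whether a given p2 release honours these properties is an assumption here, not something this bug confirms.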