Fix allowInsecure() on HttpWaitStrategy for non-localhost Docker daemon #6314
We found out that HttpWaitStrategyTest.testWaitUntilReadyWithTlsAndAllowUnsecure() will fail with java.security.cert.CertificateException: No subject alternative names matching IP address 127.0.0.1 found when used with a Docker daemon that makes containers accessible on 127.0.0.1 rather than on localhost.

This seems to be due to our implementation of allowInsecure in HttpWaitStrategy, where we used a X509TrustManager, that only performs part of the certificate validation.

This PR changes this implementation to now use a X509ExtendedTrustManager, to ignore this check accordingly. We don't consider this a security issue, since this is for the explicit use case, where a user wants the HttpWaitStrategy to ignore insecure SSL certificates.
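The trust manager difference described above, as an added example that is not the Testcontainers code from this PR: a readiness probe whose empty X509ExtendedTrustManager skips both chain validation and the subject-alternative-name match, applied to one connection only so the JVM-wide TLS defaults stay strict. The class name, method names, port and timeouts are assumptions made for illustration.

```java
import java.net.Socket;
import java.net.URL;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509ExtendedTrustManager;

// Added illustration; InsecureProbe and its members are hypothetical names.
final class InsecureProbe {
    // A plain X509TrustManager only sees the chain: the default JSSE provider wraps it
    // and still runs the endpoint (SAN / hostname) check afterwards, which is what fails
    // for 127.0.0.1. The extended variant is handed the Socket/SSLEngine and owns that
    // check, so empty bodies here accept any certificate for any host.
    static final class AcceptAll extends X509ExtendedTrustManager {
        @Override public void checkClientTrusted(X509Certificate[] c, String a) {}
        @Override public void checkServerTrusted(X509Certificate[] c, String a) {}
        @Override public void checkClientTrusted(X509Certificate[] c, String a, Socket s) {}
        @Override public void checkServerTrusted(X509Certificate[] c, String a, Socket s) {}
        @Override public void checkClientTrusted(X509Certificate[] c, String a, SSLEngine e) {}
        @Override public void checkServerTrusted(X509Certificate[] c, String a, SSLEngine e) {}
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    // Dedicated context: SSLContext.setDefault() is deliberately never called.
    static SSLContext insecureContext() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new AcceptAll() }, null);
        return ctx;
    }

    // Returns the HTTP status of one request; only this connection skips validation.
    static int probe(URL url) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(insecureContext().getSocketFactory());
        conn.setConnectTimeout(2000); // assumed timeouts for a readiness check
        conn.setReadTimeout(2000);
        try {
            return conn.getResponseCode();
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed default target: a container port published on 127.0.0.1.
        URL url = new URL(args.length > 0 ? args[0] : "https://127.0.0.1:8443/");
        System.out.println(url + " -> HTTP " + probe(url));
    }
}
```

Keeping the permissive factory on the single probe connection, rather than installing it as the default socket factory, limits the relaxed validation to the wait check itself.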