From 106d199f8ff5d2e0504a3756df8acdded0759cd0 Mon Sep 17 00:00:00 2001 From: Simon Rettberg Date: Fri, 1 Aug 2025 12:07:07 +0200 Subject: [client] Try to use generic SSL and HTTPS context if connection check fails --- .../src/main/java/org/openslx/dozmod/App.java | 16 ++-------- .../openslx/dozmod/util/FallbackTrustManager.java | 22 +++++++++---- .../org/openslx/dozmod/util/ProxyConfigurator.java | 37 ++++++++++++++++++++-- 3 files changed, 52 insertions(+), 23 deletions(-) (limited to 'dozentenmodul/src/main/java') diff --git a/dozentenmodul/src/main/java/org/openslx/dozmod/App.java b/dozentenmodul/src/main/java/org/openslx/dozmod/App.java index f67acaba..a5dc7464 100755 --- a/dozentenmodul/src/main/java/org/openslx/dozmod/App.java +++ b/dozentenmodul/src/main/java/org/openslx/dozmod/App.java @@ -15,8 +15,6 @@ import java.util.Set; import java.util.concurrent.CountDownLatch; import java.util.zip.Deflater; -import javax.net.ssl.HttpsURLConnection; -import javax.net.ssl.SSLContext; import javax.swing.SwingUtilities; import javax.swing.UIDefaults; import javax.swing.UIManager; @@ -40,7 +38,6 @@ import org.openslx.dozmod.gui.helper.Language; import org.openslx.dozmod.gui.helper.MessageType; import org.openslx.dozmod.util.ClientVersion; import org.openslx.dozmod.util.FallbackTrustManager; -import org.openslx.dozmod.util.OsHelper; import org.openslx.dozmod.util.ProxyConfigurator; import org.openslx.thrifthelper.ThriftManager; import org.openslx.util.AppUtil; 
@@ -150,17 +147,8 @@ public class App { AppUtil.logHeader(LOGGER, Branding.getApplicationName(), App.class.getPackage().getImplementationVersion()); LOGGER.info("Starting logging to " + logFilePath); - if (OsHelper.isWindows()) { - // On Windows 10+, use system store in addition to the Java one - LOGGER.info("Installing Fallback X509 truster"); - try { - SSLContext sslContext = FallbackTrustManager.getSSLContext(); - SSLContext.setDefault(sslContext); - HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory()); - } catch (Exception e) { - LOGGER.warn("Cannot use fallback SSL context with system store", e); - } - } + // On Windows, we use the system's trust store in addition to the Java one + FallbackTrustManager.install(); // Setting the locale if (!setPreferredLanguage()) { diff --git a/dozentenmodul/src/main/java/org/openslx/dozmod/util/FallbackTrustManager.java b/dozentenmodul/src/main/java/org/openslx/dozmod/util/FallbackTrustManager.java index 1fbdb88f..8d59e56c 100644 --- a/dozentenmodul/src/main/java/org/openslx/dozmod/util/FallbackTrustManager.java +++ b/dozentenmodul/src/main/java/org/openslx/dozmod/util/FallbackTrustManager.java @@ -4,6 +4,7 @@ import java.io.FileInputStream; import java.security.KeyStore; import java.security.cert.X509Certificate; +import javax.net.ssl.HttpsURLConnection; import javax.net.ssl.SSLContext; import javax.net.ssl.TrustManager; import javax.net.ssl.TrustManagerFactory; @@ -18,9 +19,13 @@ public class FallbackTrustManager { private static SSLContext sslContext = null; - private static FallbackX509TrustManager delegatingTrustManager; + private static FallbackX509TrustManager delegatingTrustManager = null; - static { + public static void install() { + if (!OsHelper.isWindows()) + return; + // On Windows, use system store in addition to the Java one + LOGGER.info("Installing Fallback X509 truster"); try { // --- Load Java default trust store (cacerts) --- String javaHome = System.getProperty("java.home"); 
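Review bot: The new `install()` has no Javadoc and no guard against being called more than once, yet it now owns process-wide side effects — the default `SSLContext` and the `HttpsURLConnection` socket factory are replaced later in this method (next hunk of this file), so a second call would reload both trust stores and swap the JVM-wide default again. A short Javadoc should state that the method is a no-op off Windows, that it replaces the JVM-wide default SSLContext and HTTPS socket factory, and that it must run before anything that calls `getTrustManagers()`, because until then that method yields null and callers silently end up on the JDK default trust store. An idempotence guard such as `if (!OsHelper.isWindows() || delegatingTrustManager != null) return;` would make repeated calls harmless. The `try` body opened at the end of the hunk continues outside it.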
@@ -53,17 +58,22 @@ public class FallbackTrustManager { javaTrustManager, windowsTrustManager); sslContext = SSLContext.getInstance("TLS"); - sslContext.init(null, new TrustManager[] { delegatingTrustManager }, null); + sslContext.init(null, getTrustManagers(), null); + SSLContext.setDefault(sslContext); + HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory()); } catch (Exception e) { + LOGGER.warn("Cannot use fallback SSL context with system store", e); } } public static TrustManager getTrustManager() { return delegatingTrustManager; } - - public static SSLContext getSSLContext() { - return sslContext; + + public static TrustManager[] getTrustManagers() { + if (delegatingTrustManager == null) + return null; + return new TrustManager[] { delegatingTrustManager }; } // Extract the first X509TrustManager from the factory diff --git a/dozentenmodul/src/main/java/org/openslx/dozmod/util/ProxyConfigurator.java b/dozentenmodul/src/main/java/org/openslx/dozmod/util/ProxyConfigurator.java index a1dc0dbc..b024dae5 100644 --- a/dozentenmodul/src/main/java/org/openslx/dozmod/util/ProxyConfigurator.java +++ b/dozentenmodul/src/main/java/org/openslx/dozmod/util/ProxyConfigurator.java @@ -10,7 +10,6 @@ import java.util.List; import java.util.concurrent.atomic.AtomicReference; import javax.net.ssl.SSLContext; -import javax.net.ssl.TrustManager; import org.apache.hc.client5.http.classic.methods.HttpGet; import org.apache.hc.client5.http.config.ConnectionConfig; @@ -29,6 +28,9 @@ import org.apache.logging.log4j.Logger; import org.openslx.bwlp.thrift.iface.MasterServer; import org.openslx.dozmod.App; import org.openslx.dozmod.authentication.ShibbolethEcp; +import org.openslx.dozmod.gui.Gui; +import org.openslx.dozmod.gui.helper.I18n; +import org.openslx.dozmod.gui.helper.MessageType; import org.openslx.thrifthelper.ThriftManager; import org.openslx.util.Util; 
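Review bot: `getTrustManagers()` returns `null` deliberately — `SSLContext.init()` treats a null trust-manager array as "use the JDK default trust managers" — but nothing on the method says so, and a reader will take it for the usual null-return smell and start adding null checks at the call sites. Add a Javadoc along the lines of `/** Trust managers backed by the Windows system store, or null when install() did not run or failed; passing null to SSLContext.init() falls back to the JDK defaults. */`. The single-valued `getTrustManager()` kept just above still returns null in the same situation, and wrapping that null in a one-element array (what the callers did before this commit) does not select the JDK defaults — if I read SunJSSE right it installs a trust manager that rejects every certificate — so if no caller remains after this change it should be removed or marked `@Deprecated` pointing at `getTrustManagers()`.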
@@ -81,7 +83,7 @@ public class ProxyConfigurator { } else { thriftCtx = SSLContext.getInstance("TLSv1.2"); } - thriftCtx.init(null, new TrustManager[] { FallbackTrustManager.getTrustManager() }, null); + thriftCtx.init(null, FallbackTrustManager.getTrustManagers(), null); } catch (NoSuchAlgorithmException | KeyManagementException e) { LOGGER.warn("Error creating default SSL context for thrift", e); } @@ -96,7 +98,7 @@ public class ProxyConfigurator { MasterServer.Client masterClient; try { ctx = SSLContext.getInstance(tls[0].id); - ctx.init(null, new TrustManager[] { FallbackTrustManager.getTrustManager() }, null); + ctx.init(null, FallbackTrustManager.getTrustManagers(), null); masterClient = ThriftManager.getNewMasterClient(ctx, App.getMasterServerAddress(), App.THRIFT_SSL_PORT, 4000); @@ -139,6 +141,35 @@ public class ProxyConfigurator { * Initialization method. */ public static void init() { + try { + initInternal(); + } finally { + boolean warn = false; + if (thriftCtx == null) { + try { + SSLContext ctx = SSLContext.getDefault(); + ctx.init(null, FallbackTrustManager.getTrustManagers(), null); + thriftCtx = ctx; + } catch (Exception e) { + Gui.asyncMessageBox(I18n.GUI.getString("ProxyConfigurator.Message.error.couldNotGetSslContext"), + MessageType.ERROR, LOGGER, e); + System.exit(1); + } + warn = true; + } + if (apacheClient.get() == null) { + HttpClientBuilder builder = createDefaultBuilder(); + apacheClient.set(builder.build()); + warn = true; + } + if (warn) { + Gui.asyncMessageBox(I18n.GUI.getString("ProxyConfigurator.Message.warning.couldNotConnect"), + MessageType.WARNING, LOGGER, null); + } + } + } + + private static void initInternal() { tryAllThriftVariants(); // Only try HTTPS if thrift succeeded if (thriftCtx != null) { -- cgit v1.2.3-55-g7522
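Review bot: The fallback in the `finally` block calls `ctx.init(...)` on the object returned by `SSLContext.getDefault()`; when `FallbackTrustManager.install()` did not replace the default (every non-Windows host, or a Windows host where installation failed), that is the JDK's built-in default context, whose `init()` rejects re-initialisation with a `KeyManagementException`, so the fallback lands in the catch branch and terminates the process on exactly the platforms it was meant to rescue. Build a fresh context instead: `SSLContext ctx = SSLContext.getInstance("TLS");` followed by the existing `ctx.init(null, FallbackTrustManager.getTrustManagers(), null);` (a null array there yields the JDK default trust managers). Separately, `System.exit(1)` runs immediately after `Gui.asyncMessageBox(...)`; if that call is asynchronous, as its name suggests, the error dialog is unlikely to be shown before the JVM exits. `initInternal()` begins at the end of the hunk and its body continues outside it.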