Skip to content

#2137: fix fix-vpn-tls-problem not detecting TLS certificate issues behind HTTP redirects#2138

Merged
hohwille merged 4 commits into
devonfw:mainfrom
maybeec:bugfix/2137-tls-redirect-detection
Jul 16, 2026
Merged

#2137: fix fix-vpn-tls-problem not detecting TLS certificate issues behind HTTP redirects#2138
hohwille merged 4 commits into
devonfw:mainfrom
maybeec:bugfix/2137-tls-redirect-detection

Conversation

@maybeec

@maybeec maybeec commented Jul 9, 2026

Copy link
Copy Markdown
Member

This PR fixes #2137

ide fix-vpn-tls-problem <url> reported success and did nothing when the given URL redirects (HTTP 30x) to another host whose certificate is the one actually being rejected (e.g. https://aka.ms/vs/17/release/vs_BuildTools.exe used by the msvc/rust installers). The commandlet probed reachability with a hand-rolled raw SSLSocket handshake against the requested host, so the publicly-trusted redirector (aka.ms) passed while the intercepted certificate on the redirect target was never seen. This did not reuse the central redirect-following HttpClient that the actual download uses.

Implemented changes:

  • Added HttpClientFactory (com.devonfw.tools.ide.io) as the single place that builds the redirect-following (Redirect.ALWAYS) HttpClient, and reused it in HttpDownloader, IdeaPluginDownloader and AbstractUrlUpdater (removing the duplicated builders).
  • Reworked TruststoreUtil to probe reachability via isUrlReachable(url, truststore) using that client (following redirects, honoring an optional custom truststore) instead of a raw SSLSocket, and added resolveEffectiveEndpoint(url) which follows redirects to determine the host that actually serves the content.
  • TruststoreCommandlet now probes the URL and captures the certificate from the effective (post-redirect) endpoint. Removed the now-dead raw-socket helpers (isReachable, verifyConnectionWithTruststore).
  • Actionable error on TLS download failuresNetworkStatusImpl now detects the (usually wrapped) SSLHandshakeException across the whole cause chain and logs a clear hint naming the failing URL, warning to verify the endpoint, and giving the ready-to-run ide fix-vpn-tls-problem <url> command. Previously that hint only fired for a raw IOException, so it was bypassed for the IllegalStateException the downloader throws — the user just saw an "unexpected error" and a stack trace (exactly the reported symptom).

Testing instructions

  1. Run mvn clean test — the new tests pass:
    • HttpClientFactoryTest — the central client always follows redirects.
    • TruststoreUtilTest#testResolveEffectiveEndpointFollowsRedirectToFinalHost — a request to server A is resolved to the redirected server B's port (two WireMock HTTPS servers on distinct ports).
    • TruststoreUtilTest#testIsUrlReachableFalseForUntrustedCertificateAndTrueWithCapturedCertificate — an untrusted self-signed endpoint is unreachable by default and reachable once its captured certificate is in the custom truststore.
    • TruststoreCommandletTest#testRunCapturesUntrustedCertificateFollowingRedirectAndConfiguresTruststore — the commandlet follows a redirect over HTTPS, captures the certificate, writes the truststore and configures IDE_OPTIONS.
    • NetworkStatusImplTest — a TLS trust error wrapped in a RuntimeException is still detected and reported with the failing URL and the ide fix-vpn-tls-problem <url> hint.
  2. Tests use a generated CN=localhost (SAN localhost/127.0.0.1) keystore (cli/src/test/resources/truststore/localhost.p12) so the JDK HttpClient hostname verification passes against WireMock.

Checklist for this PR

  • When running mvn clean test locally all tests pass and build is successful
  • PR title is of the form #«issue-id»: «brief summary» (e.g. #921: fixed setup.bat). If no issue ID exists, title only.
  • PR top-level comment summarizes what has been done and contains link to addressed issue(s)
  • PR and issue(s) have suitable labels
  • Issue is set to In Progress and assigned to you or there is no issue (might happen for very small PRs) — issue is assigned; board status "In Progress" still to be set manually
  • You followed all coding conventions
  • You have added the issue implemented by your PR in CHANGELOG.adoc unless issue is labeled with internal
  • You have formulated clear instructions on how to test your contribution under "Testing instructions"

Checklist for tool commandlets

Not applicable — this PR does not introduce a new tool commandlet; it fixes the existing fix-vpn-tls-problem commandlet.

@maybeec maybeec added commandlet ide sub-command bugfix PR that fixes a bug issue download download of tools, plugins, code from git, any HTTP traffic over the network proxy HTTP proxy support labels Jul 9, 2026
@github-project-automation github-project-automation Bot moved this to 🆕 New in IDEasy board Jul 9, 2026
@maybeec maybeec moved this from 🆕 New to Team Review in IDEasy board Jul 9, 2026
@maybeec
maybeec force-pushed the bugfix/2137-tls-redirect-detection branch from e9071fe to 872d900 Compare July 9, 2026 08:20
@coveralls

coveralls commented Jul 9, 2026

Copy link
Copy Markdown
Collaborator

Coverage Report for CI Build 29489042311

Coverage increased (+0.3%) to 72.467%

Details

  • Coverage increased (+0.3%) from the base build.
  • Patch coverage: No coverable lines changed in this PR.
  • 45 coverage regressions across 5 files.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

45 previously-covered lines in 5 files lost coverage.

File Lines Losing Coverage Coverage
com/devonfw/tools/ide/util/TruststoreUtil.java 27 75.71%
com/devonfw/tools/ide/commandlet/TruststoreCommandlet.java 8 72.88%
com/devonfw/tools/ide/io/HttpDownloader.java 5 62.79%
com/devonfw/tools/ide/network/NetworkStatusImpl.java 4 73.08%
com/devonfw/tools/ide/os/MacOsHelper.java 1 75.63%

Coverage Stats

Coverage Status
Relevant Lines: 16753
Covered Lines: 12660
Line Coverage: 75.57%
Relevant Branches: 7476
Covered Branches: 4898
Branch Coverage: 65.52%
Branches in Coverage %: Yes
Coverage Strength: 3.2 hits per line

💛 - Coveralls

@maybeec
maybeec force-pushed the bugfix/2137-tls-redirect-detection branch 3 times, most recently from f88c7dc to 38a7a26 Compare July 9, 2026 09:47
…ehind HTTP redirects

Reuse the central redirect-following HttpClient (new HttpClientFactory) for the
truststore reachability check and capture the certificate from the effective
endpoint after following redirects (e.g. https://aka.ms/...), instead of a raw
SSLSocket handshake against the requested host.
@maybeec
maybeec force-pushed the bugfix/2137-tls-redirect-detection branch from 38a7a26 to 4022123 Compare July 9, 2026 10:04
@maybeec
maybeec requested a review from hohwille July 9, 2026 10:11
@maybeec maybeec added this to the release:2026.07.002 milestone Jul 9, 2026

@hohwille hohwille left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@maybeec thanks for your PR. Awesome job with solid fix, cleanup and great test enhancements. 👍
I first thought your test would actually rely on external URLs failing with ZScaler but then understood that it is cleanly isolated and only testing the error handling and TLS PKIX error.

Ready for merge.

@github-project-automation github-project-automation Bot moved this from Team Review to 👀 In review in IDEasy board Jul 16, 2026
@hohwille
hohwille merged commit 04aae4d into devonfw:main Jul 16, 2026
3 checks passed
@github-project-automation github-project-automation Bot moved this from 👀 In review to ✅ Done in IDEasy board Jul 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bugfix PR that fixes a bug issue commandlet ide sub-command download download of tools, plugins, code from git, any HTTP traffic over the network proxy HTTP proxy support

Projects

Status: ✅ Done

Development

Successfully merging this pull request may close these issues.

fix-vpn-tls-problem does not detect TLS certificate issues behind HTTP redirects

3 participants