aliyun
diff --git a/‎src/main/java/com/aliyun/oss/ClientConfiguration.java‎
Lines changed: 107 additions & 1 deletion b/‎src/main/java/com/aliyun/oss/ClientConfiguration.java‎
Lines changed: 107 additions & 1 deletion
diff --git a/‎src/main/java/com/aliyun/oss/common/comm/DefaultServiceClient.java‎
Lines changed: 89 additions & 11 deletions b/‎src/main/java/com/aliyun/oss/common/comm/DefaultServiceClient.java‎
Lines changed: 89 additions & 11 deletions
@@ -28,6 +28,10 @@
 import java.util.Date;
 import java.util.concurrent.locks.Lock;
 import java.util.concurrent.locks.ReentrantLock;
+import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.X509TrustManager;
+import java.security.SecureRandom;
 
 import com.aliyun.oss.common.auth.RequestSigner;
 import com.aliyun.oss.common.comm.IdleConnectionReaper;
@@ -107,6 +111,12 @@ public class ClientConfiguration {
 
     private boolean redirectEnable = true;
 
+    private boolean verifySSLEnable = true;
+    private KeyManager[] keyManagers = null;
+    private X509TrustManager[] x509TrustManagers = null;
+    private SecureRandom secureRandom = null;
+    private HostnameVerifier hostnameVerifier = null;
+
     public ClientConfiguration() {
         super();
         AppendDefaultExcludeList(this.cnameExcludeList);
@@ -726,7 +736,6 @@ public void setRetryStrategy(RetryStrategy retryStrategy) {
         this.retryStrategy = retryStrategy;
     }
 
-
     /**
      * Gets whether is enable redirection.
      *
@@ -746,6 +755,103 @@ public void setRedirectEnable(boolean redirectEnable) {
         this.redirectEnable = redirectEnable;
     }
 
+    /**
+     * Gets the flag of verifing SSL certificate. By default it's true.
+     *
+     * @return true verify SSL certificate;false ignore SSL certificate.
+     */
+    public boolean isVerifySSLEnable() {
+        return verifySSLEnable;
+    }
+
+    /**
+     * Sets the flag of verifing SSL certificate.
+     *
+     * @param verifySSLEnable
+     *            True to verify SSL certificate; False to ignore SSL certificate.
+     */
+    public void setVerifySSLEnable(boolean verifySSLEnable) {
+        this.verifySSLEnable = verifySSLEnable;
+    }
+
+    /**
+     * Gets the KeyManagers are responsible for managing the key material
+     * which is used to authenticate the local SSLSocket to its peer.
+     *
+     * @return the key managers.
+     */
+    public KeyManager[] getKeyManagers() {
+        return keyManagers;
+    }
+
+    /**
+     * Sets the key managers are responsible for managing the key material
+     * which is used to authenticate the local SSLSocket to its peer.
+     *
+     * @param keyManagers
+     *            the key managers
+     */
+    public void setKeyManagers(KeyManager[] keyManagers) {
+        this.keyManagers = keyManagers;
+    }
+
+    /**
+     * Gets the instance of this interface manage which X509 certificates
+     * may be used to authenticate the remote side of a secure socket.
+     *
+     * @return the x509 trust managers .
+     */
+    public X509TrustManager[] getX509TrustManagers() {
+        return x509TrustManagers;
+    }
+
+    /**
+     * Sets the instance of this interface manage which X509 certificates
+     * may be used to authenticate the remote side of a secure socket.
+     *
+     * @param x509TrustManagers
+     *            x509 trust managers
+     */
+    public void setX509TrustManagers(X509TrustManager[] x509TrustManagers) {
+        this.x509TrustManagers = x509TrustManagers;
+    }
 
+    /**
+     * Gets the cryptographically strong random number.
+     *
+     * @return random number.
+     */
+    public SecureRandom getSecureRandom() {
+        return secureRandom;
+    }
+
+    /**
+     * Sets the cryptographically strong random number.
+     *
+     * @param secureRandom
+     *            the cryptographically strong random number
+     */
+    public void setSecureRandom(SecureRandom secureRandom) {
+        this.secureRandom = secureRandom;
+    }
+
+    /**
+     * Gets the instance of this interface for hostname verification.
+     *
+     * @return the hostname verification instance.
+     */
+    public HostnameVerifier getHostnameVerifier() {
+        return hostnameVerifier;
+    }
+
+    /**
+     * Sets instance of this interface for hostname verification.
+     *
+     * @param hostnameVerifier
+     *            the hostname verification instance
+     */
+    public void setHostnameVerifier(HostnameVerifier hostnameVerifier) {
+        this.hostnameVerifier = hostnameVerifier;
+    }
 
 }
@@ -23,10 +23,14 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.lang.reflect.Method;
+import java.security.KeyStore;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
 
-import javax.net.ssl.SSLContext;
+import javax.net.ssl.*;
 
 import org.apache.commons.codec.binary.Base64;
 import org.apache.http.Header;
@@ -47,16 +51,15 @@
 import org.apache.http.conn.HttpClientConnectionManager;
 import org.apache.http.conn.socket.ConnectionSocketFactory;
 import org.apache.http.conn.socket.PlainConnectionSocketFactory;
+import org.apache.http.conn.ssl.DefaultHostnameVerifier;
 import org.apache.http.conn.ssl.NoopHostnameVerifier;
 import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
-import org.apache.http.conn.ssl.TrustStrategy;
 import org.apache.http.impl.auth.BasicScheme;
 import org.apache.http.impl.client.BasicAuthCache;
 import org.apache.http.impl.client.BasicCredentialsProvider;
 import org.apache.http.impl.client.CloseableHttpClient;
 import org.apache.http.impl.client.HttpClients;
 import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
-import org.apache.http.ssl.SSLContextBuilder;
 
 import com.aliyun.oss.ClientConfiguration;
 import com.aliyun.oss.ClientErrorCode;
@@ -232,23 +235,49 @@ protected CloseableHttpClient createHttpClient(HttpClientConnectionManager conne
     }
 
     protected HttpClientConnectionManager createHttpClientConnectionManager() {
-        SSLContext sslContext = null;
+        SSLConnectionSocketFactory sslSocketFactory = null;
         try {
-            sslContext = new SSLContextBuilder().loadTrustMaterial(null, new TrustStrategy() {
+            List<TrustManager> trustManagerList = new ArrayList<TrustManager>();
+            X509TrustManager[] trustManagers = config.getX509TrustManagers();
 
-                @Override
-                public boolean isTrusted(X509Certificate[] chain, String authType) throws CertificateException {
-                    return true;
+            if (null != trustManagers) {
+                trustManagerList.addAll(Arrays.asList(trustManagers));
+            }
+
+            // get trustManager using default certification from jdk
+            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+            tmf.init((KeyStore) null);
+            trustManagerList.addAll(Arrays.asList(tmf.getTrustManagers()));
+
+            final List<X509TrustManager> finalTrustManagerList = new ArrayList<X509TrustManager>();
+            for (TrustManager tm : trustManagerList) {
+                if (tm instanceof X509TrustManager) {
+                    finalTrustManagerList.add((X509TrustManager) tm);
                 }
+            }
+            CompositeX509TrustManager compositeX509TrustManager = new CompositeX509TrustManager(finalTrustManagerList);
+            compositeX509TrustManager.setVerifySSL(config.isVerifySSLEnable());
+            KeyManager[] keyManagers = null;
+            if (config.getKeyManagers() != null) {
+                keyManagers = config.getKeyManagers();
+            }
 
-            }).build();
+            SSLContext sslContext = SSLContext.getInstance("TLS");
+            sslContext.init(keyManagers, new TrustManager[]{compositeX509TrustManager}, config.getSecureRandom());
 
+            HostnameVerifier hostnameVerifier = null;
+            if (!config.isVerifySSLEnable()) {
+                hostnameVerifier = new NoopHostnameVerifier();
+            } else if (config.getHostnameVerifier() != null) {
+                hostnameVerifier = config.getHostnameVerifier();
+            } else {
+                hostnameVerifier = new DefaultHostnameVerifier();
+            }
+            sslSocketFactory = new SSLConnectionSocketFactory(sslContext, hostnameVerifier);
         } catch (Exception e) {
             throw new ClientException(e.getMessage());
         }
 
-        SSLConnectionSocketFactory sslSocketFactory = new SSLConnectionSocketFactory(sslContext,
-                NoopHostnameVerifier.INSTANCE);
         Registry<ConnectionSocketFactory> socketFactoryRegistry = RegistryBuilder.<ConnectionSocketFactory> create()
                 .register(Protocol.HTTP.toString(), PlainConnectionSocketFactory.getSocketFactory())
                 .register(Protocol.HTTPS.toString(), sslSocketFactory).build();
@@ -314,4 +343,53 @@ private static Method getClassMethd(Class<?> clazz, String methodName) {
         } catch (Exception e) {
         }
     }
+
+    private class CompositeX509TrustManager implements X509TrustManager {
+
+        private final List<X509TrustManager> trustManagers;
+        private boolean verifySSL = true;
+
+        public boolean isVerifySSL() {
+            return this.verifySSL;
+        }
+
+        public void setVerifySSL(boolean verifySSL) {
+            this.verifySSL = verifySSL;
+        }
+
+        public CompositeX509TrustManager(List<X509TrustManager> trustManagers) {
+            this.trustManagers = trustManagers;
+        }
+
+        @Override
+        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
+            // do nothing
+        }
+
+        @Override
+        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
+            if (!verifySSL) {
+                return;
+            }
+            for (X509TrustManager trustManager : trustManagers) {
+                try {
+                    trustManager.checkServerTrusted(chain, authType);
+                    return; // someone trusts them. success!
+                } catch (CertificateException e) {
+                    // maybe someone else will trust them
+                }
+            }
+            throw new CertificateException("None of the TrustManagers trust this certificate chain");
+        }
+
+        @Override
+        public X509Certificate[] getAcceptedIssuers() {
+            List<X509Certificate> certificates = new ArrayList<X509Certificate>();
+            for (X509TrustManager trustManager : trustManagers) {
+                certificates.addAll(Arrays.asList(trustManager.getAcceptedIssuers()));
+            }
+            X509Certificate[] certificatesArray = new X509Certificate[certificates.size()];
+            return certificates.toArray(certificatesArray);
+        }
+    }
 }