Modify WebDetector/Monitor/Plugin/Client to expose ability to enable/disable certificate validation
Activity

Nicklas Björk November 14, 2019 at 1:37 PM
Currently OpenNMS would send an HTTPS request to an IP address (not a name), and if the SSL certificate of the web server in question does not contain this IP, the connection fails with a handshake error.
The default value of useSSLFilter = FALSE, which would imply that there should be no certificate validation.
This is how it seems to work in pseudo code:
    WebDetector.useSSLFilter = FALSE;
    new WebClient(useSSLFilter) {
        m_overrideSSL = useSSLFilter;
        if (m_overrideSSL == TRUE)
            HttpClientWrapper.trustSelfSigned();
    }
To me, useSSLFilter and m_overrideSSL mean opposite things, yet they are treated equally in the code as far as I can see.
I propose the following solution:
In WebDetector.java, the boolean meaning of useSSLFilter should be converted to m_overrideSSL, before it is sent to WebClient.
In WebClient.java, call HttpClientWrapper.useRelaxedSSL() instead of trustSelfSigned() if SSL-filtering is turned off.
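
The comment above describes a request sent to an IP address whose certificate does not contain that IP. For an IP target, RFC 2818 hostname verification matches only against iPAddress subjectAltName entries, so a certificate that lists DNS names alone cannot match. The following is an added example, not OpenNMS code, that checks this condition on a SAN list in the shape returned by the JDK's X509Certificate.getSubjectAlternativeNames(); the class name, method name and sample SAN values are assumptions constructed for illustration.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;

public class SanIpCheck {
    // GeneralName tags (RFC 5280) as reported by
    // X509Certificate.getSubjectAlternativeNames(): [Integer type, value].
    static final int DNS_NAME = 2;
    static final int IP_ADDRESS = 7;

    /** True if an iPAddress SAN entry equals the address being polled. */
    static boolean ipCoveredBySan(Collection<List<?>> sans, String polledIp)
            throws UnknownHostException {
        if (sans == null) {
            return false; // certificate has no SAN extension at all
        }
        // Both arguments below are IP literals, so getByName() only parses
        // them (no DNS lookup) and normalises IPv6 spelling for equals().
        InetAddress target = InetAddress.getByName(polledIp);
        for (List<?> entry : sans) {
            if (entry.size() < 2 || !(entry.get(0) instanceof Integer)
                    || !(entry.get(1) instanceof String)) {
                continue; // other GeneralName kinds carry non-String values
            }
            if (((Integer) entry.get(0)).intValue() == IP_ADDRESS
                    && InetAddress.getByName((String) entry.get(1)).equals(target)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws UnknownHostException {
        // Constructed SAN lists, not taken from any real certificate.
        Collection<List<?>> dnsOnly = Arrays.<List<?>>asList(
                Arrays.<Object>asList(DNS_NAME, "web01.example.org"));
        Collection<List<?>> withIp = Arrays.<List<?>>asList(
                Arrays.<Object>asList(DNS_NAME, "web01.example.org"),
                Arrays.<Object>asList(IP_ADDRESS, "192.0.2.10"),
                Arrays.<Object>asList(IP_ADDRESS, "2001:db8:0:0:0:0:0:10"));

        System.out.println(ipCoveredBySan(dnsOnly, "192.0.2.10"));   // name-only cert
        System.out.println(ipCoveredBySan(withIp, "192.0.2.10"));
        System.out.println(ipCoveredBySan(withIp, "2001:db8::10"));  // compressed form
    }
}
```

Running this check against a monitored server's certificate shows whether adding the IP as a SAN entry would let validation stay enabled for that service.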

Tim Miller Dyck November 15, 2015 at 1:23 PM
I was testing with OpenNMS 16.0.4.

Tim Miller Dyck November 14, 2015 at 11:04 AM
I am trying to use the parameter useSSLFilter with provisiond service detection using the class org.opennms.netmgt.provision.detector.web.WebDetector. However, setting useSSLFilter to either true or false (either case) still causes a service rescan to report "javax.net.ssl.SSLHandshakeException: SSL handshake failed." in provisiond.log.
Looking at the patch, it appears to only apply to capsd and pollerd, not provisiond. Can anyone who knows more comment on this?
Thanks!
Tim Miller Dyck

Benjamin Reed April 8, 2015 at 9:31 PM
Merged to develop.
Currently, WebDetector exposes a parameter "useSSLFilter" which ostensibly disables the TrustManager so that self-signed certificates will be allowed. The problem is that WebMonitor and WebPlugin do not appear to expose this option.
Created a pull request to resolve this issue:
https://github.com/OpenNMS/opennms/pull/226