From 809c7d33ea5ef2ffefa1dc31ace839155955600d Mon Sep 17 00:00:00 2001
From: Phil Hagelberg
Date: Mon, 29 May 2017 15:55:49 -0700
Subject: [PATCH] Document what causes insecure HTTP repository errors. Fixes #2277.
---
 doc/FAQ.md | 21 ++++++++++++++++++++-
 leiningen-core/src/leiningen/core/main.clj | 9 ++++++++-
 2 files changed, 28 insertions(+), 2 deletions(-)
diff --git a/doc/FAQ.md b/doc/FAQ.md
index 00ad1a75..10f8c596 100644
--- a/doc/FAQ.md
+++ b/doc/FAQ.md
@@ -216,6 +216,25 @@ property.
 * You should also check your system clock and make sure the time is accurate; it's possible to run into SSL connection failures if your clock is way out of sync.
 * If it still doesn't work, please see if any of [these 'ssl' labelled issues](https://github.com/technomancy/leiningen/issues?utf8=%E2%9C%93&q=is%3Aissue%20label%3Assl%20) might help
+**Q:** I got "Tried to use insecure HTTP repository without TLS", what
+is that about?
+**A:** This means your project was configured to download dependencies
+from a repository that does not use TLS encryption. This is very
+insecure and exposes you to trivially-executed man-in-the-middle attacks.
+In the rare event that you don't care about the security of the machines
+running your project, you can re-enable support for unprotected repositories
+by putting this in your `project.clj` file:
+
+ ;; never do this
+ (require 'cemerick.pomegranate.aether)
+ (cemerick.pomegranate.aether/register-wagon-factory!
+ "http "#(org.apache.maven.wagon.providers.http.HttpWagon.))
+
+It's also possible you have a dependency which includes a reference to
+an insecure repository for retrieving its own dependencies. If this
+happens it is strongly recommended to add an `:exclusion` and report a
+bug with the dependency which does this.
+
 **Q:** `lein`/`lein.bat` won't download `leiningen-x.y.z-SNAPSHOT.jar`
 **A:** You probably downloaded `lein`/`lein.bat` from the [master branch](https://github.com/technomancy/leiningen/tree/master/bin). Unless you plan to build leiningen yourself or help develop it, we suggest you use the latest stable version: [lein](https://raw.githubusercontent.com/technomancy/leiningen/stable/bin/lein)/[lein.bat](https://raw.githubusercontent.com/technomancy/leiningen/stable/bin/lein.bat)
@@ -233,4 +252,4 @@ Prior to version 2.7.2, this is the workaround:
 ```clj
 :dependencies [[~(symbol "net.3scale" "3scale-api") "3.0.2"]]
-```
\ No newline at end of file
+```
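Review bot: The opt-out snippet in the new answer passes the scheme as `"http "` (trailing space inside the string literal, no separator before `#(`), so it registers a wagon factory for a scheme named `http ` and leaves the abort factory for `http` untouched; a reader who copies it verbatim will still get the error the FAQ entry is explaining. The line should read `"http" #(org.apache.maven.wagon.providers.http.HttpWagon.))`. In the same answer, the project.clj key for dropping a transitive dependency is `:exclusions`, not `:exclusion`. Since this snippet deliberately weakens transport security, the answer could also point out that the override belongs in a clearly marked profile or block so it is easy to find and remove once the upstream repository moves to HTTPS.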
diff --git a/leiningen-core/src/leiningen/core/main.clj b/leiningen-core/src/leiningen/core/main.clj
index 4f4e8bd8..a5240a7a 100644
--- a/leiningen-core/src/leiningen/core/main.clj
+++ b/leiningen-core/src/leiningen/core/main.clj
@@ -5,8 +5,9 @@
 [leiningen.core.utils :as utils]
 [clojure.java.io :as io]
 [clojure.string :as string]
+ [clojure.stacktrace :as stacktrace]
 [bultitude.core :as b]
- [clojure.stacktrace :as stacktrace]))
+ [cemerick.pomegranate.aether :as aether]))
 (def aliases {"-h" "help", "-help" "help", "--help" "help", "-?" "help",
 "-v" "version", "-version" "version", "--version" "version",
@@ -388,10 +389,16 @@ Get the latest version of Leiningen at http://leiningen.org or by executing
 :test-paths ^:replace []})
 (project/init-project)))
+(defn- insecure-http-abort [& _]
+ (abort "Tried to use insecure HTTP repository without TLS.
+This is almost certainly a mistake; however in rare cases where it's
+intentional please see `lein help faq` for details."))
+
 (defn -main
 "Command-line entry point."
 [& raw-args]
 (try
+ (aether/register-wagon-factory! "http" insecure-http-abort)
 (user/init)
 (let [project (if (.exists (io/file *cwd* "project.clj"))
 (project/read (str (io/file *cwd* "project.clj")))
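Review bot: The abort factory is registered only inside `-main`, as the first form after `(try`, so the fail-closed behaviour is tied to the CLI entry point; any caller that resolves dependencies through leiningen-core without going through `-main` (if such callers exist) presumably keeps resolving over plain HTTP as before. If that is intended, a comment on the registration line should say so, e.g. `;; fail closed on plain-HTTP repos; project.clj/profiles run later and may re-register a real wagon (see FAQ)`; otherwise the registration belongs next to the dependency-resolution code rather than here. `insecure-http-abort` also lacks a docstring; something like `"Wagon factory for the \"http\" scheme: aborts instead of constructing a wagon so unencrypted repositories fail closed."` placed after the name would make the intent clear to the next reader. The body of `-main` continues past the end of the hunk.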