manticore 0.7.0-java → 0.9.0-java

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 508b2d2c3ce9fc25ca2ac915954807783cc8266aac23936a6896d103121a2f0c
-  data.tar.gz: a8ac97bd7fb22df23ac164d5f06f3a35c926d9eac57ae7bfb8e84c0c8d9e7907
+  metadata.gz: 281400646207bd8e4b34bed53610787e5b5d222c72fe5e82dd1d42d8f071f1be
+  data.tar.gz: 421a4a8f1c4f8e06a7d12377812da2613877877904c73d3d8375348fbb9e2103
 SHA512:
-  metadata.gz: 56a60c747c187ddd1255e5da7cbc2ad78570c2ebf5390841298f45366133b48c857df8ac7b7b8bdbbb5194546e3b3112a8c08b5109c66a1299f6fe787ae890fc
-  data.tar.gz: 78e29e767486b820f1d1a280ae4db04b1ad33eccb7da7538bae9e48116305b44d069dc13ee322484146f9cce28b6edf71e868d73be8e075957404c50a99416eb
+  metadata.gz: c72e625dc8aa526a1336c239ced7d46cebf9b16817f9c309b1caaa80028a14e959cbe342e745db69dfef8fd284b1413085a518322406ecab3e7a28725815a34f
+  data.tar.gz: 37774c46167abf4c8cb637580dc2cf91afc4311b8a284c17d48441ba00824ba0af41e47121780837caffef60632aa3c26bb075b323011a2fcb56fb055495e83c

data/.travis.yml

@@ -1,20 +1,22 @@
-dist: xenial
+dist: trusty # due Oracle JDK
 language: ruby
 cache:
   - bundler
   - directories:
     - $HOME/.m2
-rvm:
-  - jruby-9.1.17.0 # Ruby 2.3
-  - jruby-9.2.13.0 # Ruby 2.5
-jdk:
-  - openjdk9
-  - openjdk11
 before_install:
   - gem install bundler -v 1.17.3
 matrix:
   include:
     - rvm: jruby-head
-      jdk: openjdk10
+      jdk: openjdk11
+    - rvm: jruby-9.3.4.0 # Ruby 2.6
+      jdk: openjdk11
+    - rvm: jruby-9.2.20.0 # Ruby 2.5
+      jdk: oraclejdk8
+    - rvm: jruby-9.2.20.0
+      jdk: openjdk11
+    - rvm: jruby-9.1.17.0 # Ruby 2.3
+      jdk: openjdk8
   allow_failures:
     - rvm: jruby-head

data/CHANGELOG.md

@@ -1,10 +1,32 @@
-## v0.6
+### v0.9.0
+
+* [feat] revamped client.close to release resources (#108)
+* [fix] null password handling when loading keystore
+* [fix] ambiguous Java method selection
+* [refactor] revisit hostname verification (#103) 
+* [feat] ssl[:trust_strategy]: wrapper for `org.apache.http.conn.ssl.TrustStrategy` (#106)
+
+### v0.8.0
+
+* [feat] restore compat with (legacy) verify: false (#102)
+* Accept untrusted certs when SSL verify is disabled (#100)
+* [deps] update http-client to 4.5.13 (#99)
+
+## v0.7
+
+### v0.7.1
+
+* Don't override certificates with same Subject (#93)
+* Set Java cause for ManticoreException types (#96)
+* Fix SSL handshake hang indefinitely (#98)
 
 ### v0.7.0
 
 * Drop support for JRuby 1.7. It probably still works, but we don't test against it anymore
 * Fix a thread safety issue with regards to adding requests to the parallel execution queue while the client is already processing a queue (#80)
 
+## v0.6
+
 ### v0.6.4
 
 * client_cert and client_key now take the literal keys as strings, OpenSSL::X509::Certificate/OpenSSL::PKey::Pkey instances, or key file paths. (#77)

data/Gemfile

@@ -4,13 +4,15 @@ source 'https://rubygems.org'
 gemspec
 
 group :development, :test do
-  gem "net-http-server", "~> 0.2"
+  gem "rake-compiler", require: false
+  gem "simplecov"
+
   gem "rspec", "~> 3.0"
   gem "rspec-its"
-  gem "httpclient", "~> 2.3"
-  gem "rack", ">= 2.1.4"
-  gem "rake-compiler"
-  gem "gserver"
-  gem "simplecov"
-  gem "json"
+
+  gem "rack", ">= 2.1.4", require: false
+  gem "json", require: false
+  gem "webrick", require: false
+  gem "net-http-server", require: false
+  gem "gserver", require: false
 end

data/README.md

@@ -2,7 +2,7 @@
 
 **Note**: While I'll continue to maintain the library here, I've moved the canonical copy to Gitlab at https://gitlab.com/cheald/manticore - it is preferred that you submit issues and PRs there.
 
-[![Build Status](https://travis-ci.org/cheald/manticore.svg?branch=master)](https://travis-ci.org/cheald/manticore)
+[![Build Status](https://app.travis-ci.com/cheald/manticore.svg?branch=master)](https://app.travis-ci.com/cheald/manticore)
 
 Manticore is a fast, robust HTTP client built on the Apache HTTPClient libraries. It is only compatible with JRuby.
 
@@ -90,7 +90,11 @@ For detailed documentation, see the [full Manticore::Client documentation](http:
 Rather than using the Facade, you can create your own standalone Client instances. When you create a `Client`, you will pass various parameters that it will use to set up the pool.
 
 ```ruby
-client = Manticore::Client.new(request_timeout: 5, connect_timeout: 5, socket_timeout: 5, pool_max: 10, pool_max_per_route: 2)
+client = Manticore::Client.new(request_timeout: 5,
+                               connect_timeout: 5,
+                               socket_timeout: 5,
+                               pool_max: 10,
+                               pool_max_per_route: 2)
 ```
 
 Then, you can make requests from the client. Pooling and route maximum constraints are automatically managed:
@@ -122,11 +126,20 @@ per-route concurrency limits, and other neat things. In general, you should crea
 To set this up, you might create 2 pools, each configured for the task:
 
 ```ruby
-general_http_client    = Manticore::Client.new connect_timeout: 10, socket_timeout: 10, request_timeout: 10, follow_redirects: true, max_per_route: 2
+general_http_client    = Manticore::Client.new(connect_timeout: 10,
+                                               socket_timeout: 10,
+                                               request_timeout: 10,
+                                               follow_redirects: true,
+                                               max_per_route: 2)
 # With an OpenSSL CA store
-proxied_backend_client = Manticore::Client.new proxy: "https://backend.internal:4242", ssl: {ca_file: "my_certs.pem"}
+proxied_backend_client = Manticore::Client.new(proxy: "https://backend.internal:4242",
+                                               ssl: { ca_file: "my_certs.pem" })
 # Or with a .jks truststore
-# proxied_backend_client = Manticore::Client.new proxy: "https://backend.internal:4242", ssl: {truststore: "./truststore.jks", truststore_password: "s3cr3t"}
+proxied_backend_client = Manticore::Client.new(proxy: "https://backend.internal:4242",
+                                               ssl: {
+                                                 truststore: "./truststore.jks",
+                                                 truststore_password: "s3cr3t"
+                                               })
 ```
 
 This would create 2 separate request pools; the first would be configured with generous timeouts and redirect following, and would use the system

data/Rakefile

@@ -36,6 +36,7 @@ task :generate_certs do
     # Create the CA
     "#{openssl} genrsa 4096 | #{openssl} pkcs8 -topk8 -nocrypt -out #{root}/root-ca.key",
     "#{openssl} req -sha256 -x509 -newkey rsa:4096 -nodes -key #{root}/root-ca.key -sha256 -days 365 -out #{root}/root-ca.crt -subj \"/C=US/ST=The Internet/L=The Internet/O=Manticore CA/OU=Manticore/CN=localhost\"",
+    "#{openssl} req -sha256 -x509 -newkey rsa:4096 -nodes -key #{root}/root-ca.key -sha256 -days 365 -out #{root}/root-untrusted-ca.crt -subj \"/C=US/ST=The Darknet/L=The Darknet/O=Manticore CA/OU=Manticore/CN=localhost\"",
 
     # Create the client CSR, key, and signed cert
     "#{openssl} genrsa 4096 | #{openssl} pkcs8 -topk8 -nocrypt -out #{root}/client.key",
@@ -48,6 +49,7 @@ task :generate_certs do
     "#{openssl} req -sha256 -key #{root}/host.key -newkey rsa:4096 -out #{root}/host.csr -subj \"/C=US/ST=The Internet/L=The Internet/O=Manticore Host/OU=Manticore/CN=localhost\"",
     "#{openssl} x509 -req -in #{root}/host.csr -CA #{root}/root-ca.crt -CAkey #{root}/root-ca.key -CAcreateserial -out #{root}/host.crt -sha256 -days 1",
     "#{openssl} x509 -req -in #{root}/host.csr -CA #{root}/root-ca.crt -CAkey #{root}/root-ca.key -CAcreateserial -out #{root}/host-expired.crt -sha256 -days -7",
+    "#{openssl} x509 -req -in #{root}/host.csr -CA #{root}/root-untrusted-ca.crt -CAkey #{root}/root-ca.key -CAcreateserial -out #{root}/host-untrusted.crt -sha256 -days 1",
 
     "#{keytool} -import -file #{root}/root-ca.crt -alias rootCA -keystore #{root}/truststore.jks -noprompt -storepass test123",
     "#{openssl} pkcs12 -export -clcerts -out #{root}/client.p12 -inkey #{root}/client.key -in #{root}/client.crt -certfile #{root}/root-ca.crt -password pass:test123",

data/lib/manticore/client/trust_strategies.rb

@@ -0,0 +1,119 @@
+module Manticore
+  class Client
+    ##
+    # TrustStrategies is a utility module that provides helpers for
+    # working with org.apache.http.conn.ssl.TrustStrategy
+    module TrustStrategies
+      # Coerces to org.apache.http.conn.ssl.TrustStrategy, allowing nil pass-through
+      #
+      # @overload coerce(coercible)
+      #   @param coercible [nil|TrustStrategy]
+      #   @return [nil,TrustStrategy]
+      # @overload coerce(coercible)
+      #   @param coercible [Proc<(Array<OpenSSL::X509::Certificate>,String)>:Boolean]
+      #     A proc that accepts two arguments and returns a boolean value, and is effectively a
+      #     Ruby-native implementation of `org.apache.http.conn.ssl.TrustStrategy#isTrusted`.
+      #       @param cert_chain [Enumerable<OpenSSL::X509::Certificate>]: the peer's certificate chain
+      #       @param auth_type [String]: the authentication type based on the client certificate
+      #       @raise [OpenSSL::X509::CertificateError]: thrown if the certificate is not trusted or invalid
+      #       @return [Boolean]: true if the certificate can be trusted without verification by the trust manager,
+      #                          false otherwise.
+      #   @example: CA Trusted Fingerprint
+      #      ca_trusted_fingerprint = lambda do |cert_chain, type|
+      #        cert_chain.lazy
+      #                  .map(&:to_der)
+      #                  .map(&::Digest::SHA256.method(:hexdigest))
+      #                  .include?("324a87eebb19265ffb675dc345eb0f3b5d9de3f015159227a00fe552291d4cc4")
+      #      end
+      #      TrustStrategies.coerce(ca_trusted_fingerprint)
+      def self.coerce(coercible)
+        case coercible
+        when org.apache.http.conn.ssl.TrustStrategy, nil then coercible
+        when ::Proc                                      then CustomTrustStrategy.new(coercible)
+        else fail(ArgumentError, "No implicit conversion of #{coercible} to #{self}")
+        end
+      end
+
+      # Combines two possibly-nil TrustStrategies-coercible objects into a
+      # single org.apache.http.conn.ssl.TrustStrategy, or to nil if both are nil.
+      #
+      # @param lhs [nil|TrustStrategie#coerce]
+      # @param rhs [nil|TrustStrategies#coerce]
+      # @return [nil,org.apache.http.conn.ssl.TrustStrategy]
+      def self.combine(lhs, rhs)
+        return coerce(rhs) if lhs.nil?
+        return coerce(lhs) if rhs.nil?
+
+        CombinedTrustStrategy.new(coerce(lhs), coerce(rhs))
+      end
+    end
+
+    ##
+    # @api private
+    # A CombinedTrustStrategy can be used to bypass the Trust Manager if
+    # *EITHER* TrustStrategy trusts the provided certificate chain.
+    # @see TrustStrategies::combine
+    class CombinedTrustStrategy
+      include org.apache.http.conn.ssl.TrustStrategy
+
+      ##
+      # @api private
+      # @see TrustStrategies::combine
+      def initialize(lhs, rhs)
+        @lhs = lhs
+        @rhs = rhs
+        super()
+      end
+
+      ##
+      # @override (see org.apache.http.conn.ssl.TrustStrategy#isTrusted)
+      def trusted?(chain, type)
+        @lhs.trusted?(chain, type) || @rhs.trusted?(chain, type)
+      end
+    end
+
+
+    ##
+    # @api private
+    # A CustomTrustStrategy is an org.apache.http.conn.ssl.TrustStrategy
+    # defined with a proc that uses Ruby OpenSSL::X509::Certificates
+    # @see TrustStrategies::coerce(Proc)
+    class CustomTrustStrategy
+      include org.apache.http.conn.ssl.TrustStrategy
+
+      ##
+      # @see TrustStrategies.coerce(Proc)
+      def initialize(proc)
+        fail(ArgumentError, "2-arity proc required") unless proc.arity == 2
+        @trust_strategy = proc
+      end
+
+      CONVERT_JAVA_CERTIFICATE_TO_RUBY = -> (java_cert) { ::OpenSSL::X509::Certificate.new(java_cert.encoded) }
+      private_constant :CONVERT_JAVA_CERTIFICATE_TO_RUBY
+
+      ##
+      # @override (see org.apache.http.conn.ssl.TrustStrategy#isTrusted)
+      def trusted?(java_chain, type)
+        @trust_strategy.call(java_chain.lazy.map(&CONVERT_JAVA_CERTIFICATE_TO_RUBY), String.new(type))
+      rescue OpenSSL::X509::CertificateError => e
+        raise java_certificate_exception(e)
+      end
+
+      private
+
+      begin
+        # Ruby exceptions can be converted to Throwable since JRuby 9.2
+        Exception.new("sentinel").to_java(java.lang.Throwable)
+        def java_certificate_exception(ruby_certificate_error)
+          throwable = ruby_certificate_error.to_java(java.lang.Throwable)
+          java.security.cert.CertificateException.new(throwable)
+        end
+      rescue TypeError
+        def java_certificate_exception(ruby_certificate_error)
+          message = ruby_certificate_error.message
+          java.security.cert.CertificateException.new(message)
+        end
+      end
+    end
+  end
+end

data/lib/manticore/client.rb

@@ -69,10 +69,8 @@ module Manticore
     include_package "org.apache.http.client.config"
     include_package "org.apache.http.config"
     include_package "org.apache.http.conn.socket"
-    include_package "org.apache.http.impl"
     include_package "org.apache.http.impl.client"
     include_package "org.apache.http.impl.conn"
-    include_package "org.apache.http.impl.auth"
     include_package "org.apache.http.entity"
     include_package "org.apache.http.message"
     include_package "org.apache.http.params"
@@ -80,28 +78,46 @@ module Manticore
     include_package "org.apache.http.auth"
     include_package "java.util.concurrent"
     include_package "org.apache.http.client.protocol"
-    include_package "org.apache.http.conn.ssl"
     include_package "java.security.cert"
     include_package "java.security.spec"
     include_package "java.security"
-    include_package "org.apache.http.client.utils"
     java_import "org.apache.http.HttpHost"
     java_import "javax.net.ssl.SSLContext"
     java_import "org.manticore.HttpGetWithEntity"
     java_import "org.manticore.HttpDeleteWithEntity"
     java_import "org.apache.http.auth.UsernamePasswordCredentials"
+    java_import "org.apache.http.conn.ssl.DefaultHostnameVerifier"
+    java_import "org.apache.http.conn.ssl.NoopHostnameVerifier"
+    java_import "org.apache.http.conn.ssl.SSLConnectionSocketFactory"
+    java_import "org.apache.http.conn.ssl.TrustAllStrategy"
+    java_import "org.apache.http.conn.ssl.TrustSelfSignedStrategy"
+    java_import "org.apache.http.client.utils.URIBuilder"
+    java_import "org.apache.http.impl.DefaultConnectionReuseStrategy"
+    java_import "org.apache.http.impl.auth.BasicScheme"
+    java_import "org.apache.http.ssl.SSLContextBuilder"
+    java_import "org.apache.http.ssl.TrustStrategy"
 
     # This is a class rather than a proc because the proc holds a closure around
     # the instance of the Client that creates it.
     class ExecutorThreadFactory
-      include ::Java::JavaUtilConcurrent::ThreadFactory
+      include java.util.concurrent.ThreadFactory
+
+      java_import 'java.lang.Thread'
+
+      @@factory_no = java.util.concurrent.atomic.AtomicInteger.new
+
+      def initialize(client)
+        @thread_no = java.util.concurrent.atomic.AtomicInteger.new
+        @name_prefix = "manticore##{client.object_id}-#{@@factory_no.increment_and_get}-"
+      end
 
       def newThread(runnable)
-        thread = Executors.defaultThreadFactory.newThread(runnable)
-        thread.daemon = true
-        return thread
+        thread = Thread.new(runnable, @name_prefix + @thread_no.increment_and_get.to_s)
+        thread.setDaemon(true)
+        thread
       end
     end
+    private_constant :ExecutorThreadFactory
 
     include ProxiesInterface
 
@@ -159,10 +175,12 @@ module Manticore
     # @option options [Hash]            ssl                                        Hash of options for configuring SSL
     # @option options [Array<String>]   ssl[:protocols]            (nil)       A list of protocols that Manticore should accept
     # @option options [Array<String>]   ssl[:cipher_suites]        (nil)       A list of cipher suites that Manticore should accept
-    # @option options [Symbol]          ssl[:verify]               (:strict)   Hostname verification setting. Set to `:disable` to turn off hostname verification. Setting to `:browser` will
+    # @option options [Symbol]          ssl[:verify]               (:default)  Hostname verification setting. Set to `:none` to turn off hostname verification. Setting to `:browser` will
     #                                                                            cause Manticore to accept a certificate for *.foo.com for all subdomains and sub-subdomains (eg a.b.foo.com).
-    #                                                                            The default `:strict` is like `:browser` except it'll only accept a single level of subdomains for wildcards,
+    #                                                                            The default `:default` is like `:browser` but more strict - only accepts a single level of subdomains for wildcards,
     #                                                                            eg `b.foo.com` will be accepted for a `*.foo.com` certificate, but `a.b.foo.com` will not be.
+    # @option options [Client::TrustStrategiesInterface] ssl[:trust_strategy] (nil)     A trust strategy to use in addition to any built by `ssl[:verify]`.
+    #                                                                                                @see Client::TrustStrategiesInterface#coerce
     # @option options [String]          ssl[:truststore]          (nil)        Path to a custom trust store to use the verifying SSL connections
     # @option options [String]          ssl[:truststore_password] (nil)        Password used for decrypting the server trust store
     # @option options [String]          ssl[:truststore_type]     (nil)        Format of the trust store, ie "JKS" or "PKCS12". If left nil, the type will be inferred from the truststore filename.
@@ -175,8 +193,8 @@ module Manticore
     # @option options [boolean]         ssl[:track_state]         (false)      Turn on or off connection state tracking. This helps prevent SSL information from leaking across threads, but means that connections
     #                                                                             can't be shared across those threads. This should generally be left off unless you know what you're doing.
     def initialize(options = {})
-      @finalizers = []
-      self.class.shutdown_on_finalize self, @finalizers
+      @finalizer = Finalizer.new
+      self.class.shutdown_on_finalize self, @finalizer
 
       builder = client_builder
       builder.set_user_agent options.fetch(:user_agent, "Manticore #{VERSION}")
@@ -201,11 +219,7 @@ module Manticore
         builder.set_connection_reuse_strategy DefaultConnectionReuseStrategy.new
       end
 
-      socket_config_builder = SocketConfig.custom
-      socket_config_builder.set_so_timeout(options.fetch(:socket_timeout, DEFAULT_SOCKET_TIMEOUT) * 1000)
-      socket_config_builder.set_tcp_no_delay(options.fetch(:tcp_no_delay, true))
-      builder.set_default_socket_config socket_config_builder.build
-
+      builder.set_default_socket_config socket_config_from_options(options)
       builder.set_connection_manager pool(options)
 
       request_config = RequestConfig.custom
@@ -346,21 +360,58 @@ module Manticore
       end
     end
 
-    # Free resources associated with the CloseableHttpClient
-    def close
-      @client.close if @client
+    # Release resources held by this client, namely:
+    #  - close the internal http client
+    #  - shutdown the connection pool
+    #  - stops accepting async requests in the executor
+    #
+    # After this call the client is no longer usable.
+    # @note In versions before 0.9 this method only closed the underlying `CloseableHttpClient`
+    def close(await: nil)
+      ObjectSpace.undefine_finalizer(self)
+      @finalizer.call # which does ~ :
+      # @executor&.shutdown rescue nil
+      # @client&.close
+      # @pool&.shutdown rescue nil
+      @async_requests.close
+      case await
+      when false, nil
+        @executor&.shutdown_now rescue nil
+      when Numeric
+        # NOTE: the concept of awaiting gracefully might/should also be used with the pool/client closing
+        millis = java.util.concurrent.TimeUnit::MILLISECONDS
+        @executor&.await_termination(await * 1000, millis) rescue nil
+      else
+        nil
+      end
+    end
+
+    # @private
+    class Finalizer
+
+      def initialize
+        @_objs = []
+      end
+
+      def push(obj, args)
+        @_objs.unshift [java.lang.ref.WeakReference.new(obj), Array(args)]
+      end
+
+      def call(id = nil) # when called on finalization an object id arg is passed
+        @_objs.each { |obj, args| obj.get&.send(*args) rescue nil }
+      end
+
     end
+    private_constant :Finalizer
 
     # Get at the underlying ExecutorService used to invoke asynchronous calls.
     def executor
-      create_executor_if_needed
-      @executor
+      @executor ||= create_executor
     end
 
-    def self.shutdown_on_finalize(client, objs)
-      ObjectSpace.define_finalizer client, -> {
-                                     objs.each { |obj, args| obj.send(*args) rescue nil }
-                                   }
+    # @private
+    def self.shutdown_on_finalize(client, finalizer)
+      ObjectSpace.define_finalizer(client, finalizer)
     end
 
     protected
@@ -368,8 +419,9 @@ module Manticore
     # Takes an object and a message to pass to the object to destroy it. This is done rather than
     # a proc to avoid creating a closure that would maintain a reference to this client, which
     # would prevent the client from being cleaned up.
+    # @private
     def finalize(object, args)
-      @finalizers << [WeakRef.new(object), Array(args)]
+      @finalizer.push(object, args)
     end
 
     def url_as_regex(url)
@@ -389,7 +441,7 @@ module Manticore
 
       # :nocov:
       if options[:ignore_ssl_validation]
-        $stderr.puts "The options[:ignore_ssl_validation] setting is deprecated in favor of options[:ssl][:verify]"
+        warn "The options[:ignore_ssl_validation] setting is deprecated in favor of options[:ssl][:verify]"
         options[:ssl] ||= {}
         options[:ssl] = {:verify => !options.delete(:ignore_ssl_validation)}.merge(options[:ssl])
       end
@@ -407,22 +459,30 @@ module Manticore
           cm.set_validate_after_inactivity options.fetch(:check_connection_timeout, 2_000)
           cm.set_default_max_per_route options.fetch(:pool_max_per_route, @max_pool_size)
           cm.set_max_total @max_pool_size
+          cm.set_default_socket_config socket_config_from_options(options)
+
           finalize cm, :shutdown
         end
       end
     end
+    
+    def socket_config_from_options(options)
+      socket_config_builder = SocketConfig.custom
+      socket_config_builder.set_so_timeout(options.fetch(:socket_timeout, DEFAULT_SOCKET_TIMEOUT) * 1000)
+      socket_config_builder.set_tcp_no_delay(options.fetch(:tcp_no_delay, true))
+      socket_config_builder.build
+    end
 
-    def create_executor_if_needed
-      return @executor if @executor
-      @executor = Executors.new_cached_thread_pool(ExecutorThreadFactory.new)
-      finalize @executor, :shutdown
+    def create_executor
+      executor = Executors.new_cached_thread_pool(ExecutorThreadFactory.new(self))
+      finalize executor, :shutdown
+      executor
     end
 
     def request(klass, url, options, &block)
       req, context = request_from_options(klass, url, options)
       async = options.delete(:async)
       background = options.delete(:async_background)
-      create_executor_if_needed if (background || async)
       response = response_object_for(req, context, &block)
 
       if async
@@ -510,14 +570,13 @@ module Manticore
 
       if @use_cookies == :per_request
         store = BasicCookieStore.new
-        context.setAttribute(ClientContext.COOKIE_STORE, store)
+        context.setAttribute(ClientContext::COOKIE_STORE, store)
       end
 
       return req, context
     end
 
     def get_proxy_host(opt)
-      host = nil
       if opt.is_a? String
         uri = URI.parse(opt)
         if uri.host
@@ -602,23 +661,30 @@ module Manticore
 
     # Configure the SSL Context
     def ssl_socket_factory_from_options(ssl_options)
-      trust_store = trust_strategy = nil
-
-      verifier = SSLConnectionSocketFactory::STRICT_HOSTNAME_VERIFIER
-      case ssl_options.fetch(:verify, :strict)
-      when false, :disable, :none
-        trust_store = nil
-        trust_strategy = TrustSelfSignedStrategy.new
+      trust_strategy = nil
+
+      case ssl_options.fetch(:verify, :default)
+      when :none, :disable
+        trust_strategy = TrustAllStrategy::INSTANCE
+        verifier = NoopHostnameVerifier::INSTANCE
+      when false # compatibility
+        trust_strategy = TrustSelfSignedStrategy::INSTANCE
         verifier = SSLConnectionSocketFactory::ALLOW_ALL_HOSTNAME_VERIFIER
       when :browser
         verifier = SSLConnectionSocketFactory::BROWSER_COMPATIBLE_HOSTNAME_VERIFIER
-      when true, :strict, :default
+      when :default, true
+        verifier = DefaultHostnameVerifier.new
+      when :strict # compatibility
         verifier = SSLConnectionSocketFactory::STRICT_HOSTNAME_VERIFIER
       else
-        raise "Invalid value for :verify. Valid values are (:all, :browser, :default)"
+        raise "Invalid value for :verify. Valid values are (:default, :browser, :none)"
+      end
+
+      if ssl_options.include?(:trust_strategy)
+        trust_strategy = TrustStrategies.combine(trust_strategy, ssl_options.fetch(:trust_strategy))
       end
 
-      context = SSLContexts.custom
+      context = SSLContextBuilder.new
       setup_trust_store ssl_options, context, trust_strategy
       setup_key_store ssl_options, context
 
@@ -633,13 +699,13 @@ module Manticore
         trust_store ||= blank_keystore
         open(ssl_options[:ca_file]) do |fp|
           cert_collection = CertificateFactory.get_instance("X509").generate_certificates(fp.to_inputstream).to_a
-          cert_collection.each do |cert|
-            trust_store.set_certificate_entry(cert.getSubjectX500Principal.name, cert)
+          cert_collection.each_with_index do |cert, i|
+            trust_store.set_certificate_entry("#{i}#" + cert.getSubjectX500Principal.name, cert)
           end
         end
       end
 
-      context.load_trust_material(trust_store, trust_strategy)
+      context.java_send :loadTrustMaterial, [KeyStore, TrustStrategy], trust_store, trust_strategy
     end
 
     KEY_EXTRACTION_REGEXP = /(?:^-----BEGIN(.* )PRIVATE KEY-----\n)(.*?)(?:-----END\1PRIVATE KEY.*$)/m
@@ -651,7 +717,6 @@ module Manticore
       # Support OpenSSL-style bare X.509 certs with an RSA key
       if ssl_options[:client_cert] && ssl_options[:client_key]
         key_store ||= blank_keystore
-        certs, key = nil, nil
 
         cert_str = if ssl_options[:client_cert].is_a?(OpenSSL::X509::Certificate)
                      ssl_options[:client_cert].to_s
@@ -690,7 +755,7 @@ module Manticore
     def get_store(prefix, options)
       KeyStore.get_instance(options[:"#{prefix}_type"] || guess_store_type(options[prefix])).tap do |store|
         instream = open(options[prefix], "rb").to_inputstream
-        store.load(instream, options.fetch(:"#{prefix}_password", nil).to_java.toCharArray)
+        store.load(instream, options.fetch(:"#{prefix}_password", nil).to_java&.toCharArray)
       end
     end
 

data/lib/manticore/response.rb

@@ -11,14 +11,13 @@ module Manticore
   # @!attribute [r] callback_result
   #   @return Value returned from any given on_success/response block
   class Response
-    include_package "org.apache.http.client"
-    include_package "org.apache.http.util"
-    include_package "org.apache.http.protocol"
+
+    java_import "org.apache.http.client.ResponseHandler"
     java_import "org.apache.http.client.protocol.HttpClientContext"
-    java_import "java.util.concurrent.Callable"
+    java_import "org.apache.http.protocol.ExecutionContext"
 
-    include ResponseHandler
-    include Callable
+    include org.apache.http.client.ResponseHandler
+    include java.util.concurrent.Callable
 
     attr_accessor :background
     attr_reader :context, :request, :callback_result, :called, :future
@@ -54,15 +53,16 @@ module Manticore
         ex = Manticore::ConnectTimeout
       rescue Java::JavaNet::SocketException => e
         ex = Manticore::SocketException
-      rescue Java::OrgApacheHttpClient::ClientProtocolException, Java::JavaxNetSsl::SSLHandshakeException, Java::OrgApacheHttpConn::HttpHostConnectException,
-             Java::OrgApacheHttp::NoHttpResponseException, Java::OrgApacheHttp::ConnectionClosedException => e
+      rescue Java::OrgApacheHttpClient::ClientProtocolException, Java::JavaxNetSsl::SSLHandshakeException,
+             Java::OrgApacheHttpConn::HttpHostConnectException, Java::OrgApacheHttp::NoHttpResponseException,
+             Java::OrgApacheHttp::ConnectionClosedException => e
         ex = Manticore::ClientProtocolException
       rescue Java::JavaNet::UnknownHostException => e
         ex = Manticore::ResolutionFailure
       rescue Java::JavaLang::IllegalArgumentException => e
         ex = Manticore::InvalidArgumentException
       rescue Java::JavaLang::IllegalStateException => e
-        if e.message.match(/Connection pool shut down/)
+        if (e.message || '').index('Connection pool shut down')
           ex = Manticore::ClientStoppedException
         else
           @exception = e
@@ -75,7 +75,7 @@ module Manticore
 
       # TODO: If calling async, execute_complete may fail and then silently swallow exceptions. How do we fix that?
       if ex || @exception
-        @exception ||= ex.new(e.cause || e.message)
+        @exception ||= ex.new(e)
         @handlers[:failure].call @exception
         execute_complete
         nil
@@ -90,8 +90,8 @@ module Manticore
     # @return [String]
     def final_url
       call_once
-      last_request = context.get_attribute ExecutionContext.HTTP_REQUEST
-      last_host = context.get_attribute ExecutionContext.HTTP_TARGET_HOST
+      last_request = context.get_attribute ExecutionContext::HTTP_REQUEST
+      last_host = context.get_attribute ExecutionContext::HTTP_TARGET_HOST
       host = last_host.to_uri
       url = last_request.get_uri
       URI.join(host, url.to_s)