feat: add optional insecure TLS setting and fallback certificate support

- Added `useInsecureTLS` config option to disable TLS certificate validation for relay connections
  ⚠️ Not recommended; prefer installing Zulu 8 JDK or importing the relay certificate manually
- Improved TLS handling in broker HTTP connections:
  - Uses system-default TLS validation by default
  - Falls back to bundled cert `/certs/broker.e4mc.link.cert` if validation fails

Author: xhyrom

CHANGELOG.md

@@ -1,5 +1,15 @@
 # Changelog
 
+## 1.0.2
+
+- **Added** a new configuration option: `useInsecureTLS`
+  This allows disabling TLS certificate validation for relay connections.
+  ⚠️ **Warning:** This is insecure and not recommended. It is strongly advised to install the Azul Zulu 8 JDK or manually import the relay certificate instead.
+  See [this comment](https://github.com/xhyrom/e4mc-retro/issues/2#issuecomment-3102506009) for detailed instructions and rationale.
+- **Improved TLS handling** for broker HTTP connections:
+  * If `useInsecureTLS` is enabled, the client uses an insecure trust manager that disables certificate validation.
+  * If disabled (default), the client first attempts to use the system-default TLS validation. If that fails, it falls back to a bundled custom trust manager using `/certs/broker.e4mc.link.cert`.
+
 ## 1.0.1
 
 - Fixed a bug where commands would not output and could crash due to a `NullPointerException` in the `sendCommandFeedback` mixin when `getServer()` returned null.

common/src/main/java/link/e4mc/Config.java

@@ -39,6 +39,14 @@ public class Config extends ReflectiveConfig {
     public final TrackedValue<String> relayHost = this.value("test.e4mc.link");
     public final TrackedValue<Integer> relayPort = this.value(25575);
 
+    @Comment("Disables TLS certificate validation for relay connections.\n"
+            + "Use this only as a last resort if you're experiencing SSL certificate errors.\n"
+            + "This is insecure and not recommended.\n"
+            + "Instead, it is strongly recommended to install the Azul Zulu 8 JDK, which avoids these issues.\n"
+            + "For a proper fix, including how to import the certificate manually, see:\n"
+            + "https://github.com/xhyrom/e4mc-retro/issues/2#issuecomment-3102506009")
+    public final TrackedValue<Boolean> useInsecureTLS = this.value(false);
+
     @Comment("Allows use of certain dedicated server commands such as /ban and /whitelist")
     public final TrackedValue<Boolean> restoreDedicatedCommands = this.value(true);
     @Comment("Whether to use whitelists on LAN worlds")

common/src/main/java/link/e4mc/QuiclimeSession.java

@@ -38,17 +38,22 @@
 import dev.xhyrom.e4mc.shadow.io.netty.handler.ssl.util.InsecureTrustManagerFactory;
 import dev.xhyrom.e4mc.shadow.io.netty.incubator.codec.quic.*;
 import link.e4mc.platform.Services;
+import link.e4mc.util.SSLUtil;
 import net.minecraft.ChatFormatting;
 import net.minecraft.client.Minecraft;
 import net.minecraft.network.chat.*;
 
+import javax.net.ssl.HttpsURLConnection;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLException;
 import java.io.BufferedReader;
 import java.io.InputStreamReader;
 import java.net.HttpURLConnection;
 import java.net.InetAddress;
 import java.net.InetSocketAddress;
 import java.net.URL;
 import java.nio.charset.StandardCharsets;
+import java.security.SecureRandom;
 import java.util.List;
 import java.util.concurrent.TimeUnit;
 import java.util.function.Consumer;
@@ -269,6 +274,36 @@ private static BrokerResponse getRelay() throws Exception {
             conn.setRequestMethod("GET");
             conn.setRequestProperty("Accept", "application/json");
 
+            if (conn instanceof HttpsURLConnection) {
+                SSLContext sc = SSLContext.getInstance("TLS");
+
+                if (Config.INSTANCE.useInsecureTLS.value()) {
+                    E4mcClient.LOGGER.warn("Using insecure TLS for broker connection.\n"
+                            + "This disables SSL certificate validation and is not secure.\n"
+                            + "It is strongly recommended to install the Zulu 8 JDK or manually import the certificate.\n"
+                            + "See https://github.com/xhyrom/e4mc-retro/issues/2#issuecomment-3102506009 for details.");
+
+                    sc.init(null, InsecureTrustManagerFactory.INSTANCE.getTrustManagers(), new SecureRandom());
+                    ((HttpsURLConnection) conn).setSSLSocketFactory(sc.getSocketFactory());
+                } else {
+                    try {
+                        E4mcClient.LOGGER.info("Using system default TLS validation for broker connection.");
+
+                        conn.connect();
+                    } catch (SSLException e) {
+                        E4mcClient.LOGGER.warn("System default TLS validation failed, falling back to bundled cert.");
+
+                        sc.init(null, SSLUtil.createTrustManagersFromCert("/certs/broker.e4mc.link.cert"), new SecureRandom());
+
+                        conn = (HttpsURLConnection) url.openConnection();
+                        conn.setRequestMethod("GET");
+                        conn.setRequestProperty("Accept", "application/json");
+                        ((HttpsURLConnection) conn).setSSLSocketFactory(sc.getSocketFactory());
+                        conn.connect();
+                    }
+                }
+            }
+
             E4mcClient.LOGGER.info("req: GET " + url);
 
             int status = conn.getResponseCode();

common/src/main/java/link/e4mc/util/SSLUtil.java

@@ -0,0 +1,30 @@
+package link.e4mc.util;
+
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+import java.io.InputStream;
+import java.security.KeyStore;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateFactory;
+
+public class SSLUtil {
+    public static TrustManager[] createTrustManagersFromCert(String certResourcePath) throws Exception {
+        try (InputStream certInputStream = SSLUtil.class.getResourceAsStream(certResourcePath)) {
+            if (certInputStream == null) {
+                throw new IllegalArgumentException("Certificate resource not found: " + certResourcePath);
+            }
+
+            CertificateFactory cf = CertificateFactory.getInstance("X.509");
+            Certificate caCert = cf.generateCertificate(certInputStream);
+
+            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
+            keyStore.load(null, null);
+            keyStore.setCertificateEntry("caCert", caCert);
+
+            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+            tmf.init(keyStore);
+
+            return tmf.getTrustManagers();
+        }
+    }
+}

common/src/main/resources/certs/broker.e4mc.link.cert

@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIE+TCCA+GgAwIBAgISBqFtI9Z34+g6vl6W9w36r6YDMA0GCSqGSIb3DQEBCwUA
+MDMxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQwwCgYDVQQD
+EwNSMTEwHhcNMjUwNzA1MDcxMjIwWhcNMjUxMDAzMDcxMjE5WjAbMRkwFwYDVQQD
+ExBicm9rZXIuZTRtYy5saW5rMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAlXIPYXE1/+XFEXRx0zqY+ElMB3V/X9lKQA9VEaqkHNIJwbF732eJ8/6helEg
+kSumAoH2pNFRb05SnOa+rYiiCF1TETcXCwprwJ2XB0rNkM8GJ8048w3wGBGCY5cN
+EbqbVaMJ8F8nOzZ4KqRHGHZQHdfZS6eNMbd4cItWsMaYEW+EuA7Xm4XsZ9QHGZmz
+3C8VA7/R6DiLiYnZggB5KtdKPvDq9wg2ei990ZOq1zVTbTWsmcfaCCmsnvB6uRhp
+VveKpIES5r4jlP49pOCMZi9P/rIC5oVFEwbYQJbze8BZ/9VbOUZ9fKFi1oN8mlA/
+HOkfD0Hb/z9FbQY3td2KTBAg9wIDAQABo4ICHTCCAhkwDgYDVR0PAQH/BAQDAgWg
+MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0G
+A1UdDgQWBBTU3ecHLJkIGxluI+bjklY8hlrUXTAfBgNVHSMEGDAWgBTFz0ak6vTD
+wHpslcQtsF6SLybjuTAzBggrBgEFBQcBAQQnMCUwIwYIKwYBBQUHMAKGF2h0dHA6
+Ly9yMTEuaS5sZW5jci5vcmcvMBsGA1UdEQQUMBKCEGJyb2tlci5lNG1jLmxpbmsw
+EwYDVR0gBAwwCjAIBgZngQwBAgEwLQYDVR0fBCYwJDAioCCgHoYcaHR0cDovL3Ix
+MS5jLmxlbmNyLm9yZy80LmNybDCCAQIGCisGAQQB1nkCBAIEgfMEgfAA7gB1AKRC
+xQZJYGFUjw/U6pz7ei0mRU2HqX8v30VZ9idPOoRUAAABl9mjWx8AAAQDAEYwRAIg
+KnbAuafDKVUyDrvtYzOY6C6wKvC+3hNCyZ3cx9+r05cCIHkHd5W+8zH9QQ125bRf
+IegR78U7lb7tPZiVHS6+XxUfAHUAzPsPaoVxCWX+lZtTzumyfCLphVwNl422qX5U
+wP5MDbAAAAGX2aNrbwAABAMARjBEAiAyr5PO1dSbl+b58L7/a1XoyNODPytYnnzB
+7flbiB/gvgIgcDlwyjePI/POa7/Y7NAI0uwi8XNvBhtR/eGMdnUgIhcwDQYJKoZI
+hvcNAQELBQADggEBACaumADPhtla2AHs4v9YI8Hoixi5FrsNiUBdTDAl20jpxXuI
+r83AfhgHNnZqBRkpizMU+rSA6QEEJjfkswRatjPfFJmNaecwj2LH/XLI0m2RTdt9
+ZlEi/r4EQCoi8u8A5bA9GKxMtDmBgCZU94QexvWNOHCrhDnh5x/JhOQhG1Vfd9/z
+e92fk5oxdT3lF2v/3ChQvkUJy0L5hlW312McMyD89H+njmU4NO0WR3Ctz4BJvBem
++pzknvxnGt0ZNNS4ijPAYiVul05a1gCd2QgzV9YL/q0dDDitjeejk9PAFItCTQGb
+2FXj3U7nZG0T1Vm7hfv9pfNS51SJIYiwLnEoJUQ=
+-----END CERTIFICATE-----

gradle.properties

@@ -12,5 +12,5 @@ forge_version=28.2.26
 ornithe_osl_version = 0.16.3
 
 mod_id = e4mc_retro_minecraft
-mod_version = 1.0.1
+mod_version = 1.0.2
 archives_base_name = e4mc-retro