[FIXED JENKINS-12629]

Added the -noCertificateCheck option (the option name is consistent with
the slave.jar) that lets users bypass the HTTPS certificate check.

This allows trivial man-in-the-middle attack, so HTTPS will no longer be
HTTPS.

cli/src/main/java/hudson/cli/CLI.java

@@ -36,6 +36,11 @@ import org.codehaus.mojo.animal_sniffer.IgnoreJRERequirement;
 
 import javax.crypto.SecretKey;
 import javax.crypto.spec.SecretKeySpec;
+import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.HttpsURLConnection;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSession;
+import javax.net.ssl.TrustManager;
 import java.io.BufferedInputStream;
 import java.io.BufferedOutputStream;
 import java.io.BufferedReader;
@@ -60,6 +65,7 @@ import java.security.GeneralSecurityException;
 import java.security.KeyFactory;
 import java.security.KeyPair;
 import java.security.PublicKey;
+import java.security.SecureRandom;
 import java.security.Signature;
 import java.security.spec.DSAPrivateKeySpec;
 import java.security.spec.DSAPublicKeySpec;
@@ -400,6 +406,20 @@ public class CLI {
                 args = args.subList(2,args.size());
                 continue;
             }
+            if (head.equals("-noCertificateCheck")) {
+                System.out.println("Skipping HTTPS certificate checks altogether. Note that this is not secure at all.");
+                SSLContext context = SSLContext.getInstance("TLS");
+                context.init(null, new TrustManager[]{new NoCheckTrustManager()}, new SecureRandom());
+                HttpsURLConnection.setDefaultSSLSocketFactory(context.getSocketFactory());
+                // bypass host name check, too.
+                HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
+                    public boolean verify(String s, SSLSession sslSession) {
+                        return true;
+                    }
+                });
+                args = args.subList(1,args.size());
+                continue;
+            }
             if(head.equals("-i") && args.size()>=2) {
                 File f = new File(args.get(1));
                 if (!f.exists()) {

cli/src/main/java/hudson/cli/NoCheckTrustManager.java

+package hudson.cli;
+
+import javax.net.ssl.TrustManager;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+
+/**
+ * @author Kohsuke Kawaguchi
+ */
+public class NoCheckTrustManager implements TrustManager {
+    public void checkClientTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
+    }
+
+    public void checkServerTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
+    }
+
+    public X509Certificate[] getAcceptedIssuers() {
+        return new X509Certificate[0];
+    }
+}

cli/src/main/resources/hudson/cli/client/Messages.properties

 CLI.Usage=Jenkins CLI\n\
   Usage: java -jar jenkins-cli.jar [-s URL] command [opts...] args...\n\
   Options:\n\
-  \ -s URL       : the server URL (defaults to the JENKINS_URL env var)\n\
-  \ -i KEY       : SSH private key file used for authentication\n\
-  \ -p HOST:PORT : HTTP proxy host and port for HTTPS proxy tunneling. See http://jenkins-ci.org/https-proxy-tunnel\n\
+   -s URL       : the server URL (defaults to the JENKINS_URL env var)\n\
+   -i KEY       : SSH private key file used for authentication\n\
+   -p HOST:PORT : HTTP proxy host and port for HTTPS proxy tunneling. See http://jenkins-ci.org/https-proxy-tunnel\n\
+   -noCertificateCheck : bypass HTTPS certificate check entirely. Use with caution\n\
   \n\
   The available commands depend on the server. Run the 'help' command to\n\
   see the list.