Hi,
We have an application that uses the Jersey (2.36) javax.ws.rs.Client
class to make HTTP(S) requests. We have a requirement to disable the
Hostname Verification for HTTPS connections.
Depending on the context, we can back this javax.ws.rs.Client class by
different providers, one being the Jetty HttpClient, through the Jersey
JettyConnectorProvider.
Since the JettyConnectorProvider does not support/propagate the hostname
verifier provided through the Jersey "Client.hostnameVerifier()" method,
we are attempting to pass the Hostname Verifier by creating a Jetty
SslContextFactory, explicitly creating a Jetty HttpClient using this
SslContextFactory, and then registering this HttpClient on the
javax.ws.rs.Client using a JettyHttpClientSupplier:

    final SSLContext sslContext = client.getSslContext(); // client is javax.ws.rs.Client
    final SslContextFactory sslContextFactory = new SslContextFactory.Client();
    sslContextFactory.setSslContext(sslContext);
    if (disableHostnameValidation) {
        sslContextFactory.hostnameVerifier((hostname, sslSession) -> true);
    }
    final HttpClient httpClient = new HttpClient(sslContextFactory);
    client.register(new JettyHttpClientSupplier(httpClient));

Question 1: is this expected to work? In our testing, this had no
effect, we still received the CertificateExceptions related to the
Subject Alternative Name list not containing a DNS entry for the
hostname that was used in the URL.
As an alternative to the above, we replaced the
"sslContextFactory.hostnameVerifier()" call with:
sslContextFactory.setEndpointIdentificationAlgorithm(null);
With this change, we did not receive the CertificateExceptions anymore.
Question 2: we are worried that this doesn't only disable the hostname
check, but /also/ disables the check if the certificate was issued by a
trusted CA. Can somebody please confirm/clarify if this call only
affects the hostname check, or that it basically disables ALL trust
checking on the server certificate?
Kind regards, Maarten
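
An added example, not part of the original message and not Jetty or Jersey project code: a narrower alternative to an accept-everything verifier, which turns off only the JDK's built-in name check and replaces it with an explicit allowlist of certificate names per URL host. It assumes Java 9+ and a Jetty 9.4 release whose SslContextFactory offers setHostnameVerifier and consults it after the handshake; the class name, the EXPECTED map and its host and DNS name are constructed for illustration.

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLPeerUnverifiedException;
import org.eclipse.jetty.client.HttpClient;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public final class PinnedNameClient {
    // Constructed sample: URL host -> lower-case DNS names accepted in the server certificate.
    static final Map<String, Set<String>> EXPECTED =
        Map.of("10.0.0.5", Set.of("backend.internal.example"));

    // Accepts a session only if the leaf certificate has an expected dNSName SAN (exact match).
    static final HostnameVerifier PINNED = (host, session) -> {
        Set<String> allowed = EXPECTED.get(host);
        if (allowed == null) return false; // unknown host: fail closed
        try {
            X509Certificate leaf = (X509Certificate) session.getPeerCertificates()[0];
            Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
            if (sans == null) return false; // no SAN extension: reject
            for (List<?> san : sans) {
                // Each entry is [type, value]; GeneralName type 2 is dNSName.
                if (Integer.valueOf(2).equals(san.get(0))
                        && allowed.contains(String.valueOf(san.get(1)).toLowerCase(Locale.ROOT))) {
                    return true;
                }
            }
        } catch (SSLPeerUnverifiedException | CertificateParsingException | ClassCastException e) {
            return false; // no usable peer certificate: reject
        }
        return false;
    };

    // Builds a Jetty HttpClient on top of an existing SSLContext (hypothetical helper).
    static HttpClient build(SSLContext sslContext) {
        SslContextFactory.Client ssl = new SslContextFactory.Client(); // trustAll stays false
        ssl.setSslContext(sslContext); // its TrustManagers still validate the certificate chain
        ssl.setEndpointIdentificationAlgorithm(null); // skip only the JDK's hostname matching
        ssl.setHostnameVerifier(PINNED); // assumption: invoked by Jetty once the handshake completes
        return new HttpClient(ssl);
    }
}
```

The returned client can be registered with JettyHttpClientSupplier as in the snippet above.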