Hi,

On Mon, Mar 13, 2023 at 8:31 AM Maarten Boekhold <[email protected]> wrote:
>
> Hi,
>
> We have an application that uses the Jersey (2.36) javax.ws.rs.Client class
> to make HTTP(S) requests. We have a requirement to disable the Hostname
> Verification for HTTPS connections.
>
> Depending on the context, we can back this javax.ws.rs.Client class by
> different providers, one being the Jetty HttpClient, through the Jersey
> JettyConnectorProvider.
>
> Since the JettyConnectorProvider does not support/propagate the hostname
> verifier provided through the Jersey "Client.hostnameVerifier()" method, we
> are attempting to pass the Hostname Verifier by creating a Jetty
> SslContextFactory, explicitly creating a Jetty HttpClient using this
> SslContextFactory, and then registering this HttpClient on the
> javax.ws.rs.Client using a JettyHttpClientSupplier:
>
> final SSLContext sslContext = client.getSslContext(); // client is javax.ws.rs.Client
> final SslContextFactory sslContextFactory = new SslContextFactory.Client();
> sslContextFactory.setSslContext(sslContext);
>
> if (disableHostnameValidation) {
>     sslContextFactory.hostnameVerifier((hostname, sslSession) -> true);
> }
>
> final HttpClient httpClient = new HttpClient(sslContextFactory);
> client.register(new JettyHttpClientSupplier(httpClient));
>
> Question 1: is this expected to work? In our testing, this had no effect, we
> still received the CertificateExceptions related to the Subject Alternative
> Name list not containing a DNS entry for the hostname that was used in the
> URL.
See https://www.eclipse.org/jetty/documentation/jetty-11/programming-guide/index.html#pg-client-http-configuration-tls.
It works when you disable the EndpointIdentificationAlgorithm.

> As an alternative to the above, we replace the
> "sslContextFactory.hostnameVerifier()" call with:
>
> sslContextFactory.setEndpointIdentificationAlgorithm(null);
>
> With this change, we did not receive the CertificateExceptions anymore.
>
> Question 2: we are worried that this doesn't only disable the hostname check,
> but also disables the check if the certificate was issued by a trusted CA.

That is not the case, at least for the OpenJDK implementation.

I recommend that if you need to do custom server name checks, you set
EndpointIdentificationAlgorithm=null, *but* you set the hostnameVerifier, and
verify that the server name is what you expect.

Otherwise, an attacker can intercept your traffic, send down a CA-signed
certificate for "evil.com", and if you don't verify the hostName you're now
connected to evil.com.

--
Simone Bordet
----
http://cometd.org
http://webtide.com
Developer advice, training, services and support
from the Jetty & CometD experts.
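A concrete form of that recommendation, added here as an example rather than code from the thread or from Jetty itself: JSSE endpoint identification is switched off, CA trust still comes from the existing SSLContext, and the name check is replaced by a HostnameVerifier that accepts the connection only if the leaf certificate carries a dNSName SAN from an explicit allow-list. Assumptions: the Jetty 10/11 ClientConnector wiring, lowercase names in the allow-list, and exact matching with no wildcard handling.

```java
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLPeerUnverifiedException;
import org.eclipse.jetty.client.HttpClient;
import org.eclipse.jetty.client.http.HttpClientTransportOverHTTP;
import org.eclipse.jetty.io.ClientConnector;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public final class PinnedNameHttpClient {
    /** Accepts only if the peer's leaf certificate has a dNSName SAN in the allow-list (assumed lowercase). */
    static HostnameVerifier sanAllowListVerifier(Set<String> allowedNames) {
        return (hostname, session) -> {
            try {
                Certificate[] chain = session.getPeerCertificates();
                if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) return false;
                Collection<List<?>> sans = ((X509Certificate) chain[0]).getSubjectAlternativeNames();
                if (sans == null) return false;
                for (List<?> san : sans) {
                    // GeneralName type 2 is dNSName; exact, case-insensitive match, no wildcards
                    if (Integer.valueOf(2).equals(san.get(0)) && san.get(1) instanceof String
                            && allowedNames.contains(((String) san.get(1)).toLowerCase(Locale.ROOT))) {
                        return true;
                    }
                }
                return false;
            } catch (SSLPeerUnverifiedException | CertificateParsingException e) {
                return false; // no verified peer identity means no connection
            }
        };
    }

    static HttpClient build(SSLContext sslContext, Set<String> allowedNames) throws Exception {
        SslContextFactory.Client ssl = new SslContextFactory.Client();
        ssl.setSslContext(sslContext);                 // chain/CA validation still comes from here
        ssl.setEndpointIdentificationAlgorithm(null);  // only the JSSE host name check is disabled
        ssl.setHostnameVerifier(sanAllowListVerifier(allowedNames)); // replacement name check
        ClientConnector connector = new ClientConnector();           // Jetty 10/11 wiring (assumed)
        connector.setSslContextFactory(ssl);
        HttpClient httpClient = new HttpClient(new HttpClientTransportOverHTTP(connector));
        httpClient.start();
        return httpClient;
    }
}
```

The returned HttpClient is registered with Jersey through JettyHttpClientSupplier as in the question; a verifier that returns true unconditionally, as in the first snippet there, is exactly what lets the CA-signed "evil.com" certificate through.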
