Do yourself a favor and understand the changes to the JVM when it comes to supporting localhost / loopback / ip-literals with TLS.
Eg: Newer JVMs do not support TLS on those kinds of endpoints.

Joakim Erdfelt / [email protected]

On Mon, Mar 13, 2023 at 7:07 AM Maarten Boekhold <[email protected]> wrote:
> Hi Simone, (apologies for replying to you one-on-one the first time),
> Thanks for your response.
>
> On 13/03/2023 14:18, Simone Bordet wrote:
> > See
> > https://www.eclipse.org/jetty/documentation/jetty-11/programming-guide/index.html#pg-client-http-configuration-tls.
> >
> > It works when you disable the EndpointIdentificationAlgorithm.
> >
> > ...
> >
> > > As an alternative to the above, we replace the
> > > "sslContextFactory.hostnameVerifier()" call with:
> > >
> > > sslContextFactory.setEndpointIdentificationAlgorithm(null);
> > >
> > > With this change, we did not receive the CertificateExceptions anymore.
> > >
> > > Question 2: we are worried that this doesn't only disable the hostname check,
> > > but also disables the check if the certificate was issued by a trusted CA.
> >
> > That is not the case, at least for the OpenJDK implementation.
> >
> > I recommend that if you need to do custom server name checks, you set
> > EndpointIdentificationAlgorithm=null, *but* you set the
> > hostnameVerifier, and verify that the server name is what you expect.
>
> This is actually what led us to this second question. The documentation
> says:
>
> However, requests made to sites (typically localhost) that have an invalid
> (for example, expired or with a wrong host) or self-signed certificate will
> fail (like they will in a browser).
>
> Certificate validation is performed at two levels: at the TLS
> implementation level (in the JDK) and, optionally, at the application level.
>
> By default, certificate validation at the TLS level is enabled, while
> certificate validation at the application level is disabled.
>
> You can configure the SslContextFactory.Client to skip certificate
> validation at the TLS level:
>
> This seems to suggest that disabling the endpoint identification *also*
> disables checks on the certificate such as expiration date and CA
> signatory.
>
> Regards, Maarten
>
> _______________________________________________
> jetty-users mailing list
> [email protected]
> To unsubscribe from this list, visit
> https://www.eclipse.org/mailman/listinfo/jetty-users
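As an added example (not code from the thread or from the Jetty project), this is the configuration Simone recommends above, written against Jetty 11's SslContextFactory.Client and ClientConnector: endpoint identification is set to null, the trust store still drives TLS-level chain validation, and an application-level HostnameVerifier checks that the expected name appears in the leaf certificate's Subject Alternative Names instead of returning true unconditionally. The class name LoopbackTlsClient, the methods expecting/build, and the trust store path, password and expectedName arguments are assumptions.

```java
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLPeerUnverifiedException;
import org.eclipse.jetty.client.HttpClient;
import org.eclipse.jetty.client.dynamic.HttpClientTransportDynamic;
import org.eclipse.jetty.io.ClientConnector;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class LoopbackTlsClient { // assumed class name, not from Jetty or the thread

    // Application-level name check: accept the peer only if its leaf certificate
    // carries the expected name as a Subject Alternative Name (dNSName = 2, iPAddress = 7).
    static HostnameVerifier expecting(String expectedName) {
        return (hostname, session) -> {
            try {
                // The chain has already been validated against the trust store by the JDK trust manager.
                Certificate[] chain = session.getPeerCertificates();
                X509Certificate leaf = (X509Certificate) chain[0];
                Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
                if (sans == null) return false;
                for (List<?> san : sans) {
                    int type = (Integer) san.get(0);
                    if ((type == 2 || type == 7) && expectedName.equalsIgnoreCase(String.valueOf(san.get(1))))
                        return true;
                }
                return false; // no matching SAN: reject rather than silently accept
            } catch (SSLPeerUnverifiedException | CertificateParsingException e) {
                return false;
            }
        };
    }

    static HttpClient build(String trustStorePath, String trustStorePassword, String expectedName) throws Exception {
        SslContextFactory.Client ssl = new SslContextFactory.Client();
        ssl.setTrustStorePath(trustStorePath);            // TLS-level validation stays on: chain must lead to a CA here
        ssl.setTrustStorePassword(trustStorePassword);
        ssl.setTrustAll(false);                           // trustAll would skip the chain check; keep it off
        ssl.setEndpointIdentificationAlgorithm(null);     // turn off only the JDK's HTTPS name matching ...
        ssl.setHostnameVerifier(expecting(expectedName)); // ... and replace it with the explicit check above
        ClientConnector connector = new ClientConnector();
        connector.setSslContextFactory(ssl);
        HttpClient client = new HttpClient(new HttpClientTransportDynamic(connector));
        client.start();
        return client;
    }
}
```

With a self-signed or expired certificate the connection still fails at the TLS level; only the name-matching step moves from the JDK into the verifier.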
