Hello Tomcat user group,

I want a Tomcat servlet to connect to a secure WebSocket endpoint to exchange data with another component / server (so my Tomcat servlet is acting as a WebSocket client).
Now I would also like to do some hostname verification (verify that the host to which I am connecting matches the subject alternative name from the certificate) to prevent man-in-the-middle attacks, see also [1].

I know that it is possible to provide an SSLContext to Tomcat through user properties [2]. But a javax.net.ssl.SSLContext does not provide any configuration options for hostname verifiers, see the JavaDoc at [3], e.g. something like sslParams.setEndpointIdentificationAlgorithm("HTTPS"), as suggested by [4].

So one way to achieve this would be to patch org.apache.tomcat.websocket.WsWebSocketContainer.java in the method private SSLEngine createSSLEngine(Map<String,Object> userProperties) and introduce another user property. But maybe there are already other solutions available to achieve hostname verification in Tomcat WebSocket clients.

My code looks like this:

    import java.io.IOException;
    import java.net.URI;

    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import javax.websocket.ClientEndpointConfig;
    import javax.websocket.ContainerProvider;
    import javax.websocket.DeploymentException;
    import javax.websocket.Session;
    import javax.websocket.WebSocketContainer;

    public class MyServlet extends HttpServlet {

        final String hostname = "otherpc";

        @Override
        protected void doGet(final HttpServletRequest request, final HttpServletResponse response)
                throws ServletException, IOException {
            // JVM-wide trust store settings, picked up by the default SSLContext
            System.setProperty("javax.net.ssl.trustStorePassword", "My123456");
            System.setProperty("javax.net.ssl.trustStoreType", "PKCS12");
            System.setProperty("javax.net.ssl.trustStore", "C:\\RootCACertificate.pfx");

            final URI uri = URI.create("wss://" + hostname + ":8443/websocket");
            final WebSocketContainer container = ContainerProvider.getWebSocketContainer();
            final ClientEndpointConfig config = ClientEndpointConfig.Builder.create().build();
            try {
                // MyEndpoint is the client endpoint class (not shown here)
                final Session session = container.connectToServer(MyEndpoint.class, config, uri);
                // more stuff ....
            } catch (final DeploymentException e) {
                // connectToServer declares a checked exception that doGet cannot add to its signature
                throw new ServletException(e);
            }
        }
    }

What are your thoughts? Thank you very much for your time!

Harald.
[1] https://tersesystems.com/blog/2014/03/23/fixing-hostname-verification/
[2] https://www.mail-archive.com/users@tomcat.apache.org/msg125312.html
[3] https://docs.oracle.com/javase/7/docs/api/javax/net/ssl/SSLContext.html
[4] https://stackoverflow.com/a/18174689
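The following is an added example, not code from the original post or from Tomcat, showing one way to get the endpoint identification described above without patching WsWebSocketContainer. It wraps an ordinary SSLContext in a delegating SSLContextSpi that sets setEndpointIdentificationAlgorithm("HTTPS") on every SSLEngine it creates, and hands the wrapper to Tomcat through the org.apache.tomcat.websocket.SSL_CONTEXT user property from [2]. It assumes that Tomcat obtains its engine by calling createSSLEngine() on the supplied context with no host argument (which is why the expected host is captured in the wrapper and passed to the delegate), and that the container does not replace the engine's SSLParameters afterwards. The class and method names (HostnameVerifyingSslContext, fromPkcs12TrustStore, connect) and the trust store path are the example's own choices.

```java
import java.io.InputStream;
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.Objects;
import javax.net.ssl.*;
import javax.websocket.*;

/**
 * Added example (not Tomcat code): an SSLContext that enables JSSE endpoint
 * identification ("HTTPS", i.e. RFC 2818 matching of the peer host against the
 * certificate's subjectAltName) on every SSLEngine it creates. Assumes the
 * container calls createSSLEngine() with no host, so the expected host is
 * captured here; without a peer host the trust manager has nothing to match.
 */
public final class HostnameVerifyingSslContext extends SSLContext {

    /** Tomcat user-property key for a caller-supplied SSLContext (see [2]). */
    public static final String SSL_CONTEXT_PROPERTY = "org.apache.tomcat.websocket.SSL_CONTEXT";

    public HostnameVerifyingSslContext(SSLContext delegate, String expectedHost, int port) {
        super(new Spi(delegate, expectedHost, port), delegate.getProvider(), delegate.getProtocol());
    }

    private static final class Spi extends SSLContextSpi {
        private final SSLContext delegate;
        private final String expectedHost;
        private final int port;

        Spi(SSLContext delegate, String expectedHost, int port) {
            this.delegate = Objects.requireNonNull(delegate, "delegate");
            this.expectedHost = Objects.requireNonNull(expectedHost, "expectedHost");
            this.port = port;
        }

        @Override
        protected void engineInit(KeyManager[] km, TrustManager[] tm, SecureRandom sr)
                throws KeyManagementException {
            delegate.init(km, tm, sr);
        }

        @Override
        protected SSLEngine engineCreateSSLEngine() {
            // Host-less call (the one the container is assumed to make): supply the host ourselves.
            return withHostnameCheck(delegate.createSSLEngine(expectedHost, port));
        }

        @Override
        protected SSLEngine engineCreateSSLEngine(String host, int p) {
            return withHostnameCheck(delegate.createSSLEngine(host, p));
        }

        @Override protected SSLSocketFactory engineGetSocketFactory() { return delegate.getSocketFactory(); }
        @Override protected SSLServerSocketFactory engineGetServerSocketFactory() { return delegate.getServerSocketFactory(); }
        @Override protected SSLSessionContext engineGetServerSessionContext() { return delegate.getServerSessionContext(); }
        @Override protected SSLSessionContext engineGetClientSessionContext() { return delegate.getClientSessionContext(); }

        private static SSLEngine withHostnameCheck(SSLEngine engine) {
            engine.setUseClientMode(true);
            SSLParameters params = engine.getSSLParameters();
            // Makes the X509TrustManager reject a chain whose leaf does not match the peer host.
            params.setEndpointIdentificationAlgorithm("HTTPS");
            engine.setSSLParameters(params);
            return engine;
        }
    }

    /** Trust only the CAs in a PKCS#12 store, without touching the JVM-wide javax.net.ssl.* properties. */
    public static SSLContext fromPkcs12TrustStore(Path trustStore, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(trustStore)) {
            ks.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Usage: connect a client endpoint over wss:// with host name verification enabled. */
    public static Session connect(Class<?> endpointClass, String host, int port, String path,
                                  Path trustStore, char[] password) throws Exception {
        SSLContext verifying =
                new HostnameVerifyingSslContext(fromPkcs12TrustStore(trustStore, password), host, port);
        ClientEndpointConfig config = ClientEndpointConfig.Builder.create().build();
        config.getUserProperties().put(SSL_CONTEXT_PROPERTY, verifying);
        WebSocketContainer container = ContainerProvider.getWebSocketContainer();
        // A SAN mismatch now fails the handshake (SSLHandshakeException) instead of connecting silently.
        return container.connectToServer(endpointClass, config, URI.create("wss://" + host + ":" + port + path));
    }
}
```

Two points worth checking when using this: the host passed to connect() is the name the certificate is matched against, so it must be the same name the server's certificate was issued for (dNSName or iPAddress in the SAN); and the trust store is loaded explicitly instead of through System.setProperty, because the javax.net.ssl.* properties are JVM-wide and would change the trust anchors for every TLS client running inside the same Tomcat instance. Before relying on the wrapper, confirm in the WsWebSocketContainer of the Tomcat version in use that the supplied SSLContext is used as assumed here.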