Re: Disabling hostname verification on websockets in Tomcat 8+

Fri, 26 May 2023 03:24:00 -0700 

On 25/05/2023 22:52, V User wrote:


The how-to on websockets (
https://tomcat.apache.org/tomcat-9.0-doc/web-socket-howto.html) says that
you can bypass hostname verification with a custom TrustManager: "For
secure server endpoints, host name verification is enabled by default. To
bypass this verification (not recommended), it is necessary to provide a
custom SSLContext via the org.apache.tomcat.websocket.SSL_CONTEXT user
property. The custom SSLContext must be configured with a custom
TrustManager that extends javax.net.ssl.X509ExtendedTrustManager. The
desired verification (or lack of verification) can then be controlled by
appropriate implementations of the individual abstract methods."



I have just confirmed that a custom trust manager that extends 
X509ExtendedTrustManager and provides NO-OPs implementations for all 
abstract methods works as expected with Java 8 (Temurin build 
1.8.0_362-b09) and OpenJDK 21 EA build 24.



I did a trial using an "accept everything" TrustManager, but was still
seeing the same errors. Poking around with a debugger, it seems like the
JSSE "AbstractTrustManagerWrapper" runs the configured TrustManager checks,
and then runs its own "additional" checks, which is where things are
failing (
https://github.com/JetBrains/jdk8u_jdk/blob/94318f9185757cc33d2b8d527d36be26ac6b7582/src/share/classes/sun/security/ssl/SSLContextImpl.java#L1097).
In particular, it seems like if the identity algorithm returned by
"getEndpointIdentificationAlgorithm" is non-null, it runs some identity
checks using X509TrustManagerImpl, regardless of what custom TrustManager
was set by the end user. I also found this Stackoverflow question:
https://stackoverflow.com/questions/51244136/tomcat-websocket-disable-hostname-verification,
which led me to this hardcoded parameter in WsWebSocketContainer:
https://github.com/apache/tomcat/blob/db0c10ea25cc8984f72d700ea48f32aadc2fe2f4/java/org/apache/tomcat/websocket/WsWebSocketContainer.java#L928
.

So, it seems to me that while you can disable *certificate* verification by
setting a custom TrustManager, you cannot disable *hostname* verification.
Is that correct, or am I missing some other option or parameter?


Looks like you are missing something.


I suggest you provide the source code for a simple test case that fails 
for you.


Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org























					Reply via email to