Ah, that's it! I was using the TrustEverythingTrustManager
<https://javadoc.io/static/com.rabbitmq/amqp-client/4.12.0/com/rabbitmq/client/TrustEverythingTrustManager.html>
we had around from the rabbitmq client library, which just implements X509TrustManager,
and I didn't realize that was significantly different from X509ExtendedTrustManager.
Looks like it's working now, thanks!

On Fri, May 26, 2023 at 3:24 AM Mark Thomas <ma...@apache.org> wrote:

> On 25/05/2023 22:52, V User wrote:
>
> > The how-to on websockets (https://tomcat.apache.org/tomcat-9.0-doc/web-socket-howto.html)
> > says that you can bypass hostname verification with a custom TrustManager: "For
> > secure server endpoints, host name verification is enabled by default. To
> > bypass this verification (not recommended), it is necessary to provide a
> > custom SSLContext via the org.apache.tomcat.websocket.SSL_CONTEXT user
> > property. The custom SSLContext must be configured with a custom
> > TrustManager that extends javax.net.ssl.X509ExtendedTrustManager. The
> > desired verification (or lack of verification) can then be controlled by
> > appropriate implementations of the individual abstract methods."
>
> I have just confirmed that a custom trust manager that extends
> X509ExtendedTrustManager and provides NO-OP implementations for all
> abstract methods works as expected with Java 8 (Temurin build
> 1.8.0_362-b09) and OpenJDK 21 EA build 24.
>
> > I did a trial using an "accept everything" TrustManager, but was still
> > seeing the same errors. Poking around with a debugger, it seems like the
> > JSSE "AbstractTrustManagerWrapper" runs the configured TrustManager checks,
> > and then runs its own "additional" checks, which is where things are
> > failing
> > (<https://github.com/JetBrains/jdk8u_jdk/blob/94318f9185757cc33d2b8d527d36be26ac6b7582/src/share/classes/sun/security/ssl/SSLContextImpl.java#L1097>).
> > In particular, it seems like if the identity algorithm returned by
> > "getEndpointIdentificationAlgorithm" is non-null, it runs some identity
> > checks using X509TrustManagerImpl, regardless of what custom TrustManager
> > was set by the end user. I also found this Stackoverflow question:
> > <https://stackoverflow.com/questions/51244136/tomcat-websocket-disable-hostname-verification>,
> > which led me to this hardcoded parameter in WsWebSocketContainer:
> > <https://github.com/apache/tomcat/blob/db0c10ea25cc8984f72d700ea48f32aadc2fe2f4/java/org/apache/tomcat/websocket/WsWebSocketContainer.java#L928>.
> >
> > So, it seems to me that while you can disable *certificate* verification by
> > setting a custom TrustManager, you cannot disable *hostname* verification.
> > Is that correct, or am I missing some other option or parameter?
>
> Looks like you are missing something.
>
> I suggest you provide the source code for a simple test case that fails
> for you.
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

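An added example (not code from this thread, from RabbitMQ, or from Tomcat) of the X509ExtendedTrustManager shape the how-to asks for, written to keep verification rather than remove it: it delegates to the JDK default trust manager, so the SSLEngine overload that the websocket client handshake reaches still validates the chain and the hostname, instead of being wrapped by AbstractTrustManagerWrapper the way a plain X509TrustManager is. The class name and the jdkDefault/sslContext helpers are my own.

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

// Delegates every check to the JDK default trust manager. A plain X509TrustManager gets
// wrapped by JSSE's AbstractTrustManagerWrapper, which then runs its own identity check;
// an X509ExtendedTrustManager receives the Socket/SSLEngine overloads directly, so the
// hostname check lives in whatever those overloads do (here: the delegate's real check).
public final class DelegatingTrustManager extends X509ExtendedTrustManager {
    private final X509ExtendedTrustManager delegate;
    public DelegatingTrustManager(X509ExtendedTrustManager delegate) { this.delegate = delegate; }

    // The JDK default (sun.security.ssl.X509TrustManagerImpl) is itself an
    // X509ExtendedTrustManager and honours the endpoint identification algorithm that
    // WsWebSocketContainer sets on the SSLEngine.
    public static X509ExtendedTrustManager jdkDefault() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null -> the JDK cacerts store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509ExtendedTrustManager) return (X509ExtendedTrustManager) tm;
        }
        throw new IllegalStateException("default TrustManagerFactory gave no X509ExtendedTrustManager");
    }

    // The SSLEngine overload is the one the websocket client handshake calls; the delegate
    // validates the chain and verifies the hostname. Emptying this body is the "bypass"
    // the Tomcat how-to describes (and marks as not recommended).
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
            throws CertificateException { delegate.checkServerTrusted(chain, authType, engine); }
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket)
            throws CertificateException { delegate.checkServerTrusted(chain, authType, socket); }
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException { delegate.checkServerTrusted(chain, authType); }
    @Override public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
            throws CertificateException { delegate.checkClientTrusted(chain, authType, engine); }
    @Override public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket)
            throws CertificateException { delegate.checkClientTrusted(chain, authType, socket); }
    @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException { delegate.checkClientTrusted(chain, authType); }
    @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }

    // SSLContext to put under the org.apache.tomcat.websocket.SSL_CONTEXT user property.
    public static SSLContext sslContext() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new DelegatingTrustManager(jdkDefault()) }, null);
        return ctx;
    }
}
```

Pass `DelegatingTrustManager.sslContext()` as the SSL_CONTEXT user property on the ClientEndpointConfig; with the delegate in place, a name mismatch still fails the handshake, which is the behaviour to keep unless there is a deliberate reason to no-op one overload.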