[jersey-dev] [2.30.1] HostnameVerifier with ApacheConnector - SSLPeerUnverifiedException?

Hi,

I'm setting up my Client with NoopHostnameVerifier expecting the
hostname not to be verified against the server cert SAN (see code at
the bottom).

When I check getHostnameVerifier() of the Client instance, I get
HostnameVerifier -- as expected.

But at the same time I'm getting such exceptions:

    javax.ws.rs.ProcessingException: javax.net.ssl.SSLPeerUnverifiedException:
    Certificate for <nginx> doesn't match any of the subject alternative names:
    [kg.opendatahub.***.it]

I traced the cause to
org.apache.http.conn.ssl.SSLConnectionSocketFactory::verifyHostname
where I can inspect that this.hostnameVerifier is
DefaultHostnameVerifier, not the NoopHostnameVerifier.

How does this happen? Am I setting it up wrong? Or maybe there have
been bugs in this area?

Thanks.

    // code

        SSLContext ctx = SSLContext.getInstance("SSL");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

        Registry<ConnectionSocketFactory> socketFactoryRegistry = RegistryBuilder.<ConnectionSocketFactory>create().
            register("https", new SSLConnectionSocketFactory(ctx)).
            register("http", new PlainConnectionSocketFactory()).
            build();

        // https://github.com/eclipse-ee4j/jersey/issues/4449
        PoolingHttpClientConnectionManager conman = new PoolingHttpClientConnectionManager(socketFactoryRegistry)
        {

            @Override
            public void close()
            {
                super.shutdown();
            }

            @Override
            public void shutdown()
            {
                // Disable shutdown of the pool. This will be done later, when this factory is closed
                // This is a workaround for finalize method on jerseys ClientRuntime which
                // closes the client and shuts down the connection pool when it is garbage collected
            }

        };
        if (maxConnPerRoute != null) conman.setDefaultMaxPerRoute(maxConnPerRoute);
        if (maxTotalConn != null) conman.setMaxTotal(maxTotalConn);

        ClientConfig config = new ClientConfig();
        config.connectorProvider(new ApacheConnectorProvider());
        config.register(MultiPartFeature.class);
        ...
        config.property(ClientProperties.FOLLOW_REDIRECTS, true);
        config.property(ApacheClientProperties.CONNECTION_MANAGER, conman);
        if (keepAliveStrategy != null) config.property(ApacheClientProperties.KEEPALIVE_STRATEGY, keepAliveStrategy);

        return ClientBuilder.newBuilder().
            withConfig(config).
            sslContext(ctx).
            hostnameVerifier(NoopHostnameVerifier.INSTANCE).
            build();

    // end

Martynas
atomgraph.com
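An added example to make the verifier chain observable; it is not code from the post or from the Jersey project. The trace in the post shows `SSLConnectionSocketFactory.verifyHostname` running with a `DefaultHostnameVerifier`: in HttpClient 4.4+ the one-argument `SSLConnectionSocketFactory(SSLContext)` constructor installs `DefaultHostnameVerifier` itself, and when a connection manager is supplied through `ApacheClientProperties.CONNECTION_MANAGER` the connector uses the socket factory registry inside that manager, so the verifier given to `ClientBuilder.hostnameVerifier(...)` never reaches the Apache layer. The example passes the verifier to the two-argument factory constructor instead and wraps it in a small tracing class so that a test run shows which verifier actually ran and for which host. `TracingHostnameVerifier`, `buildClient` and the `example.invalid` placeholder URL are assumptions of this example; the Jersey and HttpClient classes are the ones the post already uses. Hostname verification stays on (the delegate is `DefaultHostnameVerifier`); whatever verifier is handed to that constructor is the one that runs.

```java
import java.util.concurrent.atomic.AtomicReference;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;

import org.apache.http.config.Registry;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.conn.socket.ConnectionSocketFactory;
import org.apache.http.conn.socket.PlainConnectionSocketFactory;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
import org.glassfish.jersey.apache.connector.ApacheClientProperties;
import org.glassfish.jersey.apache.connector.ApacheConnectorProvider;
import org.glassfish.jersey.client.ClientConfig;

public class TracingVerifierExample {

    /** Hypothetical wrapper: records which host was checked, then delegates to the real verifier. */
    static final class TracingHostnameVerifier implements HostnameVerifier {
        private final HostnameVerifier delegate;
        final AtomicReference<String> lastHostChecked = new AtomicReference<>();

        TracingHostnameVerifier(HostnameVerifier delegate) {
            this.delegate = delegate;
        }

        @Override
        public boolean verify(String hostname, SSLSession session) {
            lastHostChecked.set(hostname);
            System.err.println("hostname verification for " + hostname
                    + " delegated to " + delegate.getClass().getSimpleName());
            return delegate.verify(hostname, session);
        }
    }

    /** Builds a Jersey client whose Apache socket factory carries the given verifier explicitly. */
    static Client buildClient(SSLContext ctx, HostnameVerifier verifier) {
        // Two-argument constructor: this verifier is the one verifyHostname() will consult.
        // The one-argument form would install DefaultHostnameVerifier regardless of ClientBuilder.
        Registry<ConnectionSocketFactory> registry = RegistryBuilder.<ConnectionSocketFactory>create()
                .register("https", new SSLConnectionSocketFactory(ctx, verifier))
                .register("http", PlainConnectionSocketFactory.getSocketFactory())
                .build();
        PoolingHttpClientConnectionManager conman = new PoolingHttpClientConnectionManager(registry);

        ClientConfig config = new ClientConfig();
        config.connectorProvider(new ApacheConnectorProvider());
        // A user-supplied connection manager brings its own registry, so the verifier lives there.
        config.property(ApacheClientProperties.CONNECTION_MANAGER, conman);

        return ClientBuilder.newBuilder()
                .withConfig(config)
                .sslContext(ctx)
                .hostnameVerifier(verifier) // kept consistent with the registry, not relied upon
                .build();
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        TracingHostnameVerifier verifier = new TracingHostnameVerifier(new DefaultHostnameVerifier());
        Client client = buildClient(ctx, verifier);
        try {
            // Placeholder host; replace with the HTTPS endpoint under test.
            client.target("https://example.invalid/").request().get().close();
        } catch (Exception e) {
            System.err.println("request failed: " + e);
        } finally {
            client.close();
        }
        // Non-null here proves the verifier handed to the socket factory is the one in the chain.
        System.err.println("last host checked: " + verifier.lastHostChecked.get());
    }
}
```

If `lastHostChecked` stays null after an HTTPS request, the verifier in the chain is not the one you constructed, which is exactly the symptom in the post; if it is set and the delegate is `DefaultHostnameVerifier`, the `SSLPeerUnverifiedException` reflects a genuine SAN mismatch that should be fixed on the certificate side rather than by weakening the verifier.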

