[jersey-dev] [2.30.1] HostnameVerifier with ApacheConnector - SSLPeerUnverifiedException?
Hi,
I'm setting up my Client with NoopHostnameVerifier expecting the
hostname not to be verified against the server cert SAN (see code at
the bottom).
When I check getHostnameVerifier() of the Client instance, I get
HostnameVerifier -- as expected.
But at the same time I'm getting such exceptions:
javax.ws.rs.ProcessingException:
javax.net.ssl.SSLPeerUnverifiedException: Certificate for <nginx>
doesn't match any of the subject alternative names:
[kg.opendatahub.***.it]
I traced the cause to
org.apache.http.conn.ssl.SSLConnectionSocketFactory::verifyHostname
where I can inspect that this.hostnameVerifier is
DefaultHostnameVerifier, not the NoopHostnameVerifier.
How does this happen? Am I setting it up wrong? Or maybe there have
been bugs in this area?
Thanks.
// code
    SSLContext ctx = SSLContext.getInstance("SSL");
    ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

    Registry<ConnectionSocketFactory> socketFactoryRegistry =
        RegistryBuilder.<ConnectionSocketFactory>create().
            register("https", new SSLConnectionSocketFactory(ctx)).
            register("http", new PlainConnectionSocketFactory()).
            build();

    // https://github.com/eclipse-ee4j/jersey/issues/4449
    PoolingHttpClientConnectionManager conman =
        new PoolingHttpClientConnectionManager(socketFactoryRegistry)
    {
        @Override
        public void close()
        {
            super.shutdown();
        }

        @Override
        public void shutdown()
        {
            // Disable shutdown of the pool. This will be done later, when this factory is closed
            // This is a workaround for finalize method on jerseys ClientRuntime which
            // closes the client and shuts down the connection pool when it is garbage collected
        }
    };
    if (maxConnPerRoute != null) conman.setDefaultMaxPerRoute(maxConnPerRoute);
    if (maxTotalConn != null) conman.setMaxTotal(maxTotalConn);

    ClientConfig config = new ClientConfig();
    config.connectorProvider(new ApacheConnectorProvider());
    config.register(MultiPartFeature.class);
    ...
    config.property(ClientProperties.FOLLOW_REDIRECTS, true);
    config.property(ApacheClientProperties.CONNECTION_MANAGER, conman);
    if (keepAliveStrategy != null)
        config.property(ApacheClientProperties.KEEPALIVE_STRATEGY, keepAliveStrategy);

    return ClientBuilder.newBuilder().
        withConfig(config).
        sslContext(ctx).
        hostnameVerifier(NoopHostnameVerifier.INSTANCE).
        build();
// end
Martynas
atomgraph.com
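
Added example, not part of the original post and not Jersey or Apache project code: in Apache HttpClient 4.x the one-argument SSLConnectionSocketFactory(SSLContext) constructor installs the default hostname verifier, so the verifier that verifyHostname() consults for a caller-built registry is the one given to the two-argument constructor. The sketch passes a verifier that accepts one expected certificate name for one connect host instead of switching verification off; the class name, EXPECTED_CERT_NAME and the use of SSLContext.getDefault() are assumptions made for illustration.

```java
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import org.apache.http.config.Registry;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.conn.socket.ConnectionSocketFactory;
import org.apache.http.conn.socket.PlainConnectionSocketFactory;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;

public class VerifierOnSocketFactory {
    // Host name the client connects to, as it appears in the post's exception message.
    static final String CONNECT_HOST = "nginx";
    // Placeholder (constructed) for the name the server certificate is issued for.
    static final String EXPECTED_CERT_NAME = "service.example.org";

    /** Accepts CONNECT_HOST only when the peer certificate matches EXPECTED_CERT_NAME. */
    static HostnameVerifier expectedNameVerifier() {
        HostnameVerifier standard = new DefaultHostnameVerifier();
        return (hostname, session) ->
            CONNECT_HOST.equals(hostname) && standard.verify(EXPECTED_CERT_NAME, session);
    }

    /** Builds a pool whose "https" socket factory carries the given verifier. */
    static PoolingHttpClientConnectionManager connectionManager(SSLContext ctx,
                                                                HostnameVerifier verifier) {
        Registry<ConnectionSocketFactory> registry =
            RegistryBuilder.<ConnectionSocketFactory>create()
                // Two-argument constructor: this verifier is the one verifyHostname() calls.
                .register("https", new SSLConnectionSocketFactory(ctx, verifier))
                .register("http", PlainConnectionSocketFactory.getSocketFactory())
                .build();
        return new PoolingHttpClientConnectionManager(registry);
    }

    public static void main(String[] args) throws Exception {
        // Assumption: default JDK context stands in for the post's key/trust-store context.
        SSLContext ctx = SSLContext.getDefault();
        try (PoolingHttpClientConnectionManager conman =
                 connectionManager(ctx, expectedNameVerifier())) {
            System.out.println("pool ready, max total = " + conman.getMaxTotal());
        }
    }
}
```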