Re: [jersey-dev] [2.30.1] HostnameVerifier with ApacheConnector - SSLPeerUnverifiedException?
I realized this is due to the custom
PoolingHttpClientConnectionManager which sets its own
SSLConnectionSocketFactory.
I passed NoopHostnameVerifier.INSTANCE directly into it and the
problem went away:
Registry<ConnectionSocketFactory> socketFactoryRegistry =
    RegistryBuilder.<ConnectionSocketFactory>create().
        register("https", new SSLConnectionSocketFactory(ctx,
            NoopHostnameVerifier.INSTANCE)).
        register("http", new PlainConnectionSocketFactory()).
        build();
Looks like ClientBuilder::hostnameVerifier has no effect in this case.
On Fri, Dec 10, 2021 at 10:36 PM Martynas Jusevičius
<martynas@xxxxxxxxxxxxx> wrote:
>
> Hi,
>
> I'm setting up my Client with NoopHostnameVerifier expecting the
> hostname not to be verified against the server cert SAN (see code at
> the bottom).
>
> When I check getHostnameVerifier() of the Client instance, I get
> HostnameVerifier -- as expected.
>
> But at the same time I'm getting such exceptions:
>
> javax.ws.rs.ProcessingException:
> javax.net.ssl.SSLPeerUnverifiedException: Certificate for <nginx>
> doesn't match any of the subject alternative names:
> [kg.opendatahub.***.it]
>
> I traced the cause to
> org.apache.http.conn.ssl.SSLConnectionSocketFactory::verifyHostname
> where I can inspect that this.hostnameVerifier is
> DefaultHostnameVerifier, not the NoopHostnameVerifier.
>
> How does this happen? Am I setting it up wrong? Or maybe there have
> been bugs in this area?
>
> Thanks.
>
> // code
>
> SSLContext ctx = SSLContext.getInstance("SSL");
> ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
>
> Registry<ConnectionSocketFactory> socketFactoryRegistry =
>     RegistryBuilder.<ConnectionSocketFactory>create().
>         register("https", new SSLConnectionSocketFactory(ctx)).
>         register("http", new PlainConnectionSocketFactory()).
>         build();
>
> // https://github.com/eclipse-ee4j/jersey/issues/4449
> PoolingHttpClientConnectionManager conman =
>     new PoolingHttpClientConnectionManager(socketFactoryRegistry)
> {
>     @Override
>     public void close()
>     {
>         super.shutdown();
>     }
>
>     @Override
>     public void shutdown()
>     {
>         // Disable shutdown of the pool. This will be done later, when this factory is closed.
>         // This is a workaround for the finalize method on Jersey's ClientRuntime, which
>         // closes the client and shuts down the connection pool when it is garbage collected.
>     }
> };
>
> if (maxConnPerRoute != null) conman.setDefaultMaxPerRoute(maxConnPerRoute);
> if (maxTotalConn != null) conman.setMaxTotal(maxTotalConn);
>
> ClientConfig config = new ClientConfig();
> config.connectorProvider(new ApacheConnectorProvider());
> config.register(MultiPartFeature.class);
> ...
> config.property(ClientProperties.FOLLOW_REDIRECTS, true);
> config.property(ApacheClientProperties.CONNECTION_MANAGER, conman);
> if (keepAliveStrategy != null)
>     config.property(ApacheClientProperties.KEEPALIVE_STRATEGY, keepAliveStrategy);
>
> return ClientBuilder.newBuilder().
>     withConfig(config).
>     sslContext(ctx).
>     hostnameVerifier(NoopHostnameVerifier.INSTANCE).
>     build();
>
> // end
>
> Martynas
> atomgraph.com
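Added example, not code from this thread or from the Jersey project. It takes the finding above (when a custom PoolingHttpClientConnectionManager is passed via ApacheClientProperties.CONNECTION_MANAGER, the HostnameVerifier that actually runs is the one given to SSLConnectionSocketFactory, and ClientBuilder::hostnameVerifier is not consulted) and shows the verifier being installed at that point. Instead of NoopHostnameVerifier it uses a small wrapper that checks the server certificate against a fixed expected name, so a service reached under an internal alias (the "<nginx>" case in the question) still has its certificate validated, while a certificate issued for any other name is rejected. The class name PinnedHostClientFactory, the wrapper ExpectedNameVerifier and the placeholder host names are my own; the Apache HttpClient 4.x and Jersey 2.x calls are the ones the thread already uses.

```java
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSession;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;

import org.apache.http.config.Registry;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.conn.socket.ConnectionSocketFactory;
import org.apache.http.conn.socket.PlainConnectionSocketFactory;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
import org.glassfish.jersey.apache.connector.ApacheClientProperties;
import org.glassfish.jersey.apache.connector.ApacheConnectorProvider;
import org.glassfish.jersey.client.ClientConfig;

/** Hypothetical factory (not part of Jersey): builds a Client whose custom
 *  connection manager carries the hostname verifier we actually want. */
public final class PinnedHostClientFactory {

    /**
     * Hypothetical verifier: ignores the name that was dialled and instead runs
     * Apache's DefaultHostnameVerifier against a fixed expected name. Use it when
     * the service is reached via an internal alias but presents a certificate for
     * its public name.
     */
    static final class ExpectedNameVerifier implements HostnameVerifier {
        private final String expectedName;
        private final DefaultHostnameVerifier delegate = new DefaultHostnameVerifier();

        ExpectedNameVerifier(String expectedName) {
            this.expectedName = expectedName;
        }

        @Override
        public boolean verify(String dialledHostname, SSLSession session) {
            try {
                // getPeerCertificates() throws SSLPeerUnverifiedException (an SSLException)
                // if the peer was not authenticated; index 0 is the server's leaf cert.
                X509Certificate leaf = (X509Certificate) session.getPeerCertificates()[0];
                // Same SAN/CN matching rules as the default, applied to the expected name.
                delegate.verify(expectedName, leaf);   // throws SSLException on mismatch
                return true;
            } catch (SSLException e) {
                return false;                          // connection is refused
            }
        }
    }

    /**
     * Builds a Jersey Client on the Apache connector. Because the connection manager
     * is supplied explicitly, the verifier must go into SSLConnectionSocketFactory;
     * ClientBuilder.hostnameVerifier(...) would be ignored here (see the thread above).
     */
    public static Client build(SSLContext ctx, HostnameVerifier verifier) {
        Registry<ConnectionSocketFactory> registry =
            RegistryBuilder.<ConnectionSocketFactory>create()
                .register("https", new SSLConnectionSocketFactory(ctx, verifier))
                .register("http", PlainConnectionSocketFactory.getSocketFactory())
                .build();

        PoolingHttpClientConnectionManager conman =
            new PoolingHttpClientConnectionManager(registry);

        ClientConfig config = new ClientConfig();
        config.connectorProvider(new ApacheConnectorProvider());
        config.property(ApacheClientProperties.CONNECTION_MANAGER, conman);

        return ClientBuilder.newBuilder()
            .withConfig(config)
            .sslContext(ctx)
            .build();
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();   // or the kmf/tmf-initialised context from the thread

        // Standard behaviour: certificate must match the name being connected to.
        Client strict = build(ctx, new DefaultHostnameVerifier());

        // Alias case: connect to "nginx" (constructed internal name) but require the
        // certificate to be valid for "api.example.test" (constructed placeholder).
        Client pinned = build(ctx, new ExpectedNameVerifier("api.example.test"));

        strict.close();
        pinned.close();
    }
}
```

Passing `new DefaultHostnameVerifier()` reproduces what the connector does when no custom connection manager is set; passing `ExpectedNameVerifier` covers the alias situation without disabling the check. Either way the decision is made in the object that Apache HttpClient consults, which is why `ClientBuilder.hostnameVerifier` had no effect in the original setup.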