[jetty-users] Jetty HttpClient 9.4.44, Jersey Client 2.36, Hostname Verifier


We have an application that uses the Jersey (2.36) class to make HTTP(S) requests. We have a requirement to disable the Hostname Verification for HTTPS connections.

Depending on the context, we can back this class by different providers, one being the Jetty HttpClient, through the Jersey JettyConnectorProvider.

Since the JettyConnectorProvider does not support/propagate the hostname verifier provided through the Jersey "Client.hostnameVerifier()" method, we are attempting to pass the Hostname Verifier by creating a Jetty SslContextFactory, explicitly creating a Jetty HttpClient using this SslContextFactory, and then registering this HttpClient on the using a JettyHttpClientSupplier:

final SSLContext sslContext = client.getSslContext(); // client is
final SslContextFactory sslContextFactory = new SslContextFactory.Client();

if (disableHostnameValidation) {
    sslContextFactory.hostnameVerifier((hostname, sslSession) -> true);
}

final HttpClient httpClient = new HttpClient(sslContextFactory);
client.register(new JettyHttpClientSupplier(httpClient));

Question 1: is this expected to work? In our testing, this had no effect; we still received the CertificateExceptions related to the Subject Alternative Name list not containing a DNS entry for the hostname that was used in the URL.

As an alternative to the above, we replace the "sslContextFactory.hostnameVerifier()" call with:


With this change, we did not receive the CertificateExceptions anymore.

Question 2: we are worried that this doesn't only disable the hostname check, but also disables the check if the certificate was issued by a trusted CA. Can somebody please confirm/clarify if this call only affects the hostname check, or that it basically disables ALL trust checking on the server certificate?

Kind regards, Maarten
