[jetty-users] Jetty HttpClient 9.4.44, Jersey Client 2.36, Hostname Verifier
Hi,
We have an application that uses the Jersey (2.36)
javax.ws.rs.Client class to make HTTP(S) requests. We have a
requirement to disable the Hostname Verification for HTTPS
connections.
Depending on the context, we can back this javax.ws.rs.Client
class by different providers, one being the Jetty HttpClient,
through the Jersey JettyConnectorProvider.
Since the JettyConnectorProvider does not support/propagate the
hostname verifier provided through the Jersey
"Client.hostnameVerifier()" method, we are attempting to pass the
Hostname Verifier by creating a Jetty SslContextFactory,
explicitly creating a Jetty HttpClient using this
SslContextFactory, and then registering this HttpClient on the
javax.ws.rs.Client using a JettyHttpClientSupplier:
    import javax.net.ssl.SSLContext;
    import org.eclipse.jetty.client.HttpClient;
    import org.eclipse.jetty.util.ssl.SslContextFactory;
    import org.glassfish.jersey.jetty.connector.JettyHttpClientSupplier;

    // client is javax.ws.rs.Client
    final SSLContext sslContext = client.getSslContext();
    final SslContextFactory sslContextFactory = new SslContextFactory.Client();
    sslContextFactory.setSslContext(sslContext);
    if (disableHostnameValidation) {
        // Jetty 9.4 setter for the client-side HostnameVerifier
        sslContextFactory.setHostnameVerifier((hostname, sslSession) -> true);
    }
    final HttpClient httpClient = new HttpClient(sslContextFactory);
    client.register(new JettyHttpClientSupplier(httpClient));
Question 1: is this expected to work? In our testing, this had no
effect; we still received the CertificateExceptions related to the
Subject Alternative Name list not containing a DNS entry for the
hostname that was used in the URL.
As an alternative to the above, we replaced the
"sslContextFactory.hostnameVerifier()" call with:

    sslContextFactory.setEndpointIdentificationAlgorithm(null);

With this change, we did not receive the CertificateExceptions
anymore.
Question 2: we are worried that this doesn't only disable the
hostname check, but also disables the check that the
certificate was issued by a trusted CA. Can somebody please
confirm/clarify whether this call only affects the hostname check, or
whether it basically disables ALL trust checking on the server
certificate?
Kind regards, Maarten
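Added example, not from the post above or from the Jetty or Jersey projects: instead of a HostnameVerifier that returns true for every host, a verifier that exempts only an explicit set of hosts from the hostname check, and records the peer certificate subject whenever it does so. It assumes that Jetty 9.4's HttpClient consults the SslContextFactory.Client verifier after the TLS handshake and that the JDK's own "HTTPS" endpoint identification has to be switched off for that verifier to be reached (the class name, the exempt-host set and the logging destination are choices made for this example); the trust store configuration is deliberately left at its defaults.

```java
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import org.eclipse.jetty.client.HttpClient;
import org.eclipse.jetty.util.ssl.SslContextFactory;

/** HostnameVerifier that bypasses the hostname check only for an allow-list of hosts. */
public final class RestrictedHostnameVerifier implements HostnameVerifier {
    // Hosts whose certificate SANs are known not to match the URL hostname (constructed values).
    private final Set<String> exemptHosts;

    public RestrictedHostnameVerifier(Set<String> exemptHosts) {
        this.exemptHosts = Collections.unmodifiableSet(new HashSet<>(exemptHosts));
    }

    @Override
    public boolean verify(String hostname, SSLSession session) {
        if (!exemptHosts.contains(hostname)) {
            return false; // every other host keeps strict hostname checking
        }
        try {
            Certificate[] chain = session.getPeerCertificates();
            X509Certificate leaf = (X509Certificate) chain[0];
            // Leave an audit trail of every bypass and of which certificate was accepted.
            System.err.println("hostname check bypassed for " + hostname
                + "; peer subject=" + leaf.getSubjectX500Principal());
            return true;
        } catch (SSLPeerUnverifiedException e) {
            return false; // no authenticated peer certificate: never bypass
        }
    }

    /** Builds a Jetty 9.4 HttpClient that uses this verifier; hypothetical helper. */
    public static HttpClient newHttpClient(Set<String> exemptHosts) throws Exception {
        SslContextFactory.Client sslContextFactory = new SslContextFactory.Client();
        // Assumption: with "HTTPS" endpoint identification on, a SAN mismatch fails inside the
        // JDK handshake before any HostnameVerifier runs, so it is turned off here and the
        // hostname decision is delegated to RestrictedHostnameVerifier. Trust store: default.
        sslContextFactory.setEndpointIdentificationAlgorithm(null);
        sslContextFactory.setHostnameVerifier(new RestrictedHostnameVerifier(exemptHosts));
        HttpClient httpClient = new HttpClient(sslContextFactory);
        httpClient.start();
        return httpClient;
    }
}
```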