Re: [jetty-users] Jetty HttpClient 9.4.44, Jersey Client 2.36, Hostname Verifier


On Mon, Mar 13, 2023 at 8:31 AM Maarten Boekhold <boekhold@xxxxxxx> wrote:
> Hi,
> We have an application that uses the Jersey (2.36) class to make HTTP(S) requests. We have a requirement to disable the Hostname Verification for HTTPS connections.
> Depending on the context, we can back this class by different providers, one being the Jetty HttpClient, through the Jersey JettyConnectorProvider.
> Since the JettyConnectorProvider does not support/propagate the hostname verifier provided through the Jersey "Client.hostnameVerifier()" method, we are attempting to pass the Hostname Verifier by creating a Jetty SslContextFactory, explicitly creating a Jetty HttpClient using this SslContextFactory, and then registering this HttpClient on the using a JettyHttpClientSupplier:
> final SSLContext sslContext = client.getSslContext(); // client is
> final SslContextFactory sslContextFactory = new SslContextFactory.Client();
> sslContextFactory.setSslContext(sslContext);
> if (disableHostnameValidation) {
>     sslContextFactory.hostnameVerifier((hostname, sslSession) -> true);
> }
> final HttpClient httpClient = new HttpClient(sslContextFactory);
> client.register(new JettyHttpClientSupplier(httpClient));
> Question 1: is this expected to work? In our testing, this had no effect, we still received the CertificateExceptions related to the Subject Alternative Name list not containing a DNS entry for the hostname that was used in the URL.


It works when you disable the EndpointIdentificationAlgorithm.

> As an alternative to the above, we replace the "sslContextFactory.hostnameVerifier()" call with:
> sslContextFactory.setEndpointIdentificationAlgorithm(null);
> With this change, we did not receive the CertificateExceptions anymore.
> Question 2: we are worried that this doesn't only disable the hostname check, but also disables the check if the certificate was issued by a trusted CA.

That is not the case, at least for the OpenJDK implementation.

I recommend that if you need to do custom server name checks, you set
EndpointIdentificationAlgorithm=null, *but* you set the
hostnameVerifier, and verify that the server name is what you expect.

Otherwise, an attacker can intercept your traffic, send down a
CA-signed certificate for "", and if you don't verify the
hostName you're now connected to

Simone Bordet
Developer advice, training, services and support
from the Jetty & CometD experts.
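Added example (not from the thread and not Jetty's own code) of the pattern recommended above: the JDK's endpoint identification is switched off, but a verifier is installed that checks the server certificate's SAN dNSName entries against the name the caller actually expects. It assumes the Jetty 9.4 setters setEndpointIdentificationAlgorithm and setHostnameVerifier on SslContextFactory.Client, and a hypothetical expectedName supplied by the caller; CA trust-chain validation is still done by the JDK trust manager and is untouched here.

```java
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSession;
import org.eclipse.jetty.client.HttpClient;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public final class ExpectedNameVerifier implements HostnameVerifier {
    private static final int SAN_DNS_NAME = 2; // GeneralName tag for dNSName
    private final String expectedName;         // hypothetical: what the caller expects

    public ExpectedNameVerifier(String expectedName) {
        this.expectedName = expectedName.toLowerCase(Locale.ROOT);
    }

    // Jetty passes the host from the URL; it is ignored on purpose and the
    // leaf certificate's SAN list is compared with the expected name instead.
    // Exact match only: wildcard SANs are deliberately not accepted.
    @Override
    public boolean verify(String urlHostname, SSLSession session) {
        try {
            Certificate[] chain = session.getPeerCertificates();
            if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
                return false;
            }
            Collection<List<?>> sans = ((X509Certificate) chain[0]).getSubjectAlternativeNames();
            if (sans == null) {
                return false; // no SAN extension: nothing to pin against
            }
            for (List<?> san : sans) {
                if ((Integer) san.get(0) == SAN_DNS_NAME
                        && expectedName.equals(((String) san.get(1)).toLowerCase(Locale.ROOT))) {
                    return true;
                }
            }
            return false;
        } catch (Exception e) { // SSLPeerUnverifiedException, CertificateParsingException
            return false;      // fail closed: an unverifiable peer is rejected
        }
    }

    public static HttpClient newClient(String expectedName) {
        SslContextFactory.Client ssl = new SslContextFactory.Client();
        ssl.setEndpointIdentificationAlgorithm(null);                   // JDK stops matching URL host vs cert
        ssl.setHostnameVerifier(new ExpectedNameVerifier(expectedName)); // ...so this verifier does it
        return new HttpClient(ssl);
    }
}
```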
