Re: [jetty-users] Jetty HttpClient 9.4.44, Jersey Client 2.36, Hostname Verifier

Do yourself a favor and understand the changes to the JVM when it comes to supporting localhost / loopback / ip-literals with TLS.

E.g., newer JVMs do not support TLS on those kinds of endpoints.

Joakim Erdfelt / joakim@xxxxxxxxxxx


On Mon, Mar 13, 2023 at 7:07 AM Maarten Boekhold <boekhold@xxxxxxx> wrote:

Hi Simone, (apologies for replying to you one-on-one the first time),

Thanks for your response.

On 13/03/2023 14:18, Simone Bordet wrote:
> See https://www.eclipse.org/jetty/documentation/jetty-11/programming-guide/index.html#pg-client-http-configuration-tls.
> It works when you disable the EndpointIdentificationAlgorithm.
> ...

As an alternative to the above, we replaced the "sslContextFactory.hostnameVerifier()" call with:

sslContextFactory.setEndpointIdentificationAlgorithm(null);

With this change, we did not receive the CertificateExceptions anymore.

Question 2: we are worried that this doesn't only disable the hostname check, but also disables the check that the certificate was issued by a trusted CA.

> That is not the case, at least for the OpenJDK implementation.
>
> I recommend that if you need to do custom server name checks, you set
> EndpointIdentificationAlgorithm=null, *but* you set the
> hostnameVerifier, and verify that the server name is what you expect.

This is actually what led us to this second question. The documentation says:

However, requests made to sites (typically localhost) that have an invalid (for example, expired or with a wrong host) or self-signed certificate will fail (like they will in a browser).

Certificate validation is performed at two levels: at the TLS implementation level (in the JDK) and, optionally, at the application level.

By default, certificate validation at the TLS level is enabled, while certificate validation at the application level is disabled.

You can configure the SslContextFactory.Client to skip certificate validation at the TLS level:

This seems to suggest that disabling the endpoint identification *also* disables checks on the certificate such as expiration date and CA signatory.

Regards, Maarten
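The configuration Simone recommends above, written out as an added example for Jetty 9.4's HttpClient (it is not code from the thread or from the Jetty project). It turns off the JDK's endpoint identification (the "HTTPS" algorithm) but keeps chain validation against the JVM trust store, and does the server-name check itself in a HostnameVerifier. The allowed host names and the target URL are constructed values.

```java
import java.util.Arrays;
import java.util.Collection;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSession;
import org.eclipse.jetty.client.HttpClient;
import org.eclipse.jetty.client.api.ContentResponse;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class ClientTlsExample {

    // Constructed example: the server names this client is allowed to talk to.
    static final Collection<String> EXPECTED_HOSTS =
            Arrays.asList("api.example.internal", "localhost");

    // Application-level name check. Jetty calls verify() with the host
    // from the request URI once the handshake has completed; returning
    // false makes Jetty fail the connection.
    static HostnameVerifier expectedHostVerifier(Collection<String> expected) {
        return (String host, SSLSession session) -> {
            boolean ok = expected.contains(host);
            if (!ok) {
                System.err.println("Rejecting TLS peer: unexpected server name " + host);
            }
            return ok;
        };
    }

    static SslContextFactory.Client newSslContextFactory() {
        SslContextFactory.Client ssl = new SslContextFactory.Client();
        // Disable only the JDK's built-in host name matching against the
        // certificate's SAN/CN. Chain validation (issuer trusted, not expired)
        // still runs, because we do NOT call setTrustAll(true).
        ssl.setEndpointIdentificationAlgorithm(null);
        // Replace it with our own server-name check.
        ssl.setHostnameVerifier(expectedHostVerifier(EXPECTED_HOSTS));
        return ssl;
    }

    public static void main(String[] args) throws Exception {
        HttpClient client = new HttpClient(newSslContextFactory());
        client.start();
        try {
            // Constructed URL; the peer certificate must still chain to a trusted CA.
            ContentResponse response = client.GET("https://api.example.internal/health");
            System.out.println("HTTP " + response.getStatus());
        } finally {
            client.stop();
        }
    }
}
```

With this setup a certificate that is expired or not issued by a trusted CA is still rejected at the TLS level; only the name-matching step moves into the verifier.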