[jetty-users] Jetty HttpClient 9.4.44, Jersey Client 2.36, Hostname Verifier

Hi,

We have an application that uses the Jersey (2.36) javax.ws.rs.Client class to make HTTP(S) requests. We have a requirement to disable the Hostname Verification for HTTPS connections.

Depending on the context, we can back this javax.ws.rs.Client class by different providers, one being the Jetty HttpClient, through the Jersey JettyConnectorProvider.

Since the JettyConnectorProvider does not support/propagate the hostname verifier provided through the Jersey "Client.hostnameVerifier()" method, we are attempting to pass the Hostname Verifier by creating a Jetty SslContextFactory, explicitly creating a Jetty HttpClient using this SslContextFactory, and then registering this HttpClient on the javax.ws.rs.Client using a JettyHttpClientSupplier:

final SSLContext sslContext = client.getSslContext(); // client is javax.ws.rs.Client
final SslContextFactory sslContextFactory = new SslContextFactory.Client();
sslContextFactory.setSslContext(sslContext);

if (disableHostnameValidation) {
    sslContextFactory.hostnameVerifier((hostname, sslSession) -> true);
}

final HttpClient httpClient = new HttpClient(sslContextFactory);
client.register(new JettyHttpClientSupplier(httpClient));

Question 1: is this expected to work? In our testing, this had no effect; we still received the CertificateExceptions related to the Subject Alternative Name list not containing a DNS entry for the hostname that was used in the URL.

As an alternative to the above, we replace the "sslContextFactory.hostnameVerifier()" call with:

sslContextFactory.setEndpointIdentificationAlgorithm(null);

With this change, we did not receive the CertificateExceptions anymore.

Question 2: we are worried that this doesn't only disable the hostname check, but also disables the check if the certificate was issued by a trusted CA. Can somebody please confirm/clarify if this call only affects the hostname check, or if it basically disables ALL trust checking on the server certificate?

Kind regards, Maarten

