Re: [jetty-users] Jetty HttpClient 9.4.44, Jersey Client 2.36, Hostname Verifier

Hi,

On Mon, Mar 13, 2023 at 8:31 AM Maarten Boekhold <boekhold@xxxxxxx> wrote:
>
> Hi,
>
> We have an application that uses the Jersey (2.36) javax.ws.rs.Client class to make HTTP(S) requests. We have a requirement to disable the Hostname Verification for HTTPS connections.
>
> Depending on the context, we can back this javax.ws.rs.Client class by different providers, one being the Jetty HttpClient, through the Jersey JettyConnectorProvider.
>
> Since the JettyConnectorProvider does not support/propagate the hostname verifier provided through the Jersey "Client.hostnameVerifier()" method, we are attempting to pass the Hostname Verifier by creating a Jetty SslContextFactory, explicitly creating a Jetty HttpClient using this SslContextFactory, and then registering this HttpClient on the javax.ws.rs.Client using a JettyHttpClientSupplier:
>
> final SSLContext sslContext = client.getSslContext(); // client is javax.ws.rs.Client
> final SslContextFactory sslContextFactory = new SslContextFactory.Client();
> sslContextFactory.setSslContext(sslContext);
>
> if (disableHostnameValidation) {
>     sslContextFactory.hostnameVerifier((hostname, sslSession) -> true);
> }
>
> final HttpClient httpClient = new HttpClient(sslContextFactory);
> client.register(new JettyHttpClientSupplier(httpClient));
>
> Question 1: is this expected to work? In our testing, this had no effect, we still received the CertificateExceptions related to the Subject Alternative Name list not containing a DNS entry for the hostname that was used in the URL.

See https://www.eclipse.org/jetty/documentation/jetty-11/programming-guide/index.html#pg-client-http-configuration-tls.

It works when you disable the EndpointIdentificationAlgorithm.

> As an alternative to the above, we replace the "sslContextFactory.hostnameVerifier()" call with:
>
> sslContextFactory.setEndpointIdentificationAlgorithm(null);
>
> With this change, we did not receive the CertificateExceptions anymore.
>
> Question 2: we are worried that this doesn't only disable the hostname check, but also disables the check if the certificate was issued by a trusted CA.

That is not the case, at least for the OpenJDK implementation.

I recommend that if you need to do custom server name checks, you set
EndpointIdentificationAlgorithm=null, *but* you set the
hostnameVerifier, and verify that the server name is what you expect.

Otherwise, an attacker can intercept your traffic, send down a
CA-signed certificate for "evil.com", and if you don't verify the
hostName you're now connected to evil.com.

-- 
Simone Bordet
----
http://cometd.org
http://webtide.com
Developer advice, training, services and support
from the Jetty & CometD experts.
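The pattern Simone describes above (turn off the JDK endpoint identification, but keep a HostnameVerifier that checks the server name against what you expect) as an added example, not code from the thread or from the Jetty project. The class name `PinnedNameClientFactory` and the allow-list of expected names are assumptions; the Jetty 9.4 API calls (`SslContextFactory.Client`, `setSslContext`, `setEndpointIdentificationAlgorithm`, `setHostnameVerifier`, `HttpClient(SslContextFactory)`) are the ones the original post and reply refer to.

```java
import java.util.Locale;
import java.util.Set;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import org.eclipse.jetty.client.HttpClient;
import org.eclipse.jetty.util.ssl.SslContextFactory;

// Added example (assumed class name): a Jetty HttpClient whose TLS name check
// is replaced by an explicit allow-list instead of being disabled outright.
public final class PinnedNameClientFactory {

    // Accept only the server names we know belong to the legitimate service.
    // This is the "verify that the server name is what you expect" step;
    // it is what keeps a CA-signed cert for some other name from being accepted.
    static HostnameVerifier expectedNames(Set<String> allowedNames) {
        return (String hostname, SSLSession session) -> {
            boolean ok = hostname != null
                    && allowedNames.contains(hostname.toLowerCase(Locale.ROOT));
            if (!ok) {
                // Log the rejection so a misconfiguration or interception shows up in monitoring.
                System.err.printf("TLS peer name %s rejected (protocol %s)%n",
                        hostname, session.getProtocol());
            }
            return ok;
        };
    }

    // sslContext: the SSLContext taken from the javax.ws.rs.Client (trust store,
    // CA validation) is left untouched; only the name check is customised.
    public static HttpClient build(SSLContext sslContext, Set<String> allowedNames)
            throws Exception {
        SslContextFactory.Client ssl = new SslContextFactory.Client();
        ssl.setSslContext(sslContext);
        // Disable the JDK's built-in HTTPS endpoint identification ...
        ssl.setEndpointIdentificationAlgorithm(null);
        // ... and put our own check in its place. Never use (h, s) -> true here.
        ssl.setHostnameVerifier(expectedNames(allowedNames));
        HttpClient httpClient = new HttpClient(ssl);
        httpClient.start();
        return httpClient;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the names this deployment legitimately connects to.
        Set<String> allowed = Set.of("api.internal.example", "api-alias.internal.example");
        HttpClient httpClient = build(SSLContext.getDefault(), allowed);
        httpClient.stop();
    }
}
```

The resulting HttpClient can then be handed to Jersey through `JettyHttpClientSupplier` exactly as in the original post; the CA trust check still runs from the supplied SSLContext, and only the name comparison has been replaced.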