I am using Jetty HttpClient to make HTTPS requests. After establishing the SSL connection and before sending the data I would like to verify that I am talking to the intended server. Basically, if I want to send request to www.foo.com, then I want to verify that the server has certificate for that domain name.
One way to achieve this would be to create my own TrustManager and use it for creating SslContextFactory that is given to HttpClient. The available callbacks in the trust manager are:
checkServerTrusted(X509Certificate[] chain, String authType)
checkServerTrusted(X509Certificate[] chain, String authType,
Socket socket)
checkServerTrusted(X509Certificate[] chain, String authType,
SSLEngine engine)
In all the cases I have access to certificate but not the original request (I need the original domain name).
The second option that comes to mind would be to access the peer certificate from the HttpExchange descendant that I am using to make the request. For example, after calling HttpClient.send(exchange), I could access the peer certificate and perform the verification. However, there seems to be no way of getting access to SSL information (either peer certificates or SSLEngine or SSLSocket objects) from the exchange.
To top it off, HttpClient itself does not seem to do any verification of the certificate content. This means that there is no place for me to plug in my verification logic, and that HttpClient is vulnerable to DNS spoofing attacks (see http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf for discussion of the topic).
Can anyone give hints on where I could plug in the server name verification?
