
I'm developing a Java application (launched by Tomee) which needs to call, using JaxRS, an HTTPS server with its hostname, but the hostname is not resolved by the DNS.

In practice, my application creates a VM using Openstack API, so the IP address has been dynamically allocated during the lifetime of the application (which is why it's not solved by the DNS). But I have to call an HTTPS server running on that VM, for which the certificate was signed using a given hostname, so I MUST call it with https://hostname, and not with https://ip_address... I am not allowed to "play" with TLS configuration, by (for example) disabling Common Name check, so the only solution I see is to be able to "intercept" a DNS resolution request, to provide the good IP address to use.

The "How to override DNS in HTTP connections in Java" page shows a solution using Apache HttpClient - however, our microservice was entirely built on JaxRS, and I failed to find a way to do the same thing with it.

The client used is the v3.2.2 version of org.apache.cxf:cxf-rt-rs-client, provided by the Tomee we are based on.

Thanks for your attention!

  • In various systems you can define how names are resolved, using the DNS or not. Like on Unix, with `/etc/nsswitch.conf`, you can decide to use `/etc/hosts` where you store a fixed mapping of names and IP addresses. But I would think this second solution is better: in various libraries you can separate data about the endpoint (that is host or IP address, and port name or number) and data "inside" the TLS handshake (name to use during SNI) and protocol data (like hostname put in HTTP `host` header). I would suggest checking if the library you use allows that. – Patrick Mevzek Oct 16 '19 at 16:11
  • Hello. My need is to be able to "intercept" the DNS resolution programmatically, the way it's explained in the StackOverflow subject I shared, but with JaxRS library (or the Apache implementation of that interface). The fact is that I could, at the same time, have deployed 2 VMs with the SAME certificate, so I want to be able to call both of them using the SAME hostname - which is why I need to intercept the DNS resolution and provide the good IP address, and not rely on /etc/host... But thanks for your answer anyways! Daniel – dchiaramello Oct 17 '19 at 06:33
  • "have deployed 2 VMs with the SAME certificate" which is completely normal and happens everywhere (think about webserver farms handling the same website...) – Patrick Mevzek Oct 17 '19 at 06:38
  • Well, I failed to determine if your comment was ironic or not... However, my question was if there's a possibility to dynamically override the DNS resolution with JaxRS the way it's done with HttpClient in the other StackOverflow subject, not to open a debate on certificate security! :) Thanks again anyways for your attention. – dchiaramello Oct 18 '19 at 06:54
  • Try a look here: https://stackoverflow.com/questions/55609297/custom-hostname-resolver-for-jax-rs-client?newreg=e66a32a8c77a4b048f6f89f3abdee91d – Giovanni Bartolomeo Dec 19 '20 at 10:27
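
The separation described in the comments (transport endpoint versus the name used inside TLS) can be shown with plain JDK JSSE. This is an added example, not code from the thread and not a CXF/JAX-RS integration: the class name, IP address and hostname are hypothetical, and hostname verification stays enabled.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.util.Collections;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class PinnedAddressTls {

    // Connects to ipAddress:port but validates the server certificate
    // against certHostname (SNI plus the standard HTTPS hostname check).
    public static SSLSocket connect(String ipAddress, int port, String certHostname,
                                    int timeoutMs) throws IOException {
        Socket tcp = new Socket();
        try {
            // Transport endpoint: an IP literal, so no DNS lookup takes place.
            tcp.connect(new InetSocketAddress(ipAddress, port), timeoutMs);

            // TLS identity: layer TLS over the socket, naming the certificate's host.
            SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
            SSLSocket tls = (SSLSocket) factory.createSocket(tcp, certHostname, port, true);

            SSLParameters params = tls.getSSLParameters();
            params.setServerNames(Collections.singletonList(new SNIHostName(certHostname)));
            // A raw SSLSocket only checks the certificate chain; this setting
            // adds the hostname check that HttpsURLConnection does by default.
            params.setEndpointIdentificationAlgorithm("HTTPS");
            tls.setSSLParameters(params);

            // Fails with SSLHandshakeException on an untrusted chain or name mismatch.
            tls.startHandshake();
            return tls;
        } catch (IOException | RuntimeException e) {
            tcp.close();
            throw e;
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample values: 192.0.2.10 is a documentation address
        // (RFC 5737) and vm.example.internal is a placeholder hostname.
        try (SSLSocket tls = connect("192.0.2.10", 443, "vm.example.internal", 5000)) {
            System.out.println("Negotiated " + tls.getSession().getProtocol()
                    + " with " + tls.getSession().getPeerPrincipal());
        }
    }
}
```

Because the address is chosen per call, two VMs presenting the same certificate can be reached under the same hostname without touching `/etc/hosts` or weakening certificate validation.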

0 Answers