3

A small question regarding Netty and io.netty.handler.ssl.SslContext

In Tomcat and org.apache.http.ssl.SSLContexts, we have the possibility to perform the following:

    HttpClient httpClient = HttpClients.custom()
            .setSSLContext(SSLContexts.custom()
                    .loadKeyMaterial(someKeystoreProperlyInitialized)
                    .loadTrustMaterial(someTruststoreProperlyInitialized)
                    .build())
            .setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE)
            .build();

(Appreciate if we can leave the fonts and not wrap inside a code block)

This can for instance fix issues such as Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching xxx found (This question is not about if NoopHostnameVerifier.INSTANCE is the proper way to fix this.)

My question is, what is the equivalent in Netty of .setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE), without .trustManager(InsecureTrustManagerFactory.INSTANCE), because I have a real trust store, I just want to skip the host name, not everything

Maybe something with reactor.netty.http.client.HttpClient; HttpClient.create() ?

PatPanda
  • This may help: https://stackoverflow.com/questions/41064432/disable-hostname-verification-in-io-netty-handler-ssl-sslcontext – pyb Oct 04 '20 at 01:45
  • Does this answer your question? [Disable hostname verification in io.netty.handler.ssl.Sslcontext](https://stackoverflow.com/questions/41064432/disable-hostname-verification-in-io-netty-handler-ssl-sslcontext) – pyb Oct 04 '20 at 01:46
  • Hello @pyb, thank you for the links. I forgot to mention in my question, without having to do InsecureTrustManagerFactory.INSTANCE, because I do not want to skip everything, just the host name. Good catch, question edited. – PatPanda Oct 04 '20 at 01:50

1 Answer

0

Actually, Netty has hostname verification turned off by default -- see this issue. It looks like the library you're using (reactor-netty) might have it turned on. There appears to be a similar issue on reactor-netty's github which points to the solution, but the code snippet provided seems to do more than what's necessary. Essentially, all you need is to access the SSLEngine from the SslHandler and make sure the endpoint identification algorithm is empty/null:

HttpClient.create().secure(
        ssl -> ssl.sslContext(sslContext)
              .handlerConfigurator(handler -> {
                  SSLEngine engine = handler.engine();
                  // start from the engine's current parameters so protocols/ciphers are not reset
                  SSLParameters params = engine.getSSLParameters();
                  // ... set other SSL params
                  params.setEndpointIdentificationAlgorithm(null);
                  // the change only takes effect once it is written back to the engine
                  engine.setSSLParameters(params);
              })
);
spinlok
  • Can someone help me with `spring-webflux`? I don't want to set up a trust manager or other SSL stuff, I just want to enable `hostNameVerification`. Is there a property in Spring or a config change when creating `WebClient`? – Rookie007 Oct 08 '21 at 13:21
  • I had to set params.setEndpointIdentificationAlgorithm(""); – Patrick Dorn Mar 09 '22 at 15:58
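A complete version of what the question asks for, added here as an illustration and not taken from the answer or from Reactor Netty's own sources: the Netty `SslContext` is built from a real truststore (and optionally a client keystore, as in the Apache HttpClient snippet in the question) instead of `InsecureTrustManagerFactory`, and only endpoint identification is switched off in the `handlerConfigurator`. The truststore path, password and target URL are placeholders. It assumes the behaviour the answer describes, namely that reactor-netty's `HttpClient` sets the endpoint identification algorithm to `"HTTPS"` on the engine before a user-supplied configurator runs, which is why the override reads the engine's current parameters, changes that one field and writes them back rather than creating a fresh `SSLParameters` that is never applied.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.TrustManagerFactory;

import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import reactor.netty.http.client.HttpClient;

public final class TrustStoreButNoHostnameCheck {

    /** Loads a JKS/PKCS12 store from disk (path and password are assumed placeholders). */
    static KeyStore loadStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Chain validation against our own truststore only; no InsecureTrustManagerFactory. */
    static TrustManagerFactory trustManagers(KeyStore truststore) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(truststore);
        return tmf;
    }

    /** Client certificate, the equivalent of loadKeyMaterial in the question (optional). */
    static KeyManagerFactory keyManagers(KeyStore keystore, char[] keyPassword) throws Exception {
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keystore, keyPassword);
        return kmf;
    }

    /** Netty SslContext with real trust material; hostname handling is done per engine below. */
    static SslContext sslContext(TrustManagerFactory tmf, KeyManagerFactory kmf) throws Exception {
        return SslContextBuilder.forClient()
                .trustManager(tmf)
                .keyManager(kmf)
                .build();
    }

    /**
     * Reactor Netty client: certificate chain validation stays on, only the
     * hostname-vs-SAN check (endpoint identification) is disabled.
     */
    static HttpClient client(SslContext ctx) {
        return HttpClient.create().secure(spec -> spec.sslContext(ctx)
                .handlerConfigurator(handler -> {
                    SSLEngine engine = handler.engine();
                    // Read the engine's current parameters: reactor-netty's default
                    // configurator has already set "HTTPS" here (assumed, see lead-in).
                    SSLParameters params = engine.getSSLParameters();
                    params.setEndpointIdentificationAlgorithm(null); // "" has the same effect
                    engine.setSSLParameters(params);                  // write back, or nothing changes
                }));
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray();                      // placeholder
        KeyStore truststore = loadStore("/path/to/truststore.p12", pw); // placeholder
        KeyStore keystore = loadStore("/path/to/client.p12", pw);       // placeholder

        HttpClient http = client(sslContext(trustManagers(truststore), keyManagers(keystore, pw)));

        // Host whose certificate carries no matching SAN; chain must still verify.
        String body = http.get()
                .uri("https://xxx/")                                 // placeholder
                .responseContent()
                .aggregate()
                .asString()
                .block();
        System.out.println(body);
    }
}
```

With endpoint identification off, any certificate that chains to a CA in the truststore is accepted for any hostname, so keep that truststore limited to the private CA that issued the misnamed certificate rather than pointing it at the JDK's `cacerts`; the narrower fix remains reissuing the server certificate with the right Subject Alternative Name.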