
Is there a Java parameter in Java_options or elsewhere which can disable host verification when SSL is enabled? I need it at the level of the JDK setup, not in code.

  • I'd be very surprised if this existed; it would be a dangerous thing to create, because it would impact not just the specific application/connection for which it was intended but everything else done by the JVM as well. – Charles Duffy Nov 11 '22 at 17:36
  • I assume you need it "not in code" because you don't have source file but just classes or a precompiled jar? You can decompile and edit those; it's a bit of extra work, but entirely doable. – Charles Duffy Nov 11 '22 at 17:36
  • It's because it's a product, Oracle Identity Manager, and I don't want to open their code; I want to bypass the problem – Yaniv Rozenzweig Nov 12 '22 at 09:58
  • It's a temp solution until we get an upgrade of the code – Yaniv Rozenzweig Nov 12 '22 at 09:59
  • 1
    I find it hard to believe Oracle Identity Manager can not properly validate X509 certificates used in SSL/TLS connections against host names. Instead of disabling host verification, why not properly deploy correctly-configured certificates with Subject Alternative Names that match the DNS name(s) meant to access the systems identified by those certificates? – Andrew Henle Nov 12 '22 at 13:24
  • 1
    If the system you need to connect to has a certificate that's correct but can't be validated by this software release for whatever reason, it would be better to MITM yourself with a proxy having a certificate that _can_ be validated. – Charles Duffy Nov 12 '22 at 22:40
  • @CharlesDuffy *If the system you need to connect to has a certificate that's correct but can't be validated by this software release for whatever reason* True, but that would not be a [code smell](https://en.wikipedia.org/wiki/Code_smell), that would be a code **stench** strong enough to melt glass, peel paint off walls, and make your flesh dissolve. SSL/TLS connections done by the JVM would do proper hostname validation of the server certificate unless the code doing the connection does something to replace that with something broken. Someone would have had to actively break it. – Andrew Henle Nov 13 '22 at 13:29
  • 1
    Does this answer your question? [Java SSL: how to disable hostname verification](https://stackoverflow.com/questions/6031258/java-ssl-how-to-disable-hostname-verification) – Eugène Adell Nov 13 '22 at 13:31
  • @AndrewHenle, I've seen security products sold in the last five years by big-name companies that didn't support anything newer than SSLv3. The world is a messy place sometimes; occasionally an ugly hack of a workaround that contains the damage is defensible, if it's less ugly than the alternatives. – Charles Duffy Nov 13 '22 at 18:44
  • 1
    @AndrewHenle, ...I could also conceive of a situation where the network topology doesn't let the server do reverse DNS lookups to get the name used in a certificate and is failing validation for that reason. Not a _good_ excuse for anything, but I could see it leading to someone asking this question; and there are certainly ways to fix it less hacky and self-defeating than just turning off validation altogether. – Charles Duffy Nov 13 '22 at 18:48
  • @CharlesDuffy If something like that does happen to be the network configuration, then they've set up a network where there's no way to confirm they're actually connecting to the system they're trying to connect to. To say that's MITM-prone would be an understatement. – Andrew Henle Nov 13 '22 at 20:05
  • @AndrewHenle, there's a reason I suggested a deliberate self-MITM; if instead of talking to the host you _can't_ verify you talk to a host you can (whether that's because the host is located somewhere different in terms of network topology, or is using a certificate type that complies with expectations from one software release vs another, or whatever the situation may be), and that host has network configuration / newer software / etc. that it uses to successfully verify the remote endpoint... well, that means we _do_ get a successful validation chain end-to-end. – Charles Duffy Nov 13 '22 at 20:29
  • Not saying it's ideal -- it's one more private key to protect, one more system that has to be configured to validate its peers, and an extra hop that can potentially obfuscate logging &c -- but if the OP lived in an ideal world this question would never have come up. – Charles Duffy Nov 13 '22 at 20:32
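The comments above turn on one point: the JDK has no `-D` property or `JAVA_OPTIONS` value that switches hostname verification off, and the in-code override that does exist (`HttpsURLConnection.setDefaultHostnameVerifier`) applies to every `HttpsURLConnection` the JVM creates afterwards, which is the blast radius warned about above. The following is an added example, not code from the question, the linked answer or Oracle Identity Manager, showing the JVM-wide override beside a contained alternative: a verifier that accepts exactly one host name and one pinned leaf certificate, installed on one connection. It relies on the fact that `HttpsURLConnection` consults a custom `HostnameVerifier` only after its own name check has already failed, so returning `false` leaves the connection rejected as it would be by default. The class name, the host `legacy.example.internal` and the all-zero fingerprint are assumptions; the real fingerprint would come from the server's certificate. Even this still requires editing code (or the decompiled classes, as suggested above), and it covers `HttpsURLConnection` only; raw `SSLSocket` users and third-party HTTP clients inside a product have their own settings.

```java
import java.net.URI;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Locale;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;

/**
 * A HostnameVerifier that relaxes the built-in name check for exactly one host
 * and exactly one pinned leaf certificate, and only on the connections it is
 * explicitly set on. HttpsURLConnection calls a custom verifier only after its
 * own check has failed, so returning false keeps the connection rejected.
 */
public final class ScopedHostnameVerifier implements HostnameVerifier {

    private final String expectedHost;    // the only host name this verifier will ever accept
    private final String expectedSha256;  // SHA-256 of the DER-encoded leaf cert, lower-case hex, no colons

    public ScopedHostnameVerifier(String expectedHost, String expectedSha256) {
        this.expectedHost = expectedHost.toLowerCase(Locale.ROOT);
        this.expectedSha256 = expectedSha256.toLowerCase(Locale.ROOT).replace(":", "");
    }

    @Override
    public boolean verify(String hostname, SSLSession session) {
        if (!expectedHost.equals(hostname.toLowerCase(Locale.ROOT))) {
            return false; // any other host: stay as strict as the default check
        }
        try {
            Certificate[] chain = session.getPeerCertificates(); // throws if the peer was not authenticated
            if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
                return false;
            }
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(chain[0].getEncoded());
            return toHex(digest).equals(expectedSha256); // accept only the pinned leaf certificate
        } catch (Exception e) {
            return false; // SSLPeerUnverifiedException, CertificateEncodingException, ...: reject
        }
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b)); // %x treats a negative byte as unsigned
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // What "disable host verification" amounts to in code: every HttpsURLConnection
        // created after this line accepts any certificate for any host. This is the
        // JVM-wide setting the comments warn about, and it is still a code change;
        // there is no -D property or JAVA_OPTIONS value that does it.
        //   HttpsURLConnection.setDefaultHostnameVerifier((host, session) -> true);

        // Contained alternative. Host name and fingerprint are placeholders (assumptions);
        // take the real fingerprint from the server's certificate, e.g.
        //   openssl s_client -connect legacy.example.internal:443 </dev/null \
        //     | openssl x509 -noout -fingerprint -sha256
        HostnameVerifier scoped = new ScopedHostnameVerifier(
                "legacy.example.internal",
                "0000000000000000000000000000000000000000000000000000000000000000");

        HttpsURLConnection conn = (HttpsURLConnection)
                URI.create("https://legacy.example.internal/").toURL().openConnection();
        conn.setHostnameVerifier(scoped); // this one connection only; nothing else in the JVM changes

        // conn.getResponseCode() would now perform the TLS handshake and run the verifier;
        // it is left out so the example compiles and runs without network access.
        System.out.println("scoped verifier set for " + conn.getURL().getHost());
    }
}
```

Pinning the leaf certificate rather than just the host name is what keeps the relaxation contained: a rogue server that happens to present any certificate for that name is still rejected, and the exception expires naturally when the legacy certificate is replaced.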
