Why do we use one disableHttpsEndpointIdentificationAlgorithm option to affect the behavior of SNI and hostname verification? #1959

Open
seaswalker opened this issue May 9, 2024 · 3 comments


@seaswalker

In real-life scenarios, we need to configure one of the options individually, rather than having to turn them on or off simultaneously, thanks.

@kertzi

kertzi commented May 16, 2024

Hello,
I think I have a related case, so I'm commenting on this issue.
My case is that I'm migrating from the old 1.8.16 to 2.12.3, and in our old code we skipped hostname verification because it doesn't matter in our case and instead creates problems, so we have (snippet from the old implementation):

```java
this.asyncHttpClient = new AsyncHttpClient(
    new AsyncHttpClientConfig.Builder()
        .setSSLContext(sslContext)
        .setHostnameVerifier(new HostnameVerifier() {
            // Accepts every hostname, so the certificate's name is never checked.
            @Override
            public boolean verify(String hostname, SSLSession session) {
                log.debug("override hostname verification");
                return true;
            }
        })
        .build()
);
```

How can I disable hostname verification in the new version?

Thank you

@seaswalker

```java
/**
 * Skip {@link javax.net.ssl.HostnameVerifier}.
 *
 * @see <a href="https://netty.io/4.1/api/io/netty/handler/ssl/SslContext.html">newHandler</a>
 * @see <a href="https://github.com/AsyncHttpClient/async-http-client/issues/1611">How to disable hostname verification in AsyncHttpClient</a>
 */
private static class SkipHostnameVerificationSslEngineFactory extends DefaultSslEngineFactory {

	@Override
	protected void configureSslEngine(SSLEngine sslEngine, AsyncHttpClientConfig config) {
		sslEngine.setUseClientMode(true);
	}

}
```

and then:

```java
DefaultAsyncHttpClientConfig.Builder cfgBuilder = new DefaultAsyncHttpClientConfig.Builder();
cfgBuilder.setSslEngineFactory(new SkipHostnameVerificationSslEngineFactory());
```

You can refer to org.asynchttpclient.netty.ssl.SslEngineFactoryBase#configureSslEngine and Netty's doc, https://netty.io/4.1/api/io/netty/handler/ssl/SslContext.html, to find out why the above code works.

@kertzi

kertzi commented May 16, 2024

Thank you!
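
Added example (not from this thread and not AsyncHttpClient code): in plain JSSE, the SNI extension and the hostname check are two separate `SSLParameters` settings, so SNI can be turned off while hostname verification stays on, which is the independence the issue title asks about. The class name, the `clientEngine` helper and the sample host are hypothetical.

```java
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import java.security.NoSuchAlgorithmException;
import java.util.Collections;
import java.util.List;

public class SniAndEndpointIdDemo {

    /** Hypothetical helper: SNI and hostname verification are chosen independently. */
    static SSLEngine clientEngine(SSLContext ctx, String host, int port,
                                  boolean sendSni, boolean verifyHostname) {
        // The peer host given here is the name the certificate is checked against.
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);

        SSLParameters params = engine.getSSLParameters();
        // SNI: the name advertised in the ClientHello. An empty list sends no extension.
        params.setServerNames(sendSni
                ? List.<SNIServerName>of(new SNIHostName(host))
                : Collections.<SNIServerName>emptyList());
        // Hostname verification: "HTTPS" enables the check, null leaves it disabled.
        params.setEndpointIdentificationAlgorithm(verifyHostname ? "HTTPS" : null);
        engine.setSSLParameters(params);
        return engine;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        SSLContext ctx = SSLContext.getDefault();
        String host = "service.example.test"; // constructed sample host, never contacted
        // {sendSni, verifyHostname}: both on, SNI off with verification kept,
        // and the combination the workaround in this thread aims for.
        boolean[][] cases = {{true, true}, {false, true}, {true, false}};
        for (boolean[] c : cases) {
            SSLParameters p = clientEngine(ctx, host, 443, c[0], c[1]).getSSLParameters();
            System.out.printf("sendSni=%b verifyHostname=%b -> serverNames=%s endpointId=%s%n",
                    c[0], c[1], p.getServerNames(), p.getEndpointIdentificationAlgorithm());
        }
    }
}
```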
