AsyncHttpClient / async-http-client

Asynchronous Http and WebSocket Client library for Java

Why do we use one disableHttpsEndpointIdentificationAlgorithm option to affect the behavior of SNI and hostname verification? #1959

Open seaswalker opened 4 months ago

seaswalker commented 4 months ago

In real-life scenarios, we need to configure one of the options individually, rather than having to turn them on or off simultaneously. Thanks.

kertzi commented 4 months ago

Hello, I think I have a related case, so I'm commenting on this issue. My case is that I'm migrating from the old 1.8.16 to 2.12.3, and in our old code we skipped hostname verification because it doesn't matter in our case but instead creates problems, so we have (snippet from the old impl):

        this.asyncHttpClient = new AsyncHttpClient(
            new AsyncHttpClientConfig.Builder()
                .setSSLContext(sslContext)
                .setHostnameVerifier(new HostnameVerifier() {
                    @Override
                    public boolean verify(String hostname, SSLSession session) {
                        log.debug("override hostname verification");
                        return true; // accept any hostname: the 1.8.x behaviour being migrated
                    }
                })
                .build());

How can I disable hostname verification in the new version?

Thank you

seaswalker commented 4 months ago
import javax.net.ssl.SSLEngine;
import org.asynchttpclient.AsyncHttpClientConfig;
import org.asynchttpclient.netty.ssl.DefaultSslEngineFactory;

/**
 * Skip {@link javax.net.ssl.HostnameVerifier}.
 *
 * @see <a href="https://netty.io/4.1/api/io/netty/handler/ssl/SslContext.html">newHandler</a>
 * @see <a href="https://github.com/AsyncHttpClient/async-http-client/issues/1611">How to disable hostname verification in AsyncHttpClient</a>
 */
private static class SkipHostnameVerificationSslEngineFactory extends DefaultSslEngineFactory {

    @Override
    protected void configureSslEngine(SSLEngine sslEngine, AsyncHttpClientConfig config) {
        // Only switch the engine to client mode. The base class would also set the
        // "HTTPS" endpoint identification algorithm here, which is what makes the JDK
        // check the certificate against the request host; leaving it unset skips that
        // check, while the peer host already given to the engine still drives SNI.
        sslEngine.setUseClientMode(true);
    }

}

and then:

DefaultAsyncHttpClientConfig.Builder cfgBuilder = new DefaultAsyncHttpClientConfig.Builder();
cfgBuilder.setSslEngineFactory(new SkipHostnameVerificationSslEngineFactory());

You can refer to org.asynchttpclient.netty.ssl.SslEngineFactoryBase#configureSslEngine and Netty's doc (https://netty.io/4.1/api/io/netty/handler/ssl/SslContext.html) to find out why the above code works.
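The thread's workaround only yields one combination (SNI on, hostname check off). As an added example, not code from this thread or from the library, the factory below lets the two behaviours be chosen separately. It assumes the 2.12.x layout the answer above points at: DefaultSslEngineFactory.newSslEngine passes the peer host to Netty's SslContext.newEngine (which is what sends SNI) only while disableHttpsEndpointIdentificationAlgorithm is false, and SslEngineFactoryBase.configureSslEngine is where the "HTTPS" endpoint identification algorithm would be set; IndependentSslEngineFactory and sniOffHostnameCheckOn are names chosen here.

```java
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import org.asynchttpclient.AsyncHttpClientConfig;
import org.asynchttpclient.DefaultAsyncHttpClientConfig;
import org.asynchttpclient.netty.ssl.DefaultSslEngineFactory;

/**
 * Decouples the two behaviours that disableHttpsEndpointIdentificationAlgorithm ties together.
 *
 * SNI is decided before this class runs: newSslEngine (assumed 2.12.x layout) hands the
 * peer host to SslContext.newEngine only when the config flag is false. The hostname
 * check is a single SSLParameters field set here, so it can follow its own switch.
 */
public final class IndependentSslEngineFactory extends DefaultSslEngineFactory {

    private final boolean verifyHostname;

    public IndependentSslEngineFactory(boolean verifyHostname) {
        this.verifyHostname = verifyHostname;
    }

    @Override
    protected void configureSslEngine(SSLEngine sslEngine, AsyncHttpClientConfig config) {
        sslEngine.setUseClientMode(true);
        if (verifyHostname) {
            // "HTTPS" makes the JDK match the certificate (SAN/CN) against the request host,
            // regardless of whether the engine was created with a peer host for SNI.
            SSLParameters params = sslEngine.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            sslEngine.setSSLParameters(params);
        }
        // verifyHostname == false reproduces the workaround in the comment above.
    }

    /**
     * The combination the single flag cannot express: no SNI (flag true) but the
     * certificate is still checked against the host (verifyHostname true).
     */
    public static DefaultAsyncHttpClientConfig sniOffHostnameCheckOn() {
        return new DefaultAsyncHttpClientConfig.Builder()
                .setDisableHttpsEndpointIdentificationAlgorithm(true)
                .setSslEngineFactory(new IndependentSslEngineFactory(true))
                .build();
    }
}
```

With the flag left at false and `new IndependentSslEngineFactory(false)` you get the thread's own combination; with the flag false and `true` you get the library default.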

kertzi commented 4 months ago
Thank you!