search

http4s / blaze

Blazing fast NIO microframework and Http Parser
Apache License 2.0
351 stars 63 forks source link

How to enable hostNameVerifier on server side in http4s BlazeServerBuilder #774

Open tpsaitwal opened 2 years ago

tpsaitwal commented 2 years ago

In one of my project we are moving away from akka (v10.2.9) to http4s (v0.23.12). In akka we are creating http server using akka.http.scaladsl.Http object which internally creates HttpConnectionContext for server using AkkaSSLConfig which by default has hostNameVerifier enabled on server side as well, Which checks host names against CN and SAN. You can disable this hostNameVerification using this parameter

akka.ssl-config.loose.disableHostnameVerification = true

When I dug deeper into this I got to know hostNameVerification should enabled on Client side only to avoid man in the middle attack.

However, while moving from akka to http4s I still want to keep the functionality of hostNameVerification. I read the http4s documentation and I am using BlazeServerBuilder but I didn't find any provision to enable hostNameVerification on server side. How can this be achieved with http4s and scala.

rossabaker commented 1 year ago

There is a withSslContextAndParameters method that lets you specify an SSLContext and the SSLParameters to apply on any resulting engine. There's no friendly application.conf like Akka, but it should provide the full power of the JSSE API.

Maybe something like this. Untested, uncompiled, and I'm being sloppy about effect tracking, which is fine if these are local variables and you don't mind a misconfiguration crashing your program at startup. Add F.delay and flatMap to taste:

val sslContext = SSLContext.getDefault
val sslParams = new SSLParameters()
sslParams.setEndpointIdentificationAlgorithm("HTTPS")
blazeServerBuilder.withSslContextAndParams(sslContext, sslParams)
...