mguessan / davmail

DavMail POP/IMAP/SMTP/Caldav/Carddav/LDAP Exchange and Office 365 Gateway - Synced with main subversion repository at
http://davmail.sourceforge.net
GNU General Public License v2.0

feature request: be able to disable ssl verify to accept wrong certificate #300

Closed tst2005 closed 1 year ago

tst2005 commented 1 year ago

Hello,

I got a (temporary) issue with davmail. Microsoft have made a mistake in the https certificate for login.microsoftonline.com. Now Microsoft fixed their servers. Until they fixed their certificate, I dug to find a way to bypass the hostname check to continue and avoid being blocked.

I couldn't find any way. Is this behavior hard-coded? It would be good to be able to disable the ssl verify (over davmail config or with environment variable).

2023-08-07 10:49:23,935 DEBUG [ImapConnection-43408] org.apache.http.conn.ssl.SSLConnectionSocketFactory  - Connecting socket to login.microsoftonline.com/40.99.213.98:443 with timeout 10000
2023-08-07 10:49:23,956 DEBUG [ImapConnection-43408] org.apache.http.conn.ssl.SSLConnectionSocketFactory  - Starting handshake
2023-08-07 10:49:24,010 DEBUG [ImapConnection-43408] org.apache.http.conn.ssl.SSLConnectionSocketFactory  - Secure session established
2023-08-07 10:49:24,010 DEBUG [ImapConnection-43408] org.apache.http.conn.ssl.SSLConnectionSocketFactory  -  negotiated protocol: TLSv1.2
2023-08-07 10:49:24,010 DEBUG [ImapConnection-43408] org.apache.http.conn.ssl.SSLConnectionSocketFactory  -  negotiated cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
2023-08-07 10:49:24,010 DEBUG [ImapConnection-43408] org.apache.http.conn.ssl.SSLConnectionSocketFactory  -  peer principal: CN=outlook.com, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US
2023-08-07 10:49:24,010 DEBUG [ImapConnection-43408] org.apache.http.conn.ssl.SSLConnectionSocketFactory  -  peer alternative names: [*.clo.footprintdns.com, *.hotmail.com, *.internal.outlook.com, *.live.com, *.nrb.footprintdns.com, *.office.com, *.office365.com, *.outlook.com, *.outlook.office365.com, attachment.outlook.live.net, attachment.outlook.office.net, attachment.outlook.officeppe.net, attachments.office.net, attachments-sdf.office.net, ccs.login.microsoftonline.com, ccs-sdf.login.microsoftonline.com, hotmail.com, mail.services.live.com, office365.com, outlook.com, outlook.office.com, substrate.office.com, substrate-sdf.office.com]
2023-08-07 10:49:24,010 DEBUG [ImapConnection-43408] org.apache.http.conn.ssl.SSLConnectionSocketFactory  -  issuer principal: CN=DigiCert Cloud Services CA-1, O=DigiCert Inc, C=US
2023-08-07 10:49:24,012 DEBUG [ImapConnection-43408] org.apache.http.conn.ssl.DefaultHostnameVerifier  - Certificate for <login.microsoftonline.com> doesn't match any of the subject alternative names: [*.clo.footprintdns.com, *.hotmail.com, *.internal.outlook.com, *.live.com, *.nrb.footprintdns.com, *.office.com, *.office365.com, *.outlook.com, *.outlook.office365.com, attachment.outlook.live.net, attachment.outlook.office.net, attachment.outlook.officeppe.net, attachments.office.net, attachments-sdf.office.net, ccs.login.microsoftonline.com, ccs-sdf.login.microsoftonline.com, hotmail.com, mail.services.live.com, office365.com, outlook.com, outlook.office.com, substrate.office.com, substrate-sdf.office.com]
javax.net.ssl.SSLPeerUnverifiedException: Certificate for <login.microsoftonline.com> doesn't match any of the subject alternative names: [*.clo.footprintdns.com, *.hotmail.com, *.internal.outlook.com, *.live.com, *.nrb.footprintdns.com, *.office.com, *.office365.com, *.outlook.com, *.outlook.office365.com, attachment.outlook.live.net, attachment.outlook.office.net, attachment.outlook.officeppe.net, attachments.office.net, attachments-sdf.office.net, ccs.login.microsoftonline.com, ccs-sdf.login.microsoftonline.com, hotmail.com, mail.services.live.com, office365.com, outlook.com, outlook.office.com, substrate.office.com, substrate-sdf.office.com]
        at org.apache.http.conn.ssl.DefaultHostnameVerifier.matchDNSName(DefaultHostnameVerifier.java:177)
        at org.apache.http.conn.ssl.DefaultHostnameVerifier.verify(DefaultHostnameVerifier.java:122)
        at org.apache.http.conn.ssl.DefaultHostnameVerifier.verify(DefaultHostnameVerifier.java:99)
        at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:503)
        at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:437)
        at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
        at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
        at org.apache.http.impl.conn.BasicHttpClientConnectionManager.connect(BasicHttpClientConnectionManager.java:313)
        at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
        at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
        at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
        at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
        at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
        at davmail.http.HttpClientAdapter.execute(HttpClientAdapter.java:421)
        at davmail.http.HttpClientAdapter.execute(HttpClientAdapter.java:405)
        at davmail.exchange.auth.O365Token.executeRequest(O365Token.java:168)
        at davmail.exchange.auth.O365Token.refreshToken(O365Token.java:161)
        at davmail.exchange.auth.O365Token.load(O365Token.java:199)
        at davmail.exchange.auth.O365InteractiveAuthenticator.authenticate(O365InteractiveAuthenticator.java:108)
        at davmail.exchange.ExchangeSessionFactory.getInstance(ExchangeSessionFactory.java:182)
        at davmail.exchange.ExchangeSessionFactory.getInstance(ExchangeSessionFactory.java:97)
        at davmail.imap.ImapConnection.run(ImapConnection.java:155)
2023-08-07 10:49:24,013 DEBUG [ImapConnection-43408] org.apache.http.impl.conn.DefaultManagedHttpClientConnection  - http-outgoing-1: Shutdown connection
2023-08-07 10:49:24,013 DEBUG [ImapConnection-43408] org.apache.http.impl.execchain.MainClientExec  - Connection discarded
2023-08-07 10:49:24,013 DEBUG [ImapConnection-43408] org.apache.http.impl.conn.BasicHttpClientConnectionManager  - Releasing connection [Not bound]
2023-08-07 10:49:24,014 WARN  [ImapConnection-43408] davmail.exchange.auth.O365Token  - refresh token failed Certificate for <login.microsoftonline.com> doesn't match any of the subject alternative names: [*.clo.footprintdns.com, *.hotmail.com, *.internal.outlook.com, *.live.com, *.nrb.footprintdns.com, *.office.com, *.office365.com, *.outlook.com, *.outlook.office365.com, attachment.outlook.live.net, attachment.outlook.office.net, attachment.outlook.officeppe.net, attachments.office.net, attachments-sdf.office.net, ccs.login.microsoftonline.com, ccs-sdf.login.microsoftonline.com, hotmail.com, mail.services.live.com, office365.com, outlook.com, outlook.office.com, substrate.office.com, substrate-sdf.office.com]
2023-08-07 10:49:24,023 WARN  [AWT-EventQueue-0] davmail.exchange.auth.O365InteractiveAuthenticatorFrame  - Unable to register protocol handler

Regards,

esabol commented 1 year ago

Java doesn't provide an easy way to disable SSL hostname verification with a command line switch. It would require changes to the code.

https://stackoverflow.com/questions/6031258/java-ssl-how-to-disable-hostname-verification

mguessan commented 1 year ago

Technical answer: would need to use AllowAllHostnameVerifier in HttpClientAdapter:

RegistryBuilder<ConnectionSocketFactory> schemeRegistry = RegistryBuilder.create();
schemeRegistry.register("http", new PlainConnectionSocketFactory());
// AllowAllHostnameVerifier (deprecated since HttpClient 4.4; NoopHostnameVerifier is its replacement)
// takes the place of DefaultHostnameVerifier, so the certificate's names are never checked against the host.
schemeRegistry.register("https", new SSLConnectionSocketFactory(sslSocketFactory,
        SUPPORTED_PROTOCOLS, null, new AllowAllHostnameVerifier()));

However, we are talking about an interaction with Microsoft IdP authentication, the place where you provide username, password and MFA, so I don't think it would be a good idea to make a man-in-the-middle attack easy natively in DavMail.
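The log above shows DefaultHostnameVerifier rejecting the session because none of the certificate's subject alternative names covers login.microsoftonline.com, and the last comment explains why that check is the one DavMail should not switch off. The following Python script is an added example, not DavMail or Apache HttpClient code: it re-implements, in simplified form, the RFC 6125-style name matching that HttpClient's DefaultHostnameVerifier applies (the public-suffix and CN-fallback rules are omitted), runs it over the SAN list copied from the log, and shows exactly which names that certificate would and would not have been accepted for. The SAN list and all other inputs are constructed fixtures taken from the issue text.

```python
"""Hostname-vs-SAN matching, re-implemented to show why the DavMail log reports
"Certificate for <login.microsoftonline.com> doesn't match any of the subject
alternative names".  Added example: NOT DavMail or HttpClient code, but a
simplified Python model of the rules Apache HttpClient's DefaultHostnameVerifier
applies (public-suffix and CN-fallback handling are omitted)."""
import ipaddress
from typing import Iterable, Optional

# Constructed fixture: the subject alternative names copied from the
# "peer alternative names" line in the issue's log.
SAN_FROM_LOG = [
    "*.clo.footprintdns.com", "*.hotmail.com", "*.internal.outlook.com",
    "*.live.com", "*.nrb.footprintdns.com", "*.office.com", "*.office365.com",
    "*.outlook.com", "*.outlook.office365.com", "attachment.outlook.live.net",
    "attachment.outlook.office.net", "attachment.outlook.officeppe.net",
    "attachments.office.net", "attachments-sdf.office.net",
    "ccs.login.microsoftonline.com", "ccs-sdf.login.microsoftonline.com",
    "hotmail.com", "mail.services.live.com", "office365.com", "outlook.com",
    "outlook.office.com", "substrate.office.com", "substrate-sdf.office.com",
]


def _as_ip(value: str):
    """Return an ipaddress object if value is an IP literal, else None."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def dns_name_matches(pattern: str, host: str) -> bool:
    """Match one dNSName SAN entry against a host name.

    Rules modelled: comparison is case-insensitive; a wildcard is honoured only
    in the left-most label and covers exactly one label, so "*.office365.com"
    matches "outlook.office365.com" but neither "office365.com" (the apex) nor
    "a.b.office365.com" (two labels)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_first, _, p_rest = pattern.partition(".")
    h_first, _, h_rest = host.partition(".")
    # Wildcard must sit in the left-most label, and both sides need a parent domain.
    if "*" in p_rest or not p_rest or not h_first or not h_rest:
        return False
    if p_rest != h_rest:
        return False
    # Partial wildcards such as "f*o.example.com": the left-most host label
    # must carry the literal prefix and suffix around the '*'.
    prefix, _, suffix = p_first.partition("*")
    return (len(h_first) >= len(prefix) + len(suffix)
            and h_first.startswith(prefix) and h_first.endswith(suffix))


def first_matching_san(host: str, sans: Iterable[str]) -> Optional[str]:
    """Return the first SAN entry that covers host, or None (= verifier failure).

    An IP-literal host is compared only against iPAddress-style entries; it
    never matches a dNSName entry, wildcard or not."""
    host_ip = _as_ip(host)
    for entry in sans:
        entry_ip = _as_ip(entry)
        if host_ip is not None or entry_ip is not None:
            if host_ip is not None and entry_ip is not None and host_ip == entry_ip:
                return entry
            continue
        if dns_name_matches(entry, host):
            return entry
    return None


def hostname_verified(host: str, sans: Iterable[str]) -> bool:
    """True when the certificate's SANs cover host, i.e. what the verifier requires."""
    return first_matching_san(host, sans) is not None


if __name__ == "__main__":
    for name in ("login.microsoftonline.com", "ccs.login.microsoftonline.com",
                 "outlook.office365.com", "a.b.office365.com", "office365.com"):
        match = first_matching_san(name, SAN_FROM_LOG)
        print(f"{name:32s} -> {'OK via ' + match if match else 'REJECTED (no SAN matches)'}")
```

Running it reproduces the failure from the log for login.microsoftonline.com while showing that ccs.login.microsoftonline.com and any single-label host under *.office365.com would have passed. The point the maintainer makes follows directly from the matching rule: the SAN check is the only thing binding the TLS session to the IdP name DavMail intended to reach, and replacing it with a verifier that accepts every name removes that binding for all hosts, not just the one that was misconfigured.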