Description
I'm trying to connect to a QUIC server that doesn't have a domain name and whose IP isn't constant due to tunnelling/proxying. My server has a private key + self-signed certificate that it can safely transfer to clients using an authenticated/encrypted out-of-band protocol, so I don't have to use any CA, or trust the FQDN of the certificate. I would just add this single certificate to the trust store and be good to go.
But Kwik has no way to disable checking the FQDN of a connection URI without simultaneously disabling the trust store, so I'm stuck. I might be able to add a dummy SubjectAlternativeName= to the server's cert, give this same IP to the .uri() method of the builder and use a socket factory to create a socket with the correct IP address instead of the one in the URI, but that's really an ugly hack.
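The trust model described in this issue (accept exactly one self-signed certificate received out of band, and never look at the host name or IP) can be sketched as a standard JSSE trust manager. This is an added example, not code from the issue author or from Kwik; it uses only JDK classes, the class name `PinnedCertTrustManager` and its `fromPem` helper are hypothetical, and whether Kwik can be configured with a custom trust manager is not stated on this page.

```java
import java.io.InputStream;
import java.net.Socket;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedTrustManager;

/** Hypothetical helper: trusts one pinned server certificate and ignores the peer's name or address. */
public final class PinnedCertTrustManager extends X509ExtendedTrustManager {
    private final byte[] pinnedDer; // DER encoding of the certificate obtained out of band

    public PinnedCertTrustManager(X509Certificate pinned) throws CertificateException {
        this.pinnedDer = pinned.getEncoded();
    }

    /** Loads the pinned certificate from a PEM or DER file (the path is supplied by the caller). */
    public static PinnedCertTrustManager fromPem(Path file) throws Exception {
        try (InputStream in = Files.newInputStream(file)) {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            return new PinnedCertTrustManager((X509Certificate) cf.generateCertificate(in));
        }
    }

    private void check(X509Certificate[] chain) throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("no server certificate presented");
        }
        X509Certificate leaf = chain[0];
        // Byte-for-byte match on the whole certificate: no CA path building, no SAN/CN check.
        if (!MessageDigest.isEqual(pinnedDer, leaf.getEncoded())) {
            throw new CertificateException("server certificate does not match the pinned certificate");
        }
        leaf.checkValidity(); // an expired or not-yet-valid pinned certificate is still rejected
    }

    @Override public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException { check(c); }
    @Override public void checkServerTrusted(X509Certificate[] c, String a, Socket s) throws CertificateException { check(c); }
    @Override public void checkServerTrusted(X509Certificate[] c, String a, SSLEngine e) throws CertificateException { check(c); }

    // This manager is for client-side use only, so every client-authentication request is refused.
    private static void refuse() throws CertificateException { throw new CertificateException("client authentication not supported"); }
    @Override public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { refuse(); }
    @Override public void checkClientTrusted(X509Certificate[] c, String a, Socket s) throws CertificateException { refuse(); }
    @Override public void checkClientTrusted(X509Certificate[] c, String a, SSLEngine e) throws CertificateException { refuse(); }

    @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
}
```

Because the comparison covers the full certificate, the connection is bound to the server's key rather than to any name, which is the property the issue asks for without disabling trust checks altogether.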