Open edgarogh opened 1 month ago
Okay, I understand your scenario. What do you propose? Just have a method to disable hostname verification? Or?
Just have a method to disable hostname verification
That sounds like a perfect solution!
Or if you want a more generic solution, maybe re-expose `TlsClientEngine::setHostnameVerifier` to the Kwik library consumers (possibly through a new interface, if the TLS part of the library is better kept private).
I'm trying to connect to a QUIC server that doesn't have a domain name and whose IP isn't constant due to tunnelling/proxying. My server has a private key + self-signed certificate that it can safely transfer to clients using an authenticated/encrypted out-of-band protocol, so I don't have to use any CA, or trust the FQDN of the certificate. I would just add this single certificate to the trust store and be good to go.
But Kwik has no way to disable checking the FQDN of a connection URI without simultaneously disabling the trust store, so I'm stuck. I might be able to add a dummy SubjectAlternativeName= to the server's cert, give this same IP to the `.uri()` method of the builder and use a socket factory to create a socket with the correct IP address instead of the one in the URI, but that's really an ugly hack.