AsyncHttpClient/async-http-client

Why do we use one disableHttpsEndpointIdentificationAlgorithm option to affect the behavior of SNI and hostname verification?

seaswalker opened this issue · 3 comments

In real-life scenarios, we need to configure one of the options individually, rather than having to turn them on or off simultaneously. Thanks.

kertzi commented

Hello,
I think I have a related case, so I'm commenting on this issue.
My case is that I'm migrating from the old 1.8.16 to 2.12.3, and in our old code we skipped hostname verification because it doesn't matter in our case but instead creates problems, so we have (snip from old impl):

        this.asyncHttpClient = new AsyncHttpClient(
            new AsyncHttpClientConfig.Builder()
                .setSSLContext(sslContext)
                .setHostnameVerifier(new HostnameVerifier() {
                    override verify(String hostname, SSLSession session) { log.debug("override hostname verification"); true }
                })
                .build()
        );

How can I disable hostname verification in the new version?

Thank you

// Imports required by the enclosing source file:
import javax.net.ssl.SSLEngine;

import org.asynchttpclient.AsyncHttpClientConfig;
import org.asynchttpclient.netty.ssl.DefaultSslEngineFactory;

/**
 * Skip {@link javax.net.ssl.HostnameVerifier}.
 *
 * @see <a href="https://netty.io/4.1/api/io/netty/handler/ssl/SslContext.html">newHandler</a>
 * @see <a href="https://github.com/AsyncHttpClient/async-http-client/issues/1611">How to disable hostname verification in AsyncHttpClient</a>
 */
private static class SkipHostnameVerificationSslEngineFactory extends DefaultSslEngineFactory {

	@Override
	protected void configureSslEngine(SSLEngine sslEngine, AsyncHttpClientConfig config) {
		// Only put the engine in client mode. The base implementation in
		// SslEngineFactoryBase additionally sets the "HTTPS" endpoint
		// identification algorithm on the engine unless
		// disableHttpsEndpointIdentificationAlgorithm is set. Not calling
		// super therefore skips hostname verification for every peer, while
		// SNI is unaffected because the engine is still created with the
		// peer host by DefaultSslEngineFactory.newSslEngine.
		sslEngine.setUseClientMode(true);
	}

}

and then:

DefaultAsyncHttpClientConfig.Builder cfgBuilder = new DefaultAsyncHttpClientConfig.Builder();
cfgBuilder.setSslEngineFactory(new SkipHostnameVerificationSslEngineFactory());

You can refer to org.asynchttpclient.netty.ssl.SslEngineFactoryBase#configureSslEngine and Netty's doc: https://netty.io/4.1/api/io/netty/handler/ssl/SslContext.html to find out why the above code works.
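As an added illustration (not code from this thread or from the async-http-client project), the same override can scope the bypass to an explicit allowlist instead of turning hostname verification off for every peer, which is the narrower fix for kertzi's "it doesn't matter in our case" host. It assumes AHC 2.12.x with disableHttpsEndpointIdentificationAlgorithm left at its default (false), so the engine is still created with the peer host and SNI stays on; the class name, the configBuilder() helper and the host name "legacy-internal.example" are constructed for this example.

```java
import java.util.Collections;
import java.util.Locale;
import java.util.Set;

import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

import org.asynchttpclient.AsyncHttpClientConfig;
import org.asynchttpclient.DefaultAsyncHttpClientConfig;
import org.asynchttpclient.netty.ssl.DefaultSslEngineFactory;

/**
 * Like the factory above, but scoped: "HTTPS" endpoint identification (hostname
 * verification) stays on for every peer except the ones in an explicit allowlist.
 * SNI is untouched: with the option at its default, DefaultSslEngineFactory.newSslEngine
 * still creates the engine with the peer host, which is what getPeerHost() returns here.
 */
public class ScopedHostnameVerificationSslEngineFactory extends DefaultSslEngineFactory {
    private final Set<String> hostsWithoutVerification; // lower-case host names

    public ScopedHostnameVerificationSslEngineFactory(Set<String> hostsWithoutVerification) {
        this.hostsWithoutVerification = hostsWithoutVerification;
    }

    @Override
    protected void configureSslEngine(SSLEngine sslEngine, AsyncHttpClientConfig config) {
        String peerHost = sslEngine.getPeerHost();
        if (peerHost == null) {
            // No peer host on the engine (e.g. disableHttpsEndpointIdentificationAlgorithm
            // is true): fall back to the library's own handling of that option.
            super.configureSslEngine(sslEngine, config);
            return;
        }
        sslEngine.setUseClientMode(true);
        if (hostsWithoutVerification.contains(peerHost.toLowerCase(Locale.ROOT))) {
            return; // allowlisted legacy peer: same effect as the factory above, for this host only
        }
        SSLParameters params = sslEngine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS"); // enforce hostname verification
        sslEngine.setSSLParameters(params);
    }

    // Usage; "legacy-internal.example" is a constructed sample host name.
    public static DefaultAsyncHttpClientConfig.Builder configBuilder() {
        return new DefaultAsyncHttpClientConfig.Builder()
                .setSslEngineFactory(new ScopedHostnameVerificationSslEngineFactory(
                        Collections.singleton("legacy-internal.example")));
    }
}
```

Every other host keeps the JDK's certificate hostname check, so a wrong or spoofed certificate still fails the handshake there; only the named legacy peer is exempt.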

kertzi commented
Thank you!