Re: Tomcat Secure WebSockets clients - hostname verification

Re: Tomcat Secure WebSockets clients - hostname verification

garysheppardjr
On Tue, Jun 12, 2018 at 12:13 Mark Thomas wrote:

>> It would be very useful to be able to configure this, so if you are
>> going to patch the code, please make this configurable by the client.
>> See HttpsURLConnection.setHostnameVerifier
>>
>> I think it's appropriate to simply match that API unless there are any
>> objections.
>
> I'll see what I can do. The major constraint is that all this has to be
> set via Tomcat specific user properties as there is no API for this in the
> Java WebSocket API.

I realize I'm very late to the conversation, but did this ever get into the
Tomcat WebSocket client, i.e. the ability to set a custom HostnameVerifier?
Or did anyone come up with a nice workaround?

Thanks,
Gary
Re: Tomcat Secure WebSockets clients - hostname verification

garysheppardjr
On Wed, Oct 9, 2019, 18:11 Gary Sheppard wrote:

> On Tue, Jun 12, 2018 at 12:13 Mark Thomas wrote:
>
> >> It would be very useful to be able to configure this, so if you are
> >> going to patch the code, please make this configurable by the client.
> >> See HttpsURLConnection.setHostnameVerifier
> >>
> >> I think it's appropriate to simply match that API unless there are any
> >> objections.
> >
> > I'll see what I can do. The major constraint is that all this has to be
> > set via Tomcat specific user properties as there is no API for this in the
> > Java WebSocket API.
>
> I realize I'm very late to the conversation, but did this ever get into
> the Tomcat WebSocket client, i.e. the ability to set a custom
> HostnameVerifier? Or did anyone come up with a nice workaround?
>

Actually I may have stumbled on it just now:

https://tomcat.apache.org/tomcat-9.0-doc/web-socket-howto.html

"For secure server end points, host name verification is enabled by
default. To bypass this verification (not recommended), it is necessary to
provide a custom SSLContext via the
org.apache.tomcat.websocket.SSL_CONTEXT user
property. The custom SSLContext must be configured with a custom
TrustManager that extends javax.net.ssl.X509ExtendedTrustManager. The
desired verification (or lack of verification) can then be controlled by
appropriate implementations of the individual abstract methods."

I will try this tomorrow and see how it goes.

—Gary

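The mechanism the how-to describes, worked through as an added example (not code from the thread and not Tomcat's own): a client that answers the original question, a custom host name rule, without taking the "bypass" route the documentation warns against. The chain is still validated by the JVM's platform trust manager; only the host name check is replaced, so the certificate must name an explicitly expected host (useful when the wss:// URI carries an IP address or a tunnel endpoint) instead of the URI host. The property key is the one quoted from the how-to; the class name, the `expectedHost` parameter and the `ExpectedHostTrustManager` class are my own. It assumes Tomcat 9's `javax.websocket` packages (Tomcat 10 and later use `jakarta.websocket`) and the Tomcat WebSocket client on the classpath.

```java
import java.net.Socket;
import java.net.URI;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;
import javax.websocket.ClientEndpointConfig;
import javax.websocket.ContainerProvider;
import javax.websocket.Endpoint;
import javax.websocket.EndpointConfig;
import javax.websocket.Session;
import javax.websocket.WebSocketContainer;

/** Example only (not Tomcat code): Tomcat WebSocket client with a custom host name rule. */
public final class WsClientWithHostnameRule {

    /** User property name quoted from the Tomcat WebSocket how-to. */
    static final String SSL_CONTEXT_PROPERTY = "org.apache.tomcat.websocket.SSL_CONTEXT";

    /**
     * Validates the chain with the platform trust manager, then checks the leaf
     * certificate against an expected host name of our choosing. It must extend
     * X509ExtendedTrustManager: JSSE wraps a plain X509TrustManager and applies its
     * own endpoint identification, which Tomcat enables on the SSLEngine by default.
     */
    static final class ExpectedHostTrustManager extends X509ExtendedTrustManager {
        private final X509ExtendedTrustManager delegate;
        private final String expectedHost; // null: fall back to the host Tomcat gave the engine

        ExpectedHostTrustManager(X509ExtendedTrustManager delegate, String expectedHost) {
            this.delegate = delegate;
            this.expectedHost = expectedHost;
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
                throws CertificateException {
            // Two-argument overload: PKIX path validation only, no endpoint identification.
            delegate.checkServerTrusted(chain, authType);
            String host = expectedHost != null ? expectedHost : engine.getPeerHost();
            if (host == null || !certMatchesHost(chain[0], host)) {
                throw new CertificateException("server certificate does not name host " + host);
            }
        }

        // Paths the Tomcat client does not use keep the platform behaviour unchanged.
        @Override public void checkServerTrusted(X509Certificate[] c, String a, Socket s)
                throws CertificateException { delegate.checkServerTrusted(c, a, s); }
        @Override public void checkServerTrusted(X509Certificate[] c, String a)
                throws CertificateException { delegate.checkServerTrusted(c, a); }
        @Override public void checkClientTrusted(X509Certificate[] c, String a, SSLEngine e)
                throws CertificateException { delegate.checkClientTrusted(c, a, e); }
        @Override public void checkClientTrusted(X509Certificate[] c, String a, Socket s)
                throws CertificateException { delegate.checkClientTrusted(c, a, s); }
        @Override public void checkClientTrusted(X509Certificate[] c, String a)
                throws CertificateException { delegate.checkClientTrusted(c, a); }
        @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    /** dNSName SAN match, exact or one-label wildcard; no CN fallback (RFC 6125 style). */
    static boolean certMatchesHost(X509Certificate cert, String host) throws CertificateException {
        String want = host.toLowerCase(Locale.ROOT);
        if (cert.getSubjectAlternativeNames() == null) return false;
        for (List<?> san : cert.getSubjectAlternativeNames()) {
            if (!Integer.valueOf(2).equals(san.get(0))) continue; // 2 = dNSName
            String name = ((String) san.get(1)).toLowerCase(Locale.ROOT);
            if (name.equals(want)) return true;
            if (name.startsWith("*.")) {
                String suffix = name.substring(1); // ".example.com"
                if (want.endsWith(suffix) && want.indexOf('.') == want.length() - suffix.length()) return true;
            }
        }
        return false;
    }

    public static Session connect(URI wssUri, String expectedHost, Endpoint endpoint) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // platform trust store (cacerts or javax.net.ssl.trustStore)
        X509ExtendedTrustManager platform = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509ExtendedTrustManager) { platform = (X509ExtendedTrustManager) tm; break; }
        }
        if (platform == null) throw new IllegalStateException("no X509ExtendedTrustManager available");

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new ExpectedHostTrustManager(platform, expectedHost) }, null);

        ClientEndpointConfig cfg = ClientEndpointConfig.Builder.create().build();
        cfg.getUserProperties().put(SSL_CONTEXT_PROPERTY, ctx); // hands the context to Tomcat's client
        WebSocketContainer container = ContainerProvider.getWebSocketContainer();
        return container.connectToServer(endpoint, cfg, wssUri);
    }

    public static void main(String[] args) throws Exception {
        // Usage: java WsClientWithHostnameRule wss://10.0.0.5:8443/ws ws.example.com
        String expected = args.length > 1 ? args[1] : null;
        Session session = connect(URI.create(args[0]), expected, new Endpoint() {
            @Override public void onOpen(Session s, EndpointConfig c) {
                System.out.println("connected: " + s.getRequestURI());
            }
        });
        session.close();
    }
}
```

Two points worth keeping in mind. First, the how-to's requirement that the trust manager extend `X509ExtendedTrustManager` is what makes any custom rule take effect at all: a plain `X509TrustManager` is wrapped by JSSE, and the wrapper performs the "HTTPS" endpoint identification regardless of what your `checkServerTrusted` does. Second, the "bypass" the documentation calls not recommended is simply a `checkServerTrusted` that returns without validating; a client built that way will accept any certificate an on-path attacker presents, so if the URI host cannot match the certificate, pin an expected name as above rather than disabling the check.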