From what I can tell, there is no 'flag' or config setting I can use to enable SSL hostname verification in Netty. Examples I've seen add custom implementations using the ChannelFuture returned by SslHandler.handshake():

import org.jboss.netty.channel.ChannelFuture;
import org.jboss.netty.channel.ChannelFutureListener;
import org.jboss.netty.handler.ssl.SslHandler;

// Netty 3.x: SslHandler.handshake() returns a future that completes when the TLS handshake is done
ChannelFuture handshakeFuture = sslHandler.handshake();
handshakeFuture.addListener(new ChannelFutureListener()
{
    public void operationComplete(ChannelFuture future) throws Exception
    {
        if (future.isSuccess())
        {
            // get peer certs, verify CN (or SAN extension, or..?) against requested domain
            // ...
        }
    }
});

I just want to make sure I'm on the right track here, and that I'm not missing a way to simply "enable" hostname verification.

Hawkeye Parker

1 Answer

If you're using Java 7, you can do this by configuring the SSLSocket or SSLEngine to do it for you via the default trust manager. (This is independent of Netty.)

Something like this should work:

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

SSLContext sslContext = SSLContext.getDefault();
// for a client, supply the peer host and port here (createSSLEngine(host, port)) and call
// setUseClientMode(true), otherwise the identification check has no name to compare against
SSLEngine sslEngine = sslContext.createSSLEngine();

SSLParameters sslParams = new SSLParameters();
// "HTTPS" makes the default trust manager check the certificate against the peer host name
sslParams.setEndpointIdentificationAlgorithm("HTTPS");
sslEngine.setSSLParameters(sslParams);

The SSLEngine instance can be passed as an argument to the SslHandler constructor, as described in this example.

The endpoint identification algorithm can be either HTTPS or LDAP. For other protocols, the HTTPS rules should be fairly sensible.

(You can of course check that it works by connecting to that host using a wrong host name, for example using a URL with the IP address instead of the host name, assuming that the certificate doesn't contain a Subject Alternative Name IP address entry for it.)

Bruno
  • thanks so much for the quick answer. Totally makes sense. And, in general, thanks for all of your fantastic posts here and elsewhere. Your name pops up everywhere regarding SSL...I've been relying heavily on your knowledge and help. Thank you!! – Hawkeye Parker Nov 09 '12 at 21:30
  • These algorithm names are documented here: http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#jssenames – Hawkeye Parker Nov 09 '12 at 23:12
  • @bruno can you go to chat please? http://chat.stackoverflow.com/rooms/19372/room-for-royi-namir-and-bruno – Royi Namir Nov 10 '12 at 15:01
  • So far, I can't get this to work. When I enable the HTTPS endpoint identification algorithm, the request just times out (whether the peer cert has the correct hostname or not). I'll add more here when I know more. – Hawkeye Parker Nov 10 '12 at 22:16
  • I must admit I haven't tried with Netty. It would be interesting to know if you see something different with [`-Djavax.net.debug=all`](http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/ReadDebug.html) – Bruno Nov 10 '12 at 22:43
  • One important note: when creating the SSLEngine, you need to pass in the host and port of the target server: createSSLEngine(targetHost, targetPort). Otherwise you'll run into the issue documented here: http://stackoverflow.com/questions/13390964/java-ssl-fatal-error-80-unwrapping-net-record-after-adding-the-https-en – Hawkeye Parker Nov 15 '12 at 07:39
  • @HawkeyeParker Do you have working implementation of SSL Engine? – Peter Penzov Oct 07 '15 at 10:37
  • @PeterPenzov Sorry, I do not anymore. Haven't worked on it for a _long_ time, so I don't think I'd be any help :( – Hawkeye Parker Oct 09 '15 at 21:49
  • @Bruno, could you please let me know by whom or how [this class](http://docs.jboss.org/netty/3.2/xref/org/jboss/netty/example/securechat/SecureChatClientPipelineFactory.html) will be instantiated? I created such a class, but I'm not sure how to inject this or where to inject it. Thanks – SurMan Jul 25 '17 at 07:16
  • Does the Netty hostname verifier use both targetHost and targetPort to do the verification, or does it just use the targetHost parameter which is passed while creating the engine as below: createSSLEngine(targetHost, targetPort)? Can someone also help me to point to where the actual verification is being done? – Sorabh Jun 07 '19 at 01:23
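Putting the answer and the host/port comment together, here is an added example (not code from the answer, the question, or the Netty project) of a Netty 3.x ChannelPipelineFactory that builds a client SSLEngine with the peer host and port and the HTTPS endpoint identification algorithm enabled, so the default trust manager rejects a certificate that does not match the requested host name; the class name and constructor are assumptions made for this example:

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import org.jboss.netty.channel.ChannelPipeline;
import org.jboss.netml.channel.ChannelPipelineFactory;
import org.jboss.netty.channel.Channels;
import org.jboss.netty.handler.ssl.SslHandler;

// Hypothetical factory: every new connection gets its own SSLEngine that
// verifies the server certificate against 'host' using the JSSE "HTTPS" rules.
public final class VerifyingSslPipelineFactory implements ChannelPipelineFactory {
    private final SSLContext sslContext;
    private final String host;
    private final int port;

    public VerifyingSslPipelineFactory(SSLContext sslContext, String host, int port) {
        this.sslContext = sslContext;
        this.host = host;
        this.port = port;
    }

    static SSLEngine newClientEngine(SSLContext ctx, String host, int port) {
        // The peer host and port must be given here: the endpoint identification
        // check compares the certificate's SAN/CN against this host name, and
        // without it the handshake fails (see the comment thread above).
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);
        // Start from the engine's current parameters so the protocol and cipher
        // suite selection is preserved; only the identification algorithm is added.
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return engine;
    }

    public ChannelPipeline getPipeline() throws Exception {
        ChannelPipeline pipeline = Channels.pipeline();
        // SslHandler drives the handshake; a mismatched host name now fails it
        // instead of being silently accepted.
        pipeline.addFirst("ssl", new SslHandler(newClientEngine(sslContext, host, port)));
        // Application handlers (codecs, business logic) are added after "ssl".
        return pipeline;
    }
}
```

Construct it as `new VerifyingSslPipelineFactory(SSLContext.getDefault(), "example.com", 443)` and hand it to the client bootstrap; connecting to the same server by IP address (with no matching IP SAN in its certificate) should then fail the handshake, which is the quick check the answer describes.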