On 15/04/16 09:57, Simone Bordet wrote:
> Hi,
>
> On Thu, Apr 14, 2016 at 7:02 PM, Alaric Snell-Pym
> <[email protected]> wrote:
>> Hi there!
>>
>> I'm writing some software that needs to connect to HTTPS servers. I'm
>> using Jetty HTTP client, and it works fine, except that I can't seem to
>> get it to validate the server's certificate.
>
> Use:
>
> SslContextFactory.setEndpointIdentificationAlgorithm("HTTPS");
>
> Test case that shows this is:
>
> https://github.com/eclipse/jetty.project/blob/jetty-9.3.8.v20160314/jetty-client/src/test/java/org/eclipse/jetty/client/HostnameVerificationTest.java
>
Ah-hah! Fantastic, thanks!

Hmmm... But that leads me to another problem.

For my application, I need to disallow connections to certain IP ranges. I need to do this check with the actual IP that Jetty is about to connect to; I can't just resolve the hostname and check all its IPs are valid, then pass the URL on to Jetty, because the hostname->IP mappings could be changed at that point by a sufficiently clever attacker.

My first attempt was to pass in my own HttpClientTransport to the HttpClient constructor. I subclassed the default HttpClientTransportOverHttp, overriding the connect(InetSocketAddress, Map<String,Object>) method with one that performed my IP address validation on the provided address, threw a SecurityException if it was bad, and otherwise delegated to super.connect(...). However, connect() never seemed to actually be called, so my IP address validation never happened.

What I ended up doing was, before passing the URL to the HTTP client, parsing it, extracting the hostname, resolving it, validating the IP, and then sticking that back into the URL as a string; and then explicitly setting a Host: header with the original name, so the resulting HTTP request came out just the same as if I'd had the hostname in the URL.

However, of course, it turns out that the HTTPS EndpointIdentificationAlgorithm looks at the URL rather than the Host: header, so it complains about every HTTPS request I make, on the grounds (quite rightly) that the certificate has no CN matching the IP address!

I think I have two options:

1) Find a place where I can intercept Jetty's InetSocketAddress before it connects to it, that actually works.

2) Try and write my own EndpointIdentificationAlgorithm that is identical to the HTTPS one, except that it looks at the hostname in the Host: header (or provided by me explicitly to it, as I'll only use it for that one request), rather than from the URL.

Could anybody please tell me if there's a better option, or give me some pointers towards the above?

Thank you :-)

ABS

--
Alaric Snell-Pym
http://www.snell-pym.org.uk/alaric/
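As an added example (not code from this thread or from Jetty), here is the IP-range check the message describes, written against the resolved InetSocketAddress that a connect(InetSocketAddress, Map) hook would receive. It refuses unresolved addresses outright, since those carry no IP to check, and folds IPv4 and IPv4-mapped IPv6 addresses into one comparison so a blocked range is recognised whichever literal form the address arrives in. The class name, the CIDR list and the sample addresses are assumptions.

```java
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.List;

/** Hypothetical checker: rejects socket addresses whose resolved IP lies in a blocked CIDR range. */
public final class BlockedRangeChecker {
    private final List<String> cidrs; // operator-supplied literals such as "10.0.0.0/8" or "fc00::/7"

    public BlockedRangeChecker(List<String> cidrs) { this.cidrs = cidrs; }

    /** Throws SecurityException if the target is unresolved or inside any blocked range. */
    public void validate(InetSocketAddress target) throws UnknownHostException {
        if (target.isUnresolved()) {
            throw new SecurityException("refusing unresolved address " + target);
        }
        InetAddress ip = target.getAddress(); // the address the socket would actually connect to
        for (String cidr : cidrs) {
            if (inRange(ip, cidr)) {
                throw new SecurityException(ip.getHostAddress() + " is in blocked range " + cidr);
            }
        }
    }

    /** Represent IPv4 as an IPv4-mapped IPv6 address (::ffff:a.b.c.d) so one comparison covers both. */
    static byte[] mapped(byte[] raw) {
        if (raw.length == 16) return raw;
        byte[] out = new byte[16];
        out[10] = (byte) 0xff; out[11] = (byte) 0xff;
        System.arraycopy(raw, 0, out, 12, 4);
        return out;
    }

    /** Prefix match on the mapped 128-bit form; an IPv4 prefix length shifts by 96 bits. */
    static boolean inRange(InetAddress ip, String cidr) throws UnknownHostException {
        String[] parts = cidr.split("/", 2);
        byte[] netRaw = InetAddress.getByName(parts[0]).getAddress(); // literal only, no DNS lookup
        int prefix = Integer.parseInt(parts[1]) + (netRaw.length == 4 ? 96 : 0);
        byte[] net = mapped(netRaw), addr = mapped(ip.getAddress());
        for (int bit = 0; bit < prefix; bit++) {
            if (((net[bit / 8] ^ addr[bit / 8]) & (0x80 >>> (bit % 8))) != 0) return false;
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        BlockedRangeChecker checker = new BlockedRangeChecker(Arrays.asList(
            "127.0.0.0/8", "10.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7"));
        checker.validate(new InetSocketAddress(InetAddress.getByName("198.51.100.7"), 443)); // constructed, allowed
        try {
            checker.validate(new InetSocketAddress(InetAddress.getByName("::ffff:10.1.2.3"), 443)); // constructed
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```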
_______________________________________________
jetty-users mailing list
[email protected]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit https://dev.eclipse.org/mailman/listinfo/jetty-users
