Re: Tomcat Secure WebSockets clients - hostname verification

Tue, 12 Jun 2018 09:13:58 -0700 

On 12/06/2018 16:12, Christopher Schultz wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Mark,

On 6/11/18 10:31 AM, Mark Thomas wrote:

On 11/06/18 11:47, Weiner Harald wrote:

<snip/>


What are your thoughts?


I'm leaning towards adding:

SSLParameters sslParams = new SSLParameters();
sslParams.setEndpointIdentificationAlgorithm("HTTPS");
sslSocket.setSSLParameters(sslParams);

unconditionally to WsWebSocketContainer.createSSLEngine()

I've been trying to think of a use case where you'd want to use
TLS without wanting to verify the host name and I can't think of
one.


Testing.
I'd argue that for testing to be meaningful you need to be using a real cert and an appropriate trust store. 


It would be very useful to be able to configure this, so if you are
going to patch the code, please make this configurable by the client. >
See HttpsURLConnection.setHostnameVerifier

I think it's appropriate to simply match that API unless there are any
objections.
I'll see what I can do. The major constraint is that all this has to be set via Tomcat specific user properties as there is no API for in the Java WebSocket API. 

Mark




- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlsf1OMACgkQHPApP6U8
pFibhw/+ODRL4BZfk9fTWxLFSEyKEJQORJgfVveHaqzsW34BzRVEx7nVGBL+T8t1
m0E+mhQY+m+YyTKsWpAzNEd/752UMFV6jHhn8Nle6I+puLpZ8tEKj4MSd2JDDC2Y
Te4mD4QwMgkdNIU8aacXqj1hJanyB4vvfSd+PpFiW/o0kWKHirpSdra87XvLqbMM
A75lKzFdyqZWJ9JBqSoQID3vLQMyBzZ+MI8XWacuT69hMWioMpiAc2iSVw73TUXO
kt9jFlP6K17QzJ3j2kmdm1TAQDupFNNs2W5M15Eo7ahj3xa137s+lZgTjI7b8rhS
dekDyD++7biKJSCnyd8XIQ+FM6UjEwCIzGtdRRNvjw+ufk9S7IDnJhD7DAeGqNOc
bq4ezaG8iFRI7h3lkJx+AeF23KaW36VEK8bbNK5phjyIfZ0crF43Xv8nTOyf1S0E
Pqj38sr9baa0JcRnYvGLS9ZDtYpDFQaQuti7p8IJs/DJ6yr+d7KvO/ZBawU6K8e0
EttmjavdB0RfooI61LBj0bazHANvhISY5xzmJIqDIYAtwlYf1Ww9X0CrpWmrPd1y
RE/M2RpXj6lcVCPqXzqSXVE/DfJXlmj5iqB4lGJBS0TrcWFvKHH5kp0reUlZNtRG
l+FshDzZylsz5tqN3DtyNjQoQN9rW181O7+j2f5exa9IS9fUgek=
=GeP9
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to