On Wed, Oct 9, 2019, 18:11 Gary Sheppard wrote:

> On Tue, Jun 12, 2018 at 12:13 Mark Thomas wrote:
> >> It would be very useful to be able to configure this, so if you are
> >> going to patch the code, please make this configurable by the client.
> >> See HttpsURLConnection.setHostnameVerifier
> >>
> >> I think it's appropriate to simply match that API unless there are any
> >> objections.
> >
> > I'll see what I can do. The major constraint is that all this has to be
> > set via Tomcat specific user properties as there is no API for in the
> > Java WebSocket API.
> I realize I'm very late to the conversation, but did this ever get into
> the Tomcat WebSocket client, i.e. the ability to set a custom
> HostnameVerifier? Or did anyone come up with a nice workaround?

Actually I may have stumbled on it just now:


"For secure server end points, host name verification is enabled by
default. To bypass this verification (not recommended), it is necessary to
provide a custom SSLContext via the
org.apache.tomcat.websocket.SSL_CONTEXT user
property. The custom SSLContext must be configured with a custom
TrustManager that extends javax.net.ssl.X509ExtendedTrustManager. The
desired verification (or lack of verification) can then be controlled by
appropriate implementations of the individual abstract methods."

I will try this tomorrow and see how it goes.



Reply via email to