英文:
What is the equivalent of .setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE) in Netty world?
问题
关于Netty和io.netty.handler.ssl.SslContext的一个小问题
在Tomcat和org.apache.http.ssl.SSLContexts中,我们有可能执行以下操作:
HttpClient httpClient = HttpClients.custom()
.setSSLContext(SSLContexts.custom()
.loadKeyMaterial(*一些正确初始化的密钥库属性*)
.loadTrustMaterial(*一些正确初始化的信任库属性*)
.build())
**.setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE)**
.build();
(如果可以的话,希望保留字体,不要将其包装在代码块中)
这可以修复诸如“Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching xxx found”之类的问题
(这个问题不是关于是否NoopHostnameVerifier.INSTANCE是修复此问题的适当方法。)
我的问题是,在Netty中,如何相当于.setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE),不使用.trustManager(InsecureTrustManagerFactory.INSTANCE),因为我有一个真实的信任库,我只想跳过主机名,而不是跳过所有内容
也许可以使用reactor.netty.http.client.HttpClient; HttpClient.create()来实现一些功能吗?
英文:
A small question regarding Netty and io.netty.handler.ssl.SslContext
In Tomcat and org.apache.http.ssl.SSLContexts, we have the possibility to perform the following:
HttpClient httpClient = HttpClients.custom()
.setSSLContext(SSLContexts.custom()
.loadKeyMaterial(someKeystorePropertlyInitialized)
.loadTrustMaterial(someTruststorePropertlyInitialized)
.build())
.setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE)
.build();
(Appreciate if we can leave the fonts and not wrap inside a code block)
This can for instance fix issues such as Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching xxx found
(This question is not about if NoopHostnameVerifier.INSTANCE is the proper way to fix this.)
My question is, what is the equivalent in Netty of .setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE), without .trustManager(InsecureTrustManagerFactory.INSTANCE), because I have a real trust store, I just want to skip the host name, not everything
Maybe something with reactor.netty.http.client.HttpClient; HttpClient.create() ?
答案1
得分: 0
实际上,默认情况下,Netty在主机名验证方面是关闭的 -- 参见此问题。看起来你正在使用的库(reactor-netty)可能已经开启了它。在reactor-netty的GitHub上有一个类似的问题,指向了解决方案,但是提供的代码片段似乎做了比必要的更多事情。基本上,你只需要从SslHandler中获取SSLEngine,并确保端点识别算法为空/为null:
HttpClient.create().secure(
ssl -> ssl.sslContext(sslContext)
.handlerConfigurator(handler -> {
SSLEngine engine = handler.engine();
SSLParameters params = new SSLParameters();
// ... 设置其他 SSL 参数
params.setEndpointIdentificationAlgorithm(null);
})
);
英文:
Actually, Netty has hostname verification turned off by default -- see this issue. It looks like the library you're using (reactor-netty) might have it turned on. There appears to be a similar issue on reactor-netty's github which points to the solution, but the code snippet provided seems to do more than what's necessary. Essentially, all you need is to access the SSLEngine from the SslHandler and make sure the endpoint identification algorithm is empty/null:
HttpClient.create().secure(
ssl -> ssl.sslContext(sslContext)
.handlerConfigurator(handler-> {
SSLEngine engine = handler.engine();
SSLParameters params = new SSLParameters();
// ... set other SSL params
params.setEndpointIdentificationAlgorithm(null);
})
);
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论