Add method to disable host verification for channels build with VertxChannelBuilder #38
Comments
|
@dsimansk for JDK11 trust all would you mind to provide a reproducer for vertx-core ? |
|
@vietj I've tried and failed to make it work in the unit test of vertx-core. Therefore I've used and example https and modified it to capture the behaviour eventually. Let me know if anything further details are needed or even a vertx-core issue. The differentiating factor seems to be usage of
For the sake of testing I've create mapping package io.vertx.example.core.http.https;
import io.vertx.core.AbstractVerticle;
import io.vertx.core.http.HttpClientOptions;
import io.vertx.core.http.HttpServer;
import io.vertx.core.http.HttpServerOptions;
import io.vertx.core.net.JksOptions;
import io.vertx.example.util.Runner;
public class Reproducer extends AbstractVerticle {
public static void main(String[] args) {
Runner.runExample(Reproducer.class);
}
@Override
public void start() throws Exception {
HttpServer server =
vertx.createHttpServer(new HttpServerOptions().setSsl(true).setKeyStoreOptions(
new JksOptions().setPath("server-keystore.jks").setPassword("wibble")
));
server.requestHandler(req -> {
req.response().putHeader("content-type", "text/html").end("<html><body><h1>Hello from vert.x!</h1></body></html>");
}).listen(4443);
vertx
.createHttpClient(new HttpClientOptions().setSsl(true).setTrustAll(true).setUseAlpn(true))
.getNow(4443, "vertx-localhost", "/", resp -> {
System.out.println("Got response with ALPN enabled " + resp.statusCode());
resp.bodyHandler(body -> System.out.println("Got data " + body.toString("ISO-8859-1")));
});
vertx
.createHttpClient(new HttpClientOptions().setSsl(true).setTrustAll(true).setUseAlpn(false))
.getNow(4443, "vertx-localhost", "/", resp -> {
System.out.println("Got response with ALPN disabled" + resp.statusCode());
resp.bodyHandler(body -> System.out.println("Got data " + body.toString("ISO-8859-1")));
});
}
}OracleJDK 8 output ➜ https git:(master) ✗ java -version
java version "1.8.0_201"
Java(TM) SE Runtime Environment (build 1.8.0_201-b09)
Java HotSpot(TM) 64-Bit Server VM (build 25.201-b09, mixed mode)
➜ https git:(master) ✗ vertx run Reproducer.java
SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
warning: Implicitly compiled files were not subject to annotation processing.
Use -proc:none to disable annotation processing or -implicit to specify a policy for implicit compilation.
Note: /Users/dsimansk/vert-x3/vertx-examples/core-examples/src/main/java/io/vertx/example/core/http/https/Reproducer.java uses or overrides a deprecated API.
Note: Recompile with -Xlint:deprecation for details.
Succeeded in deploying verticle
javax.net.ssl.SSLHandshakeException: Failed to create SSL connection
Got response with ALPN enabled 200
Got data <html><body><h1>Hello from vert.x!</h1></body></html>
^C%OpenJDK 11 ➜ https git:(master) ✗ java -version
openjdk version "11.0.2" 2019-01-15
OpenJDK Runtime Environment 18.9 (build 11.0.2+9)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.2+9, mixed mode)
➜ https git:(master) ✗ vertx run Reproducer.java
SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.codehaus.groovy.vmplugin.v7.Java7$1 (file:/usr/local/Cellar/vert.x/3.6.3/libexec/lib/groovy-2.5.4.jar) to constructor java.lang.invoke.MethodHandles$Lookup(java.lang.Class,int)
WARNING: Please consider reporting this to the maintainers of org.codehaus.groovy.vmplugin.v7.Java7$1
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
warning: Implicitly compiled files were not subject to annotation processing.
Use -proc:none to disable annotation processing or -implicit to specify a policy for implicit compilation.
Note: /Users/dsimansk/vert-x3/vertx-examples/core-examples/src/main/java/io/vertx/example/core/http/https/Reproducer.java uses or overrides a deprecated API.
Note: Recompile with -Xlint:deprecation for details.
Succeeded in deploying verticle
javax.net.ssl.SSLHandshakeException: Failed to create SSL connection
javax.net.ssl.SSLHandshakeException: Failed to create SSL connection |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi,
I'd like to prose the following enhancement to
VertxChannelBuilder.When creating new channel the
HttpClientOptionsaren't exposed or editabled and takeover the defaults. I'd like to add either convenient method to disable hostname verification or exposeHttpClientOptionsobject to pass the parameter.It seems that since JDK 11 the hostname verification procedure has changed. Even for cases when
trustAll(true)is used, the hostname verification is still applied and invalid hostnames e.g.localhostcertificates may fail when accessed from outside. The same use case works fine on JDK 8 with dummy localhost certificatesCc @spisiakm
The text was updated successfully, but these errors were encountered: