Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Disabling SSL checks doesn't work #94

Open
adatta02 opened this issue May 9, 2019 · 2 comments
Open

Disabling SSL checks doesn't work #94

adatta02 opened this issue May 9, 2019 · 2 comments

Comments

@adatta02
Copy link

adatta02 commented May 9, 2019
edited
Loading

There's a bunch of StackOverflow answers and Kong/unirest-java#197 pointing out how to disable SSL certificate and hostname checks using something like:

HttpClients.custom()
                    .setSSLContext(new SSLContextBuilder().loadTrustMaterial(null, (x509Certificates, s) -> true).build())
                    .setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE)
                    .build();

But it looks like that won't work for this library as implemented because at least the sync RestClient uses a connection manager and because of that the calls to setSSLContext have no effect.

It looks like what needs to change is at https://github.com/josueeduardo/rest-client/blob/master/src/main/java/io/joshworks/restclient/http/ClientBuilder.java#L55 if a custom sslContext is present the connection manager needs to be configured to use it.

Ex. I created a custom build with the following to just always disable SSL checks (long story)

final SSLContext sslContext = new SSLContextBuilder()
                                .loadTrustMaterial(null, (x509CertChain, authType) -> true)                                
                                .build();

SSLConnectionSocketFactory sslConnectionSocketFactory =
        new SSLConnectionSocketFactory(sslContext, new String[]
                {"SSLv2Hello", "SSLv3", "TLSv1","TLSv1.1", "TLSv1.2" }, null,
                NoopHostnameVerifier.INSTANCE);
PoolingHttpClientConnectionManager connectionManager = new PoolingHttpClientConnectionManager(RegistryBuilder.
        <ConnectionSocketFactory>create()
        .register("http",PlainConnectionSocketFactory.getSocketFactory())
        .register("https", sslConnectionSocketFactory).build());

So it seems like you'd definitely need a custom SSLConnectionSocketFactory if a sslContext has been set. And maybe also make it possible to disable host name verification on the configuration object?

Happy to provide a PR if you agree.
@joshgontijo
Copy link
Owner

Hi, thanks for raising the issue.
Happy to approve PR if you got time to do so. Creating a method in the configuration class to disable seems a good choice.

@adatta02
Copy link
Author

Cool should be able to get you something by end of next week.

So we're on the same page:

  • We'll want to use a custom SSLConnectionSocketFactory and PoolingHttpClientConnectionManager if sslContext has been modified
  • Support changing the host name verification strategy
  • Any desire to customize the SSl/TLS ciphers?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@adatta02 @joshgontijo