Custom hostname verifier for HTTP client

Sanjay Prasad sanjay.prasad at kalkitech.com
Wed Jun 28 10:47:54 UTC 2023


Hi all,

There is a bug filed on this with some references to mails and
Stack Overflow questions here
(https://bugs.openjdk.org/browse/JDK-8213309), but nothing has been done
on it yet. It looks more like the feature is treated as a testing
requirement rather than a real requirement.

In cases where a server presents a non-DNS-based certificate, a
custom hostname verifier is needed. This may be used for destination
device validation based on the serial number embedded in the presented
certificate or using LFDIs in the IEEE2030.5 case. As the
device-license-based validation is proprietary, I will point to the
IEEE2030.5 public spec overview for "device certificate" with the LFDI
use case.

The IEEE2030.5 spec overview can be found here
(http://sunspec.org/wp-content/uploads/2017/08/IEEE2030.5SecurityOverview-Gordon07-24-2018.pdf).
The server as well as the client devices present their device certificates
during the TLS handshake, and the certificate LFDI (derived from the SHA-256
hash of the certificate) is used to validate each other. The hostname
validation mechanism of the HTTPS URL connection can be overridden to do
this validation. Please note, on page 16 of the above document, the
device certificate's "subject" is blank.

With the new virtual threads in Java, URL connection seems to
cause the real thread to get pinned, and use of the new HTTP client is
necessary to allow maximum concurrency. This implementation cannot set
the hostname verifier and so cannot validate the server LFDI.

Please add a hostname verifier, as using
jdk.internal.httpclient.disableHostnameVerification to avoid validation
is not an option and default hostname validation does not work for
IEEE2030.5.


-Regards

-SP
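The LFDI check described in the mail, written out as an added example for the legacy HttpsURLConnection path (not code from the mail or the JDK). It assumes the LFDI is the left-most 160 bits of the SHA-256 over the DER-encoded certificate, and the class name, the placeholder LFDI and the URL are hypothetical. Note that a HostnameVerifier only runs after the trust manager has already accepted the chain, so this check is in addition to, not instead of, chain validation.

```java
import java.net.URL;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HexFormat;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;

/** Accepts the peer only if the LFDI of its leaf certificate matches the expected one. */
public final class LfdiHostnameVerifier implements HostnameVerifier {
    private static final int LFDI_BYTES = 20; // 160 bits; assumed per IEEE 2030.5

    private final byte[] expectedLfdi;

    public LfdiHostnameVerifier(String expectedLfdiHex) {
        this.expectedLfdi = HexFormat.of().parseHex(expectedLfdiHex.replace("-", ""));
        if (expectedLfdi.length != LFDI_BYTES) {
            throw new IllegalArgumentException("LFDI must be 160 bits (40 hex digits)");
        }
    }

    /** LFDI = left-most 160 bits of SHA-256 over the DER certificate (assumption). */
    static byte[] lfdiOf(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        return Arrays.copyOf(digest, LFDI_BYTES);
    }

    @Override
    public boolean verify(String hostname, SSLSession session) {
        // The hostname argument is deliberately ignored: device certs carry no DNS name
        // (the subject is blank), so identity is the certificate fingerprint itself.
        try {
            Certificate[] chain = session.getPeerCertificates(); // throws if peer is unauthenticated
            if (chain.length == 0 || !(chain[0] instanceof X509Certificate leaf)) return false;
            // Constant-time comparison so a mismatch leaks nothing through timing.
            return MessageDigest.isEqual(lfdiOf(leaf), expectedLfdi);
        } catch (Exception e) {
            return false; // any failure to read or hash the peer certificate is a rejection
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder LFDI and URL (constructed); real values come from device commissioning.
        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://192.0.2.10/dcap").openConnection();
        conn.setHostnameVerifier(new LfdiHostnameVerifier("0000000000000000000000000000000000000000"));
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

The same verifier cannot be attached to java.net.http.HttpClient, which is exactly the gap the mail asks to close.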
