Netty SSL hostname verification support

谁都会走 submitted on 2019-12-02 05:53:20

If you're using Java 7, you can do this by configuring the SSLSocket or SSLEngine to do it for you via the default trust manager. (This is independent of Netty.)

Something like this should work:

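// host and port are placeholders for the server this client connects to
SSLContext sslContext = SSLContext.getDefault();
// Pass the peer host so the trust manager has a name to compare with the certificate
SSLEngine sslEngine = sslContext.createSSLEngine(host, port);
sslEngine.setUseClientMode(true);

// Start from the engine's current parameters, then enable HTTPS-style host name checks
SSLParameters sslParams = sslEngine.getSSLParameters();
sslParams.setEndpointIdentificationAlgorithm("HTTPS");
sslEngine.setSSLParameters(sslParams);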

The SSLEngine instance can be passed as an argument to the SslHandler constructor, as described in this example.

The endpoint identification algorithm can be either HTTPS or LDAP. For other protocols, the HTTPS rules should be fairly sensible.

(You can of course check that it works by connecting to that host using a wrong host name, for example using a URL with the IP address instead of the host name, assuming that the certificate doesn't contain a Subject Alternative Name IP address entry for it.)
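The same setting wired into a Netty client pipeline, as an added example that is not part of the original answer. It assumes the Netty 4.1 API and Java 8; the class name VerifyingTlsInitializer is hypothetical.

```java
import io.netty.channel.ChannelInitializer;
import io.netty.channel.socket.SocketChannel;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslHandler;

import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;

// Added example (hypothetical class name), assuming the Netty 4.1 API and Java 8.
public final class VerifyingTlsInitializer extends ChannelInitializer<SocketChannel> {
    private final SslContext sslCtx;
    private final String host; // the name the caller intends to reach
    private final int port;

    public VerifyingTlsInitializer(String host, int port) throws SSLException {
        // Client context that trusts the system default certificate authorities.
        this.sslCtx = SslContextBuilder.forClient().build();
        this.host = host;
        this.port = port;
    }

    @Override
    protected void initChannel(SocketChannel ch) {
        // Passing host and port gives the engine a peer name to verify.
        SslHandler handler = sslCtx.newHandler(ch.alloc(), host, port);
        SSLEngine engine = handler.engine();

        // Keep the engine's protocols and cipher suites; only add the identity check.
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);

        // A certificate that does not match `host` fails the handshake future.
        handler.handshakeFuture().addListener(f -> {
            if (!f.isSuccess()) {
                System.err.println("TLS handshake with " + host + " rejected: " + f.cause());
                ch.close();
            }
        });
        ch.pipeline().addFirst("ssl", handler);
    }
}
```

Pass the host name the application intended to reach, not a value taken from the resolved socket address, so the check compares the certificate against that intended name.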
