mirror of
https://codeberg.org/Mercury-IM/Smack
synced 2024-11-25 15:52:06 +01:00
TLSUtils.disableHostnameVerificationForTlsCertificates()
(yeah, I know) Sometimes "a friend" has setup an XMPP service which uses a self-signed cert. While we can get a decent amount of security by using techniques like e.g. the MemorizingTrustManager, there's still a pitfall. If the service's TLS certificates contains no or the wrong service/hostname information, Smack will throw an CertificateException. Therefore provide an API call to disable hostname verification.
This commit is contained in:
parent
c36ffd18c2
commit
9ec7d628c8
1 changed files with 32 additions and 4 deletions
|
@ -25,7 +25,9 @@ import java.util.Arrays;
|
|||
import java.util.HashSet;
|
||||
import java.util.Set;
|
||||
|
||||
import javax.net.ssl.HostnameVerifier;
|
||||
import javax.net.ssl.SSLContext;
|
||||
import javax.net.ssl.SSLSession;
|
||||
import javax.net.ssl.SSLSocket;
|
||||
import javax.net.ssl.TrustManager;
|
||||
import javax.net.ssl.X509TrustManager;
|
||||
|
@ -78,15 +80,17 @@ public class TLSUtils {
|
|||
}
|
||||
|
||||
/**
|
||||
* Accept all SSL/TLS certificates.
|
||||
* Accept all TLS certificates.
|
||||
* <p>
|
||||
* <b>Warning</b> Use with care. This method make the Connection use
|
||||
* {@link AcceptAllTrustManager}. Only use this method if you understand the implications.
|
||||
* <b>Warning:</b> Use with care. This method make the Connection use {@link AcceptAllTrustManager} and essentially
|
||||
* <b>invalidates all security guarantees provided by TLS</b>. Only use this method if you understand the
|
||||
* implications.
|
||||
* </p>
|
||||
*
|
||||
* @param builder
|
||||
* @param builder a connection configuration builder.
|
||||
* @throws NoSuchAlgorithmException
|
||||
* @throws KeyManagementException
|
||||
* @return the given builder.
|
||||
*/
|
||||
public static <B extends ConnectionConfiguration.Builder<B,?>> B acceptAllCertificates(B builder) throws NoSuchAlgorithmException, KeyManagementException {
|
||||
SSLContext context = SSLContext.getInstance(TLS);
|
||||
|
@ -95,6 +99,30 @@ public class TLSUtils {
|
|||
return builder;
|
||||
}
|
||||
|
||||
private static final HostnameVerifier DOES_NOT_VERIFY_VERIFIER = new HostnameVerifier() {
|
||||
@Override
|
||||
public boolean verify(String hostname, SSLSession session) {
|
||||
// This verifier doesn't verify the hostname, it always returns true.
|
||||
return true;
|
||||
}
|
||||
};
|
||||
|
||||
/**
|
||||
* Disable the hostname verification of TLS certificates.
|
||||
* <p>
|
||||
* <b>Warning:</b> Use with care. This disables hostname verification of TLS certificates and essentially
|
||||
* <b>invalidates all security guarantees provided by TLS</b>. Only use this method if you understand the
|
||||
* implications.
|
||||
* </p>
|
||||
*
|
||||
* @param builder a connection configuration builder.
|
||||
* @return the given builder.
|
||||
*/
|
||||
public static <B extends ConnectionConfiguration.Builder<B,?>> B disableHostnameVerificationForTlsCertificicates(B builder) {
|
||||
builder.setHostnameVerifier(DOES_NOT_VERIFY_VERIFIER);
|
||||
return builder;
|
||||
}
|
||||
|
||||
public static void setEnabledProtocolsAndCiphers(final SSLSocket sslSocket,
|
||||
String[] enabledProtocols, String[] enabledCiphers)
|
||||
throws SecurityNotPossibleException {
|
||||
|
|
Loading…
Reference in a new issue