From 9ec7d628c85a95b65df19874e0b588b30f9de1e8 Mon Sep 17 00:00:00 2001
From: Florian Schmaus
Date: Sat, 17 Jan 2015 12:04:57 +0100
Subject: [PATCH] TLSUtils.disableHostnameVerificationForTlsCertificates() (yeah, I know)
Sometimes "a friend" has setup an XMPP service which uses a self-signed cert. While we can get a decent amount of security by using techniques like e.g. the MemorizingTrustManager, there's still a pitfall. If the service's TLS certificates contains no or the wrong service/hostname information, Smack will throw an CertificateException. Therefore provide an API call to disable hostname verification.
---
 .../org/jivesoftware/smack/util/TLSUtils.java | 36 ++++++++++++++++---
 1 file changed, 32 insertions(+), 4 deletions(-)
diff --git a/smack-core/src/main/java/org/jivesoftware/smack/util/TLSUtils.java b/smack-core/src/main/java/org/jivesoftware/smack/util/TLSUtils.java
index e85de4973..822543d1d 100644
--- a/smack-core/src/main/java/org/jivesoftware/smack/util/TLSUtils.java
+++ b/smack-core/src/main/java/org/jivesoftware/smack/util/TLSUtils.java
@@ -25,7 +25,9 @@ import java.util.Arrays;
 import java.util.HashSet;
 import java.util.Set;
+import javax.net.ssl.HostnameVerifier;
 import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSession;
 import javax.net.ssl.SSLSocket;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.X509TrustManager;
@@ -78,15 +80,17 @@ public class TLSUtils {
 }
 /**
- * Accept all SSL/TLS certificates.
+ * Accept all TLS certificates.
 *

- * Warning Use with care. This method make the Connection use
- * {@link AcceptAllTrustManager}. Only use this method if you understand the implications.
+ * Warning: Use with care. This method make the Connection use {@link AcceptAllTrustManager} and essentially
+ * invalidates all security guarantees provided by TLS. Only use this method if you understand the
+ * implications.
 *

 *
- * @param builder
+ * @param builder a connection configuration builder.
 * @throws NoSuchAlgorithmException
 * @throws KeyManagementException
+ * @return the given builder.
 */
 public static > B acceptAllCertificates(B builder) throws NoSuchAlgorithmException, KeyManagementException {
 SSLContext context = SSLContext.getInstance(TLS);
@@ -95,6 +99,30 @@ public class TLSUtils {
 return builder;
 }
+ private static final HostnameVerifier DOES_NOT_VERIFY_VERIFIER = new HostnameVerifier() {
+ @Override
+ public boolean verify(String hostname, SSLSession session) {
+ // This verifier doesn't verify the hostname, it always returns true.
+ return true;
+ }
+ };
+
+ /**
+ * Disable the hostname verification of TLS certificates.
+ *
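Review bot: The two `@throws` tags in the reworked Javadoc of `acceptAllCertificates` still carry no description, so the reader is not told when `NoSuchAlgorithmException` or `KeyManagementException` is raised; since this commit already rewrites the rest of the comment, complete them, e.g. `@throws NoSuchAlgorithmException if no provider supports the requested SSLContext` and `@throws KeyManagementException if the SSLContext cannot be initialized` (the initialization presumably happens in the part of the body outside the hunk). The surviving sentence `This method make the Connection use` should read `This method makes the connection use`. The body of `acceptAllCertificates` continues past the end of the hunk.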

+ * Warning: Use with care. This disables hostname verification of TLS certificates and essentially
+ * invalidates all security guarantees provided by TLS. Only use this method if you understand the
+ * implications. *

+ *
+ * @param builder a connection configuration builder.
+ * @return the given builder.
+ */
+ public static > B disableHostnameVerificationForTlsCertificicates(B builder) {
+ builder.setHostnameVerifier(DOES_NOT_VERIFY_VERIFIER);
+ return builder;
+ }
+
 public static void setEnabledProtocolsAndCiphers(final SSLSocket sslSocket, String[] enabledProtocols, String[] enabledCiphers) throws SecurityNotPossibleException {
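Review bot: The new public method is declared as `disableHostnameVerificationForTlsCertificicates` while the commit subject names it `disableHostnameVerificationForTlsCertificates`; the extra "ic" looks like a typo, and because this is public API it turns into a compatibility break once released, so rename it before merging, `B disableHostnameVerificationForTlsCertificates(B builder) {` (the generic bound on the signature is not legible in this rendering). The Javadoc warning also describes the effect imprecisely: with a trust manager that pins the expected certificate, as the commit message describes, the peer is still authenticated, whereas with a default trust store any certificate chaining to a trusted CA is then accepted for this connection regardless of the name it was issued for. Suggest adding a sentence such as `Unless the configured trust manager itself pins the expected certificate, any certificate trusted by the trust store will be accepted regardless of the host it was issued for.` The `setEnabledProtocolsAndCiphers` signature at the end of the hunk is context only; its body lies outside the hunk.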