1
0
Fork 0
mirror of https://github.com/vanitasvitae/Smack.git synced 2024-11-22 20:12:07 +01:00

TLSUtils.disableHostnameVerificationForTlsCertificates()

(yeah, I know)

Sometimes "a friend" has setup an XMPP service which uses a self-signed
cert. While we can get a decent amount of security by using techniques
like e.g. the MemorizingTrustManager, there's still a pitfall. If the
service's TLS certificates contains no or the wrong service/hostname
information, Smack will throw an CertificateException. Therefore provide
an API call to disable hostname verification.
This commit is contained in:
Florian Schmaus 2015-01-17 12:04:57 +01:00
parent c36ffd18c2
commit 9ec7d628c8

View file

@ -25,7 +25,9 @@ import java.util.Arrays;
import java.util.HashSet; import java.util.HashSet;
import java.util.Set; import java.util.Set;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext; import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket; import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager; import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager; import javax.net.ssl.X509TrustManager;
@ -78,15 +80,17 @@ public class TLSUtils {
} }
/** /**
* Accept all SSL/TLS certificates. * Accept all TLS certificates.
* <p> * <p>
* <b>Warning</b> Use with care. This method make the Connection use * <b>Warning:</b> Use with care. This method make the Connection use {@link AcceptAllTrustManager} and essentially
* {@link AcceptAllTrustManager}. Only use this method if you understand the implications. * <b>invalidates all security guarantees provided by TLS</b>. Only use this method if you understand the
* implications.
* </p> * </p>
* *
* @param builder * @param builder a connection configuration builder.
* @throws NoSuchAlgorithmException * @throws NoSuchAlgorithmException
* @throws KeyManagementException * @throws KeyManagementException
* @return the given builder.
*/ */
public static <B extends ConnectionConfiguration.Builder<B,?>> B acceptAllCertificates(B builder) throws NoSuchAlgorithmException, KeyManagementException { public static <B extends ConnectionConfiguration.Builder<B,?>> B acceptAllCertificates(B builder) throws NoSuchAlgorithmException, KeyManagementException {
SSLContext context = SSLContext.getInstance(TLS); SSLContext context = SSLContext.getInstance(TLS);
@ -95,6 +99,30 @@ public class TLSUtils {
return builder; return builder;
} }
private static final HostnameVerifier DOES_NOT_VERIFY_VERIFIER = new HostnameVerifier() {
@Override
public boolean verify(String hostname, SSLSession session) {
// This verifier doesn't verify the hostname, it always returns true.
return true;
}
};
/**
* Disable the hostname verification of TLS certificates.
* <p>
* <b>Warning:</b> Use with care. This disables hostname verification of TLS certificates and essentially
* <b>invalidates all security guarantees provided by TLS</b>. Only use this method if you understand the
* implications.
* </p>
*
* @param builder a connection configuration builder.
* @return the given builder.
*/
public static <B extends ConnectionConfiguration.Builder<B,?>> B disableHostnameVerificationForTlsCertificicates(B builder) {
builder.setHostnameVerifier(DOES_NOT_VERIFY_VERIFIER);
return builder;
}
public static void setEnabledProtocolsAndCiphers(final SSLSocket sslSocket, public static void setEnabledProtocolsAndCiphers(final SSLSocket sslSocket,
String[] enabledProtocols, String[] enabledCiphers) String[] enabledProtocols, String[] enabledCiphers)
throws SecurityNotPossibleException { throws SecurityNotPossibleException {