TLSUtils.disableHostnameVerificationForTlsCertificates()

(yeah, I know) Sometimes "a friend" has setup an XMPP service which uses a self-signed cert. While we can get a decent amount of security by using techniques like e.g. the MemorizingTrustManager, there's still a pitfall. If the service's TLS certificates contains no or the wrong service/hostname information, Smack will throw an CertificateException. Therefore provide an API call to disable hostname verification.
2024-11-22 20:12:07 +01:00 · 2015-01-17 12:04:57 +01:00 · 2015-01-17 12:04:57 +01:00 · 9ec7d628c8
commit 9ec7d628c8
parent c36ffd18c2
1 changed files with 32 additions and 4 deletions
--- a/smack-core/src/main/java/org/jivesoftware/smack/util/TLSUtils.java
+++ b/smack-core/src/main/java/org/jivesoftware/smack/util/TLSUtils.java
@ -25,7 +25,9 @@ import java.util.Arrays;
 import java.util.HashSet;
 import java.util.Set;

+import javax.net.ssl.HostnameVerifier;
 import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSession;
 import javax.net.ssl.SSLSocket;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.X509TrustManager;
@ -78,15 +80,17 @@ public class TLSUtils {
    }

    /**
-     * Accept all SSL/TLS certificates.
+     * Accept all TLS certificates.
     * <p>
-     * <b>Warning</b> Use with care. This method make the Connection use
-     * {@link AcceptAllTrustManager}. Only use this method if you understand the implications.
+     * <b>Warning:</b> Use with care. This method make the Connection use {@link AcceptAllTrustManager} and essentially
+     * <b>invalidates all security guarantees provided by TLS</b>. Only use this method if you understand the
+     * implications.
     * </p>
     * 
-     * @param builder
+     * @param builder a connection configuration builder.
     * @throws NoSuchAlgorithmException
     * @throws KeyManagementException
+     * @return the given builder.
     */
    public static <B extends ConnectionConfiguration.Builder<B,?>> B acceptAllCertificates(B builder) throws NoSuchAlgorithmException, KeyManagementException {
        SSLContext context = SSLContext.getInstance(TLS);
@ -95,6 +99,30 @@ public class TLSUtils {
        return builder;
    }

+    private static final HostnameVerifier DOES_NOT_VERIFY_VERIFIER = new HostnameVerifier() {
+        @Override
+        public boolean verify(String hostname, SSLSession session) {
+            // This verifier doesn't verify the hostname, it always returns true.
+            return true;
+        }
+    };
+
+    /**
+     * Disable the hostname verification of TLS certificates.
+     * <p>
+     * <b>Warning:</b> Use with care. This disables hostname verification of TLS certificates and essentially
+     * <b>invalidates all security guarantees provided by TLS</b>. Only use this method if you understand the
+     * implications.
+     * </p>
+     * 
+     * @param builder a connection configuration builder.
+     * @return the given builder.
+     */
+    public static <B extends ConnectionConfiguration.Builder<B,?>> B disableHostnameVerificationForTlsCertificicates(B builder) {
+        builder.setHostnameVerifier(DOES_NOT_VERIFY_VERIFIER);
+        return builder;
+    }
+
    public static void setEnabledProtocolsAndCiphers(final SSLSocket sslSocket,
                    String[] enabledProtocols, String[] enabledCiphers)
                    throws SecurityNotPossibleException {