What is the equivalent of .setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE) in Netty world?

Question

A small question regarding Netty and io.netty.handler.ssl.SslContext

In Tomcat and org.apache.http.ssl.SSLContexts, we have the possibility to perform the following:

HttpClient httpClient = HttpClients.custom() .setSSLContext(SSLContexts.custom() .loadKeyMaterial(someKeystorePropertlyInitialized) .loadTrustMaterial(someTruststorePropertlyInitialized) .build()) .setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE) .build();

(Appreciate if we can leave the fonts and not wrap inside a code block)

This can for instance fix issues such as Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching xxx found (This question is not about if NoopHostnameVerifier.INSTANCE is the proper way to fix this.)

My question is, what is the equivalent in Netty of .setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE), without .trustManager(InsecureTrustManagerFactory.INSTANCE), because I have a real trust store, I just want to skip the host name, not everything

Maybe something with reactor.netty.http.client.HttpClient; HttpClient.create() ?

Answer 1

Actually, Netty has hostname verification turned off by default -- see this issue. It looks like the library you're using (reactor-netty) might have it turned on. There appears to be a similar issue on reactor-netty's github which points to the solution, but the code snippet provided seems to do more than what's necessary. Essentially, all you need is to access the SSLEngine from the SslHandler and make sure the endpoint identification algorithm is empty/null:

HttpClient.create().secure(
        ssl -> ssl.sslContext(sslContext)
              .handlerConfigurator(handler-> {
                  SSLEngine engine = handler.engine();
                  SSLParameters params = new SSLParameters();
                  // ... set other SSL params
                  params.setEndpointIdentificationAlgorithm(null);
              })
);