Tuesday, September 21, 2010

Disable host name verification in webservices

While developing secured HTTP clients, host name verification failure is one of the common issues.

In this blog I will try to explain:

What is host name verification?
If you observe the SSL handshake process, during a new TCP connection the server sends a trust certificate to the client. This certificate has the server's public key and host name (the common name (CN)), among many other properties.
In subsequent communication between client and server in the same SSL session, the requested host name should be the same as the host name in the certificate. This check is necessary to prevent URL spoofing.

Why is it problematic?
If the host name in the certificate is 'myhost', you can only access the server with that specific name; we cannot even access it with the local IP address.

In applications that deal directly with HttpsURLConnection, the host name verifier can be overridden as below (this verifier accepts every host name, i.e. it disables the check):
    HostnameVerifier hv = new javax.net.ssl.HostnameVerifier() {
        public boolean verify(String urlHostName, SSLSession session) {
            // Accept any host name: this switches host name verification off
            return true;
        }
    };

Either set it as the default HostnameVerifier for the whole JVM:
    javax.net.ssl.HttpsURLConnection.setDefaultHostnameVerifier(hv);

or set hv on a specific connection only:
    URLConnection uc = u.openConnection();   // u is the java.net.URL of the service
    HttpsURLConnection connection = (HttpsURLConnection) uc;
    connection.setHostnameVerifier(hv);
    connection.connect();

When it comes to a JAX-WS web service, how can we disable HV?
We don't have access to any protocol handler, and we may not know whether custom connection handlers are used.

The code below can be used to disable host name verification with the JAX-WS RI:
    Map<String, Object> ctxt = ((BindingProvider) portType).getRequestContext();
    ctxt.put(com.sun.xml.ws.developer.JAXWSProperties.HOSTNAME_VERIFIER, hv);
or, on WebLogic:
    ctxt.put(weblogic.wsee.jaxws.JAXWSProperties.HOSTNAME_VERIFIER, hv);
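As an added example (not code from the original post), the `return true` verifier used above can be replaced by one that makes an exception only for explicitly listed development addresses, and only when the certificate the server actually presented is the expected one. It serves both the HttpsURLConnection case and the JAX-WS RI request-context case shown above. The class name `ScopedHostnameVerifier`, the address list (`127.0.0.1`, `localhost`), the expected subject `CN=myhost` and the service URL are assumptions for illustration. Note that JSSE consults a custom HostnameVerifier only after its own CN check of the certificate has already failed, so whatever this method accepts is an explicit exception to that check.

```java
import java.io.IOException;
import java.net.URL;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.xml.ws.BindingProvider;

/**
 * A HostnameVerifier that does NOT accept everything. It accepts a URL host
 * only if (a) the host is in an explicit list of development addresses and
 * (b) the leaf certificate the server presented carries the expected subject.
 * Everything else is rejected, exactly as with no custom verifier at all.
 */
public final class ScopedHostnameVerifier implements HostnameVerifier {

    private final Set<String> allowedHosts;   // assumed dev addresses, e.g. "127.0.0.1"
    private final String expectedSubjectDn;   // assumed subject, e.g. "CN=myhost"

    public ScopedHostnameVerifier(Set<String> allowedHosts, String expectedSubjectDn) {
        this.allowedHosts = Collections.unmodifiableSet(new HashSet<String>(allowedHosts));
        this.expectedSubjectDn = expectedSubjectDn;
    }

    @Override
    public boolean verify(String urlHostName, SSLSession session) {
        // JSSE calls this only after its own CN check has failed, so anything
        // accepted here is a deliberate exception; keep it as narrow as possible.
        if (!allowedHosts.contains(urlHostName)) {
            return false;
        }
        try {
            Certificate[] chain = session.getPeerCertificates();
            if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
                return false;
            }
            X509Certificate leaf = (X509Certificate) chain[0];
            // RFC 2253 form of the subject, e.g. "CN=myhost"
            String subject = leaf.getSubjectX500Principal().getName();
            return expectedSubjectDn.equals(subject);
        } catch (SSLPeerUnverifiedException e) {
            // No authenticated peer certificate: never accept
            return false;
        }
    }

    /** Apply the verifier to one HttpsURLConnection instead of the JVM-wide default. */
    public static HttpsURLConnection open(URL u, HostnameVerifier hv) throws IOException {
        HttpsURLConnection connection = (HttpsURLConnection) u.openConnection();
        connection.setHostnameVerifier(hv);
        return connection;
    }

    /** Apply the verifier to a JAX-WS RI port through its request context. */
    public static void applyToPort(Object portType, HostnameVerifier hv) {
        Map<String, Object> ctxt = ((BindingProvider) portType).getRequestContext();
        ctxt.put(com.sun.xml.ws.developer.JAXWSProperties.HOSTNAME_VERIFIER, hv);
    }

    public static void main(String[] args) throws IOException {
        // Assumed values: the dev server is reached by IP, its certificate says CN=myhost
        HostnameVerifier hv = new ScopedHostnameVerifier(
                new HashSet<String>(Arrays.asList("127.0.0.1", "localhost")), "CN=myhost");

        HttpsURLConnection connection = open(new URL("https://127.0.0.1:8443/service"), hv);
        connection.connect();
        System.out.println("HTTP " + connection.getResponseCode());
        // For a JAX-WS port 'portType' the same verifier is applied with:
        // applyToPort(portType, hv);
    }
}
```

Because the verifier is handed to a single connection (or a single port's request context) rather than to setDefaultHostnameVerifier, the exception does not leak into every other HTTPS client in the JVM, and a log line in verify() makes each use of the exception visible. Comparing the leaf certificate's subject is the minimum check; comparing its SHA-256 fingerprint against the development certificate you generated is stricter.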


Related Info:
* Dummy certificates can be created using 'openssl'
* http://download.oracle.com/javase/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#SSLOverview
