First I was using ‘DefaultResourceRetriever’ without any configuration, like this:
new DefaultResourceRetriever(1000, 1000);
and then I got the following exception:
java.security.cert.CertificateException: No subject alternative DNS name matching my-jwks-url.com found.
To bypass the certificate check, I configured the resource retriever as below:
// Trust strategy that accepts every certificate chain
TrustStrategy trustStrategy = (X509Certificate[] x509Certificates, String s) -> true;
SSLContext sslContext = SSLContexts.custom()
        .loadTrustMaterial(null, trustStrategy)
        .build();
SSLSocketFactory socketFactory = sslContext.getSocketFactory();
return new DefaultResourceRetriever(1000, 1000, 0, true, socketFactory);
But it didn’t change anything.
I could set Hostname verifier to SSLConnectionSocketFactory like this:
new SSLConnectionSocketFactory(sslContext, new NoopHostnameVerifier())
But the Nimbus ResourceRetriever only accepts an SSLSocketFactory as a parameter.
Is there any way to disable Hostname verification?
Answer
I resolved it by extending DefaultResourceRetriever and overriding the openConnection(URL url) method.
If the URL is HTTPS, it creates an HttpsURLConnection, and we can set a NoopHostnameVerifier on it.
Here is my solution:
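import com.nimbusds.jose.util.DefaultResourceRetriever;
import org.apache.http.conn.ssl.NoopHostnameVerifier;

import javax.net.ssl.HttpsURLConnection;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;

public class NoopHostnameVerifyingResourceRetriever extends DefaultResourceRetriever {

    public NoopHostnameVerifyingResourceRetriever(int connectTimeout, int readTimeout) {
        super(connectTimeout, readTimeout);
    }

    @Override
    protected HttpURLConnection openConnection(URL url) throws IOException {
        HttpURLConnection connection = super.openConnection(url);
        if (connection instanceof HttpsURLConnection) {
            // Accepts any hostname: the certificate name is no longer matched against the URL
            ((HttpsURLConnection) connection).setHostnameVerifier(new NoopHostnameVerifier());
        }
        return connection;
    }
}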
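Added example, not part of the original answer: the same openConnection(URL) override, but instead of accepting every hostname it tolerates a name mismatch only for one expected JWKS host whose certificate matches a pinned SHA-256 digest, so the keys used to verify tokens cannot come from an arbitrary server. The class name, the expected host and the pinned digest are assumptions supplied by whoever deploys it; certificate chain validation is left at the JVM default.

```java
import com.nimbusds.jose.util.DefaultResourceRetriever;

import javax.net.ssl.HttpsURLConnection;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.MessageDigest;
import java.security.cert.Certificate;

// Hypothetical class: narrows the hostname exception instead of disabling the check.
public class PinnedCertResourceRetriever extends DefaultResourceRetriever {

    private final String expectedHost;  // the only host the exception applies to
    private final byte[] pinnedSha256;  // SHA-256 of the server certificate (DER), obtained out of band

    public PinnedCertResourceRetriever(int connectTimeout, int readTimeout,
                                       String expectedHost, byte[] pinnedSha256) {
        super(connectTimeout, readTimeout);
        this.expectedHost = expectedHost;
        this.pinnedSha256 = pinnedSha256.clone();
    }

    @Override
    protected HttpURLConnection openConnection(URL url) throws IOException {
        HttpURLConnection connection = super.openConnection(url);
        if (connection instanceof HttpsURLConnection) {
            // HttpsURLConnection consults this verifier only when the URL's hostname
            // does not match the name in the server certificate.
            ((HttpsURLConnection) connection).setHostnameVerifier((host, session) -> {
                if (!expectedHost.equalsIgnoreCase(host)) {
                    return false; // mismatch on any other host stays an error
                }
                try {
                    Certificate leaf = session.getPeerCertificates()[0];
                    byte[] actual = MessageDigest.getInstance("SHA-256").digest(leaf.getEncoded());
                    return MessageDigest.isEqual(actual, pinnedSha256); // constant-time compare
                } catch (Exception e) {
                    return false; // fail closed if the certificate cannot be read or hashed
                }
            });
        }
        return connection;
    }
}
```

When the JWKS host rotates its certificate, the pinned digest has to be updated at the same time.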