Hello Tomcat user group,
I want a Tomcat servlet to connect to a secure WebSocket endpoint to exchange data with another component / server (so my Tomcat servlet is acting as a WebSocket client).
Now I would also like to do some hostname verification (verify that the host to which I am connecting matches the subject alternative name from the certificate) to prevent man-in-the-middle attacks, see also [1].
I know that it is possible to provide an SSLContext to Tomcat through user properties [2]. But a javax.net.ssl.SSLContext does not provide any configuration options for hostname verifiers, see the JavaDoc at [3], e.g., something like sslParams.setEndpointIdentificationAlgorithm("HTTPS"), as suggested by [4].
So one way to achieve this would be to patch org.apache.tomcat.websocket.WsWebSocketContainer.java in the method private SSLEngine createSSLEngine(Map<String,Object> userProperties) and introduce another user property.
But maybe there are already other solutions available to achieve hostname verification in Tomcat WebSocket clients.
My code looks like this:
import java.io.IOException;
import java.net.URI;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.websocket.ClientEndpointConfig;
import javax.websocket.ContainerProvider;
import javax.websocket.DeploymentException;
import javax.websocket.Session;
import javax.websocket.WebSocketContainer;

public class MyServlet extends HttpServlet
{
    final String hostname = "otherpc";

    @Override
    protected void doGet(final HttpServletRequest request, final HttpServletResponse response)
        throws ServletException, IOException
    {
        // Trust store for the outgoing TLS connection; these properties are JVM-wide.
        System.setProperty("javax.net.ssl.trustStorePassword", "My123456");
        System.setProperty("javax.net.ssl.trustStoreType", "PKCS12");
        System.setProperty("javax.net.ssl.trustStore", "C:\\RootCACertificate.pfx");

        final URI uri = URI.create("wss://" + hostname + ":8443/websocket");
        final WebSocketContainer container = ContainerProvider.getWebSocketContainer();
        final ClientEndpointConfig config = ClientEndpointConfig.Builder.create().build();
        try
        {
            // Connect as a WebSocket client; the TLS handshake happens here.
            // MyEndpoint is the @ClientEndpoint class (defined elsewhere).
            final Session session = container.connectToServer(MyEndpoint.class, config, uri);
            // more stuff ....
        }
        catch (final DeploymentException e)
        {
            throw new ServletException("WebSocket connection to " + uri + " failed", e);
        }
    }
}
What are your thoughts?
Thank you very much for your time!
Harald.
[1] https://tersesystems.com/blog/2014/03/23/fixing-hostname-verification/
[2] https://www.mail-archive.com/[email protected]/msg125312.html
[3] https://docs.oracle.com/javase/7/docs/api/javax/net/ssl/SSLContext.html
[4] https://stackoverflow.com/a/18174689
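The SSLParameters approach from [4], written out as an added example (this is not code from the original post or from Tomcat; the class and method names are mine). It assumes the caller controls how the client SSLEngine is created, which in Tomcat means the createSSLEngine patch point mentioned above; the key detail is that the peer host and port must be passed to createSSLEngine, otherwise JSSE has nothing to compare the certificate's subject alternative names against.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

/** Added example: client SSLEngine construction with and without hostname verification. */
public final class VerifyingSslEngineFactory {

    private VerifyingSslEngineFactory() {}

    /** Weak variant: a bare SSLContext gives an engine that validates the chain but never
     *  checks that the certificate belongs to the host being contacted. */
    public static SSLEngine unverifiedClientEngine(SSLContext ctx) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(true);
        return engine;
    }

    /** Hardened variant: the engine knows the peer host and HTTPS endpoint identification
     *  is switched on, so a certificate whose SAN entries do not match the host (DNS name,
     *  or IP address for a literal IP) makes the handshake fail with SSLHandshakeException. */
    public static SSLEngine verifyingClientEngine(SSLContext ctx, String host, int port) {
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return engine;
    }

    /** Check a practitioner can run against any engine: both conditions must hold for the
     *  verification to actually take place. */
    public static boolean hostnameVerificationEnabled(SSLEngine engine) {
        String alg = engine.getSSLParameters().getEndpointIdentificationAlgorithm();
        return engine.getPeerHost() != null && alg != null && !alg.isEmpty();
    }

    public static void main(String[] args) throws Exception {
        // Uses the JVM default context, i.e. the javax.net.ssl.trustStore* properties.
        SSLContext ctx = SSLContext.getDefault();
        System.out.println("bare engine verifies hostname: "
            + hostnameVerificationEnabled(unverifiedClientEngine(ctx)));
        System.out.println("hardened engine verifies hostname: "
            + hostnameVerificationEnabled(verifyingClientEngine(ctx, "otherpc", 8443)));
    }
}
```

Setting the algorithm on a context-level SSLParameters object is not enough on its own: the parameters are applied per engine, so the setting has to be made wherever the engine is built.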