On Wed, Oct 9, 2019, 18:11 Gary Sheppard wrote:

> On Tue, Jun 12, 2018 at 12:13 Mark Thomas wrote:
>
> >> It would be very useful to be able to configure this, so if you are
> >> going to patch the code, please make this configurable by the client.
> >> See HttpsURLConnection.setHostnameVerifier
> >>
> >> I think it's appropriate to simply match that API unless there are any
> >> objections.
> >
> > I'll see what I can do. The major constraint is that all this has to be
> > set via Tomcat specific user properties as there is no API for in the
> > Java WebSocket API.
>
> I realize I'm very late to the conversation, but did this ever get into
> the Tomcat WebSocket client, i.e. the ability to set a custom
> HostnameVerifier? Or did anyone come up with a nice workaround?
>
Actually I may have stumbled on it just now:

https://tomcat.apache.org/tomcat-9.0-doc/web-socket-howto.html

"For secure server end points, host name verification is enabled by default. To bypass this verification (not recommended), it is necessary to provide a custom SSLContext via the org.apache.tomcat.websocket.SSL_CONTEXT user property. The custom SSLContext must be configured with a custom TrustManager that extends javax.net.ssl.X509ExtendedTrustManager. The desired verification (or lack of verification) can then be controlled by appropriate implementations of the individual abstract methods."

I will try this tomorrow and see how it goes.

—Gary