SSL hostname verification support

Problem description

From what I can tell, there is no 'flag' or config setting I can use to enable SSL hostname verification in Netty. Examples I've seen add custom implementations using the ChannelFuture returned by SslHandler.handshake():

ChannelFuture handshakeFuture = sslHandler.handshake();
handshakeFuture.addListener(new ChannelFutureListener()
{
    public void operationComplete(ChannelFuture future) throws Exception
    {
        if (future.isSuccess())
        {
            // get peer certs, verify CN (or SAN extension, or..?) against requested domain
            ...
        }
    }
});

I just want to make sure I'm on the right track here, and that I'm not missing a way to simply "enable" hostname verification.

Recommended answer

If you're using Java 7, you can do this by configuring the SSLSocket or SSLEngine to do it for you via the default trust manager. (This is independent of Netty.)

Something like this should work:

// peerHost/peerPort are the host name and port the client is connecting to; they must be
// given here so the trust manager knows which name the certificate has to match.
SSLContext sslContext = SSLContext.getDefault();
SSLEngine sslEngine = sslContext.createSSLEngine(peerHost, peerPort);
sslEngine.setUseClientMode(true);

// Start from the engine's current parameters so cipher suites and protocols are kept.
SSLParameters sslParams = sslEngine.getSSLParameters();
sslParams.setEndpointIdentificationAlgorithm("HTTPS");
sslEngine.setSSLParameters(sslParams);

The SSLEngine instance can be passed as an argument to the SslHandler constructor, as described in this example.

The endpoint identification algorithm can be either HTTPS or LDAP. For other protocols, the HTTPS rules should be fairly sensible.

(You can of course check that it works by connecting to that host using a wrong host name, for example using a URL with the IP address instead of the host name, assuming that the certificate doesn't contain a Subject Alternative Name IP address entry for it.)
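As an added example (not code from the answer or from the Netty project), here is a Netty 3.x client pipeline that applies the approach above: the engine is created with the peer host and port, HTTPS endpoint identification is switched on, and a small handler starts the handshake on connect and closes the channel if it fails. The class and method names are mine; it assumes Java 7+ and the Netty 3 API the question uses (SslHandler.handshake()).

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import org.jboss.netty.channel.ChannelFuture;
import org.jboss.netty.channel.ChannelFutureListener;
import org.jboss.netty.channel.ChannelHandlerContext;
import org.jboss.netty.channel.ChannelPipeline;
import org.jboss.netty.channel.ChannelStateEvent;
import org.jboss.netty.channel.Channels;
import org.jboss.netty.channel.SimpleChannelUpstreamHandler;
import org.jboss.netty.handler.ssl.SslHandler;

/** Client-side TLS setup whose handshake fails unless the server cert matches peerHost. */
public final class VerifyingSsl {
    /** Java 7+: the default trust manager does the name check once told which rules apply. */
    static SSLEngine newVerifyingEngine(String peerHost, int peerPort) throws Exception {
        // peerHost/peerPort must be supplied here: without them the trust manager has no
        // expected name to compare the certificate against and the check cannot succeed.
        SSLEngine engine = SSLContext.getDefault().createSSLEngine(peerHost, peerPort);
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters(); // keep current suites/protocols
        params.setEndpointIdentificationAlgorithm("HTTPS"); // SAN dNSName first, then CN
        engine.setSSLParameters(params);
        return engine;
    }

    /** Pipeline to return from a ChannelPipelineFactory for a client connecting to peerHost. */
    static ChannelPipeline newPipeline(String peerHost, int peerPort) throws Exception {
        ChannelPipeline p = Channels.pipeline();
        p.addLast("ssl", new SslHandler(newVerifyingEngine(peerHost, peerPort)));
        p.addLast("handshake", new HandshakeGuard());
        return p;
    }

    /** Starts the handshake once connected and closes the channel if it fails. */
    static final class HandshakeGuard extends SimpleChannelUpstreamHandler {
        @Override
        public void channelConnected(ChannelHandlerContext ctx, ChannelStateEvent e) throws Exception {
            SslHandler ssl = ctx.getPipeline().get(SslHandler.class);
            ssl.handshake().addListener(new ChannelFutureListener() {
                public void operationComplete(ChannelFuture f) {
                    // A cert issued for another name fails the handshake; never leave it half-open.
                    if (!f.isSuccess()) { f.getChannel().close(); }
                }
            });
            super.channelConnected(ctx, e);
        }
    }
}
```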

08-05 23:38