From what I can tell, there is no 'flag' or config setting I can use to enable SSL hostname verification in Netty. Examples I've seen add custom implementations using the Ch
If you're using Java 7, you can do this by configuring the SSLSocket or SSLEngine to do it for you via the default trust manager. (This is independent of Netty.)
Something like this should work:
SSLContext sslContext = SSLContext.getDefault();
SSLEngine sslEngine = sslContext.createSSLEngine();
SSLParameters sslParams = new SSLParameters();
sslParams.setEndpointIdentificationAlgorithm("HTTPS");
sslEngine.setSSLParameters(sslParams);
The SSLEngine instance can be passed as an argument to the SslHandler constructor, as described in this example.
The endpoint identification algorithm can be either HTTPS or LDAP. For other protocols, the HTTPS rules should be fairly sensible.
(You can of course check that it works by connecting to that host using a wrong host name, for example using a URL with the IP address instead of the host name, assuming that the certificate doesn't contain a Subject Alternative Name IP address entry for it.)
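A fuller version of the engine setup from the answer above, as an added example that is not part of the original post. It creates the engine with the peer host and port, because that host is the name the certificate is compared against, puts it in client mode, and starts from the engine's current parameters. The class name `HostnameVerifyingEngine`, the method `newClientEngine` and the host `example.com` are assumptions made for illustration.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import java.security.NoSuchAlgorithmException;

public class HostnameVerifyingEngine { // hypothetical class name

    // Builds a client-side SSLEngine that checks the server certificate
    // against peerHost using the HTTPS endpoint identification rules.
    static SSLEngine newClientEngine(String peerHost, int peerPort)
            throws NoSuchAlgorithmException {
        if (peerHost == null || peerHost.isEmpty()) {
            // Without a peer host there is no name to compare the certificate with.
            throw new IllegalArgumentException("peer host is required for endpoint identification");
        }
        SSLContext sslContext = SSLContext.getDefault();

        // The host given here is the name the default trust manager
        // matches against the certificate during the handshake.
        SSLEngine sslEngine = sslContext.createSSLEngine(peerHost, peerPort);
        sslEngine.setUseClientMode(true);

        // Start from the engine's current parameters so the enabled
        // protocols and cipher suites are carried over unchanged.
        SSLParameters sslParams = sslEngine.getSSLParameters();
        sslParams.setEndpointIdentificationAlgorithm("HTTPS");
        sslEngine.setSSLParameters(sslParams);
        return sslEngine;
    }

    public static void main(String[] args) throws Exception {
        // example.com is a constructed sample value.
        SSLEngine engine = newClientEngine("example.com", 443);
        System.out.println("peer host: " + engine.getPeerHost());
        System.out.println("endpoint identification: "
                + engine.getSSLParameters().getEndpointIdentificationAlgorithm());
    }
}
```

The engine returned by `newClientEngine` is the one to pass to the SslHandler constructor.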