
Easily buildable client `TrustManager`


In some cases, a user has to relax the verification of server certificates, e.g.

  1. Accept a certificate regardless of whether it is valid.
  2. Accept a certificate even if the certificate’s CN does not match the server’s host name as long as the certificate chain’s signatures are valid.
  3. Accept a certificate when its SHA-256 (or any digest algorithm) checksum matches.
  4. Accept a certificate only when its CN matches the server’s host name AND the certificate chain’s signatures are valid.

… for all servers or a certain set of servers.

For now, we do (4) by default and a user can do (1) for all or specific hosts.

We could provide a simple way to build a client-side TrustManager that allows a user to implement all 4 actions for all or a certain set of servers.

The following is a hypothetical API I designed for it:

public final class ClientTrustManagers {
  // Does (1) for all hosts.
  public static TrustManager noVerify() { ... }
  // Does (2) for all hosts.
  public static TrustManager verifySignaturesOnly() { ... }
  // Does (3) for all hosts.
  public static TrustManager verifyFingerprintOnly(String algorithm, String... fingerprints) { ... }
  // Does (4) for all hosts. (default)
  public static TrustManager verifyAll() { ... }

  public static ClientTrustManagerBuilder builder() { ... }
}

// Examples
ClientTrustManagers
  .builder()
  .noVerify("a.com") // Do (1) if a.com.
  .reject("*.b.com") // Always reject if *.b.com.
  .verifySignaturesOnly("c.com") // (2) if c.com.
  .verifyFingerprintOnly("d.com", "SHA-256", "00:00:....", "01:01:...", ...) // (3) if d.com.
  .verifyAll("e.com") // (4) if "e.com"
  .action("f.com", (chain, authType, engine) -> { ... }) // Custom action if f.com.
  //.noVerifyByDefault()
  //.rejectByDefault()
  //.verifyFingerprintByDefault("SHA-256", "00:00:...", ...)
  //.verifySignaturesOnlyByDefault()
  //.verifyAllByDefault()
  .build()

public interface ClientTrustManagerAction {
  static ClientTrustManagerAction noVerify() { ... }
  static ClientTrustManagerAction reject() { ... }
  static ClientTrustManagerAction verifySignaturesOnly() { ... }
  static ClientTrustManagerAction verifyFingerprintsOnly(String algo, String... fingerprints) { ... }
  static ClientTrustManagerAction verifyAll() { ... }
  
  void checkServerTrusted(X509Certificate[] chain,
        String authType, SSLEngine engine) throws CertificateException;
}

Once this is implemented, we could:

  • Deprecate some methods like tlsNoVerifyHosts().
  • Add ClientFactory.tlsTrustManager(TrustManager) for convenience, because otherwise a user has to do:
    clientFactory.tlsCustomizer(sslCtxBuilder -> {
      sslCtxBuilder.trustManager(...);
    });
    

Some examples:

// Do not check endpoint identification.
ClientFactory
  .builder()
  .tlsTrustManager(ClientTrustManagers.verifySignaturesOnly())
  .build();

// Disable endpoint identification only for *.foo.com.
ClientFactory
  .builder()
  .tlsTrustManager(
    ClientTrustManagers
      .builder()
      .verifySignaturesOnly("*.foo.com")
      .build()
  )
  .build();
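As an added example (neither Armeria's code nor the issue author's), the sketch above can be realised in plain JSSE as an X509ExtendedTrustManager that selects one of the four actions per peer host, with the default action applying to everything else. The names PerHostTrustManager, Action, on() and byDefault() are my own; it assumes Java 17+ (for HexFormat) and that the SSLEngine was created with the peer host name, as Netty-based clients do.

```java
import java.net.Socket;
import java.security.*;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;
public final class PerHostTrustManager extends X509ExtendedTrustManager {
    @FunctionalInterface interface Action { void check(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException; }
    private final X509ExtendedTrustManager defaultTm;                  // JDK default (cacerts): chain signatures, plus host name when given an engine
    private final Map<String, Action> actions = new LinkedHashMap<>(); // insertion order: the first matching pattern wins
    private Action fallback;                                           // applies when no pattern matches (the "...ByDefault()" of the sketch)
    PerHostTrustManager() throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        defaultTm = (X509ExtendedTrustManager) tmf.getTrustManagers()[0];
        fallback = verifyAll();                                        // (4) by default, as the issue proposes
    }
    PerHostTrustManager on(String pattern, Action a) { actions.put(pattern.toLowerCase(Locale.ROOT), a); return this; }
    PerHostTrustManager byDefault(Action a) { fallback = a; return this; }
    // (4): the JDK checks the host name only if the engine's SSLParameters set endpointIdentificationAlgorithm to "HTTPS".
    Action verifyAll() { return (c, t, e) -> defaultTm.checkServerTrusted(c, t, e); }
    // (2): the two-argument overload validates the chain against the trust store but never looks at the host name.
    Action verifySignaturesOnly() { return (c, t, e) -> defaultTm.checkServerTrusted(c, t); }
    static Action noVerify() { return (c, t, e) -> {}; }                                                  // (1)
    static Action reject() { return (c, t, e) -> { throw new CertificateException("rejected by policy"); }; }
    // (3): digest of the leaf certificate must equal one pin (hex, ':' separators optional); nothing else is checked.
    static Action verifyFingerprintOnly(String algorithm, String... pins) {
        return (chain, authType, engine) -> {
            byte[] actual; try { actual = MessageDigest.getInstance(algorithm).digest(chain[0].getEncoded()); } catch (NoSuchAlgorithmException e) { throw new CertificateException(e); }
            for (String pin : pins) if (MessageDigest.isEqual(actual, HexFormat.of().parseHex(pin.replace(":", "")))) return; // constant-time compare
            throw new CertificateException("no " + algorithm + " pin matched " + chain[0].getSubjectX500Principal());
        };
    }
    static boolean matches(String pattern, String host) {
        if (host == null) return false; host = host.toLowerCase(Locale.ROOT);
        if (!pattern.startsWith("*.")) return pattern.equals(host);
        String suffix = pattern.substring(1);                                                          // "*.b.com" -> ".b.com"
        return host.endsWith(suffix) && host.indexOf('.') == host.length() - suffix.length();          // exactly one label, like an X.509 wildcard
    }
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException {
        String host = engine == null ? null : engine.getPeerHost();                                    // set by SSLContext.createSSLEngine(host, port)
        for (Map.Entry<String, Action> e : actions.entrySet()) if (matches(e.getKey(), host)) { e.getValue().check(chain, authType, engine); return; }
        fallback.check(chain, authType, engine);                                                       // no engine => no host => fallback only
    }
    @Override public void checkServerTrusted(X509Certificate[] c, String t) throws CertificateException { checkServerTrusted(c, t, (SSLEngine) null); }
    @Override public void checkServerTrusted(X509Certificate[] c, String t, Socket s) throws CertificateException { checkServerTrusted(c, t, (SSLEngine) null); }
    @Override public void checkClientTrusted(X509Certificate[] c, String t) throws CertificateException { throw new CertificateException("client-side only"); }
    @Override public void checkClientTrusted(X509Certificate[] c, String t, Socket s) throws CertificateException { checkClientTrusted(c, t); }
    @Override public void checkClientTrusted(X509Certificate[] c, String t, SSLEngine e) throws CertificateException { checkClientTrusted(c, t); }
    @Override public X509Certificate[] getAcceptedIssuers() { return defaultTm.getAcceptedIssuers(); }
}
```

Wire it as `new PerHostTrustManager().on("*.foo.com", tm.verifySignaturesOnly()).on("d.com", PerHostTrustManager.verifyFingerprintOnly("SHA-256", "<hex pin placeholder>"))` and hand the result to the SSL context builder. Note that verifyAll() degrades to (2) whenever the engine lacks endpoint identification or the no-engine overloads are used, so a client that wants (4) must enable "HTTPS" endpoint identification on its SSLParameters.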


Top GitHub Comments

amitvc commented, Feb 8, 2022

@trustin @ikhoon Working on this starting Feb 07.

amitvc commented, Feb 8, 2022

Working on implementing a trie data structure in order to search ClientTrustManagerAction based on the hostname URL pattern. We will support the following patterns:

  • Exact match (e.g. hostname -> a.com)
  • Partial match (e.g. hostname -> a.*.com or abc.*) should match a.b.com or a.z.com or abc.com or abc.net