spring-cloud/spring-cloud-netflix

Eureka Client over SSL with NoopHostnameVerifier

Open

#3611 opened on Jul 29, 2019

Labels: enhancement, help wanted


Description

Hi folks,

I'm trying to override the default SSL configuration for the Eureka client using NoopHostnameVerifier, but for some reason it is still trying to verify the hostname. Could anyone help me with that, please?

I followed the code example from https://github.com/spring-cloud/spring-cloud-netflix/issues/1711#issuecomment-282340580

```java
import java.io.InputStream;
import java.security.KeyStore;

import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.scheme.SchemeRegistry;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
import org.apache.http.ssl.SSLContexts;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.core.io.FileSystemResource;

import com.netflix.discovery.DiscoveryClient;
import com.netflix.discovery.EurekaClientConfig;
import com.netflix.discovery.converters.wrappers.CodecWrappers;
import com.netflix.discovery.provider.DiscoveryJerseyProvider;
import com.netflix.discovery.shared.MonitoredConnectionManager;
import com.netflix.discovery.shared.transport.jersey.EurekaJerseyClientImpl;
import com.netflix.discovery.shared.transport.jersey.SSLSocketFactoryAdapter;
import com.sun.jersey.api.client.config.ClientConfig;
import com.sun.jersey.api.client.config.DefaultClientConfig;
import com.sun.jersey.client.apache4.config.ApacheHttpClient4Config;

@Profile("prod")
@Configuration
class SslNoopHostnameVerifierConfiguration {

    @Value("${service.security.trustStorePath:/etc/ssl/truststore.jks}")
    private String trustStorePath;

    @Value("${service.security.trustStorePassword:changeit}")
    private String trustStorePassword;

    @Value("${service.security.trustStoreType:JKS}")
    private String trustStoreType;

    @Value("${server.port:8443}")
    private Integer serverPort;

    @Autowired
    EurekaClientConfig config;

    @Bean
    public DiscoveryClient.DiscoveryClientOptionalArgs getTrustStoredEurekaClient()
        throws Exception {
        // Load the trust store from disk; close the stream once the key store has read it.
        final KeyStore trustStore = KeyStore.getInstance(trustStoreType);
        try (InputStream in = new FileSystemResource(trustStorePath).getInputStream()) {
            trustStore.load(in, trustStorePassword.toCharArray());
        }

        // Socket factory that trusts the store (plus any self-signed cert) and skips
        // hostname verification. This only applies to the Jersey client built below.
        SSLConnectionSocketFactory systemSocketFactory = new SSLConnectionSocketFactory(
            SSLContexts
                .custom()
                .loadTrustMaterial(trustStore, new TrustSelfSignedStrategy())
                .build(),
            new NoopHostnameVerifier());

        // Register the custom https scheme with a monitored connection manager.
        SchemeRegistry sslSchemeRegistry = new SchemeRegistry();
        Scheme schema = new Scheme("https", serverPort, new SSLSocketFactoryAdapter(systemSocketFactory));
        sslSchemeRegistry.register(schema);
        String name = "Custom-Discovery-Client";
        MonitoredConnectionManager connectionManager = new MonitoredConnectionManager(name, sslSchemeRegistry);
        ClientConfig clientConfig = new DefaultClientConfig();
        clientConfig.getProperties().put(ApacheHttpClient4Config.PROPERTY_CONNECTION_MANAGER, connectionManager);

        // Same codecs the default Eureka client would use.
        DiscoveryJerseyProvider discoveryJerseyProvider = new DiscoveryJerseyProvider(
            CodecWrappers.getEncoder(config.getEncoderName()),
            CodecWrappers.resolveDecoder(config.getDecoderName(), config.getClientDataAccept()));

        clientConfig.getSingletons().add(discoveryJerseyProvider);

        // Hand the custom Jersey client to the DiscoveryClient via its optional args.
        DiscoveryClient.DiscoveryClientOptionalArgs clientOptionalArgs = new DiscoveryClient.DiscoveryClientOptionalArgs();
        clientOptionalArgs.setEurekaJerseyClient(new EurekaJerseyClientImpl(
            config.getEurekaServerConnectTimeoutSeconds() * 1000,
            config.getEurekaServerReadTimeoutSeconds() * 1000,
            config.getEurekaConnectionIdleTimeoutSeconds() * 1000,
            clientConfig));
        return clientOptionalArgs;
    }

}
```

Exception

```
com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLPeerUnverifiedException: Certificate for <localhost> doesn't match any of the subject alternative names: [www.spendingbetter.com, spendingbetter.com]
	at com.sun.jersey.client.apache4.ApacheHttpClient4Handler.handle(ApacheHttpClient4Handler.java:187) ~[jersey-apache-client4-1.19.1.jar:1.19.1]
	at com.netflix.eureka.cluster.DynamicGZIPContentEncodingFilter.handle(DynamicGZIPContentEncodingFilter.java:48) ~[eureka-core-1.9.8.jar:1.9.8]
	at com.netflix.discovery.EurekaIdentityHeaderFilter.handle(EurekaIdentityHeaderFilter.java:27) ~[eureka-client-1.9.8.jar:1.9.8]
	at com.sun.jersey.api.client.Client.handle(Client.java:652) ~[jersey-client-1.19.1.jar:1.19.1]
	at com.sun.jersey.api.client.WebResource.handle(WebResource.java:682) ~[jersey-client-1.19.1.jar:1.19.1]
	at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74) ~[jersey-client-1.19.1.jar:1.19.1]
	at com.sun.jersey.api.client.WebResource$Builder.post(WebResource.java:570) ~[jersey-client-1.19.1.jar:1.19.1]
	at com.netflix.eureka.transport.JerseyReplicationClient.submitBatchUpdates(JerseyReplicationClient.java:116) ~[eureka-core-1.9.8.jar:1.9.8]
	at com.netflix.eureka.cluster.ReplicationTaskProcessor.process(ReplicationTaskProcessor.java:80) ~[eureka-core-1.9.8.jar:1.9.8]
	at com.netflix.eureka.util.batcher.TaskExecutors$BatchWorkerRunnable.run(TaskExecutors.java:193) [eureka-core-1.9.8.jar:1.9.8]
	at java.lang.Thread.run(Thread.java:748) [na:1.8.0_212]
```

Version: Spring Boot 2.1.2.RELEASE, Spring Cloud Greenwich.RC2
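Two things worth noting from the trace above. First, the failing request originates in `com.netflix.eureka.transport.JerseyReplicationClient` (eureka-core, the server's peer-to-peer replication path), not in the `DiscoveryClient` that the `DiscoveryClientOptionalArgs` bean configures, so that bean's socket factory is never consulted for this request. Second, the verifier in the issue's configuration combines `TrustSelfSignedStrategy` with `NoopHostnameVerifier`, which accepts any self-signed certificate from any host; the mismatch itself is just that the peer is addressed as `localhost` while the certificate is issued for `spendingbetter.com` / `www.spendingbetter.com`, so addressing the peer by one of those names is the smallest fix. Where the dialed address really must differ from the certificate name, the following is an added example (not code from the issue or from Spring Cloud Netflix) of a narrower alternative to `NoopHostnameVerifier`: a `HostnameVerifier` that still performs standard SAN/CN matching via HttpClient's `DefaultHostnameVerifier`, but checks the certificate against the name the peer is expected to carry. The class name, the `localhost` to `spendingbetter.com` mapping and the `socketFactory` helper are assumptions made for the example.

```java
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Locale;
import java.util.Map;

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSession;

import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;

// Added example, not from the issue or the Spring Cloud Netflix project.
// Verifies the peer certificate against the name the peer is expected to present,
// rather than the literal address that was dialed. Hosts with no mapping are checked
// against their own name, which is exactly the default behaviour.
public final class ExpectedPeerNameHostnameVerifier implements HostnameVerifier {

    // Standard RFC 2818 / RFC 6125 matching against the certificate's SAN and CN.
    private final DefaultHostnameVerifier strict = new DefaultHostnameVerifier();

    // dialed address (lower-case) -> name the certificate must be valid for
    private final Map<String, String> expectedNames;

    public ExpectedPeerNameHostnameVerifier(Map<String, String> expectedNames) {
        this.expectedNames = expectedNames;
    }

    // Pure check used by verify(): true when cert is valid for the name we expect the
    // peer behind dialedHost to present.
    public boolean matches(String dialedHost, X509Certificate cert) {
        String expected = expectedNames.getOrDefault(dialedHost.toLowerCase(Locale.ROOT), dialedHost);
        try {
            strict.verify(expected, cert);   // throws SSLException on mismatch
            return true;
        } catch (SSLException e) {
            return false;
        }
    }

    @Override
    public boolean verify(String hostname, SSLSession session) {
        try {
            Certificate[] chain = session.getPeerCertificates();
            if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
                return false;
            }
            return matches(hostname, (X509Certificate) chain[0]);
        } catch (SSLException e) {   // SSLPeerUnverifiedException: peer sent no identity
            return false;
        }
    }

    // Drop-in replacement for the socket factory in the issue. The mapping is an
    // assumption taken from the exception text: the peer is dialed as "localhost" but
    // must present a certificate valid for "spendingbetter.com".
    public static SSLConnectionSocketFactory socketFactory(SSLContext sslContext) {
        Map<String, String> peers = Collections.singletonMap("localhost", "spendingbetter.com");
        return new SSLConnectionSocketFactory(sslContext, new ExpectedPeerNameHostnameVerifier(peers));
    }
}
```

Pass the `SSLContext` built from the trust store (without `TrustSelfSignedStrategy`, so only certificates chaining to the trust store are accepted) to `socketFactory`, and use the result where the issue's code constructs `systemSocketFactory`. Unlike `NoopHostnameVerifier`, a certificate for an unrelated name is still rejected, and the mismatch remains visible in logs as an `SSLPeerUnverifiedException` rather than being silently accepted.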
