
Example 6 with DefaultHostnameVerifier

use of org.apache.http.conn.ssl.DefaultHostnameVerifier in project ovirt-engine-sdk-java by oVirt.

the class ConnectionBuilder45 method createConnectionSocketFactoryRegistry.

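/**
 * Builds the connection socket factory registry for the configured protocol.
 *
 * <p>For {@code HTTP_PROTOCOL} a plain socket factory is registered. For
 * {@code HTTPS_PROTOCOL} the registry holds an SSL factory whose trust decisions
 * depend on the {@code insecure} flag: when it is set the context is initialised
 * with {@code noCaTrustManager} and hostname verification is disabled through
 * {@link NoopHostnameVerifier}, so neither the certificate chain nor the server
 * name is checked; otherwise the trust store named by {@code trustStoreFile} (if
 * any) is loaded and {@link DefaultHostnameVerifier} enforces the host name. When
 * no trust store file is given the builder is left with no explicit trust
 * material, which leaves the JVM default trust store in effect.
 *
 * @return a registry keyed by protocol scheme; never {@code null}
 * @throws Error on an unsupported protocol, or when the TLS setup fails (the
 *         underlying exception is kept as the cause)
 */
private Registry<ConnectionSocketFactory> createConnectionSocketFactoryRegistry() {
    String protocol = getProtocol();
    // Plain connection: nothing to configure beyond the default factory.
    if (HTTP_PROTOCOL.equals(protocol)) {
        ConnectionSocketFactory plainsf = PlainConnectionSocketFactory.getSocketFactory();
        return RegistryBuilder.<ConnectionSocketFactory>create().register(HTTP_PROTOCOL, plainsf).build();
    }
    if (!HTTPS_PROTOCOL.equals(protocol)) {
        throw new Error(BAD_PROTOCOL_ERROR + protocol);
    }
    // SSL/TLS connection.
    try {
        LayeredConnectionSocketFactory sslsf;
        if (this.insecure) {
            // Insecure mode: any chain is accepted and hostname checks are skipped,
            // so the peer is not authenticated at all. Intended for hosts without a
            // CA-issued certificate, never for production traffic.
            SSLContext sslcontext = SSLContext.getInstance("TLS");
            sslcontext.init(null, new TrustManager[] { noCaTrustManager }, null);
            sslsf = new SSLConnectionSocketFactory(sslcontext, NoopHostnameVerifier.INSTANCE);
        } else {
            SSLContextBuilder sslContextBuilder = SSLContexts.custom();
            if (trustStoreFile != null) {
                // A null password is passed through as-is; loadTrustMaterial accepts it.
                char[] trustStorePwd = this.trustStorePassword != null ? this.trustStorePassword.toCharArray() : null;
                sslContextBuilder.loadTrustMaterial(new File(trustStoreFile), trustStorePwd);
            }
            SSLContext sslContext = sslContextBuilder.build();
            sslsf = new SSLConnectionSocketFactory(sslContext, new DefaultHostnameVerifier());
        }
        return RegistryBuilder.<ConnectionSocketFactory>create().register(HTTPS_PROTOCOL, sslsf).build();
    } catch (NoSuchAlgorithmException e) {
        throw new Error(NO_TLS_ERROR, e);
    } catch (KeyManagementException e) {
        throw new Error(BAD_KEY_ERROR, e);
    } catch (KeyStoreException e) {
        throw new Error(KEY_STORE_ERROR, e);
    } catch (FileNotFoundException e) {
        // Must precede the IOException handler: FileNotFoundException is a subclass.
        throw new Error(KEY_STORE_FILE_NOT_FOUND_ERROR, e);
    } catch (CertificateException e) {
        throw new Error(CERTIFICATE_ERROR, e);
    } catch (IOException e) {
        throw new Error(IO_ERROR, e);
    }
}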
Also used : LayeredConnectionSocketFactory(org.apache.http.conn.socket.LayeredConnectionSocketFactory) FileNotFoundException(java.io.FileNotFoundException) Error(org.ovirt.engine.sdk4.Error) CertificateException(java.security.cert.CertificateException) Registry(org.apache.http.config.Registry) SSLContext(javax.net.ssl.SSLContext) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) KeyStoreException(java.security.KeyStoreException) IOException(java.io.IOException) SSLConnectionSocketFactory(org.apache.http.conn.ssl.SSLConnectionSocketFactory) KeyManagementException(java.security.KeyManagementException) TrustManager(javax.net.ssl.TrustManager) PlainConnectionSocketFactory(org.apache.http.conn.socket.PlainConnectionSocketFactory) SSLConnectionSocketFactory(org.apache.http.conn.ssl.SSLConnectionSocketFactory) LayeredConnectionSocketFactory(org.apache.http.conn.socket.LayeredConnectionSocketFactory) ConnectionSocketFactory(org.apache.http.conn.socket.ConnectionSocketFactory) DefaultHostnameVerifier(org.apache.http.conn.ssl.DefaultHostnameVerifier) SSLContextBuilder(org.apache.http.ssl.SSLContextBuilder) File(java.io.File)

Example 7 with DefaultHostnameVerifier

use of org.apache.http.conn.ssl.DefaultHostnameVerifier in project nifi by apache.

the class AbstractAWSProcessor method createConfiguration.

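/**
 * Builds the AWS {@link ClientConfiguration} used by this processor.
 *
 * <p>Connection limits, retries, user agent, protocol and timeouts come from the
 * processor context and the class constants. When an {@code SSL_CONTEXT_SERVICE}
 * is configured its context is installed on the Apache HTTP client together
 * with a {@link DefaultHostnameVerifier}. When {@code PROXY_HOST} is set, the
 * proxy host and port are applied.
 *
 * @param context the processor context the properties are read from
 * @return the populated client configuration
 * @throws NullPointerException if {@code PROXY_HOST} is set but no proxy port
 *         value is available
 */
protected ClientConfiguration createConfiguration(final ProcessContext context) {
    final ClientConfiguration config = new ClientConfiguration();
    config.setMaxConnections(context.getMaxConcurrentTasks());
    config.setMaxErrorRetry(0);
    config.setUserAgent(DEFAULT_USER_AGENT);
    // If this is changed to be a property, ensure other uses are also changed
    config.setProtocol(DEFAULT_PROTOCOL);
    final int commsTimeout = context.getProperty(TIMEOUT).asTimePeriod(TimeUnit.MILLISECONDS).intValue();
    config.setConnectionTimeout(commsTimeout);
    config.setSocketTimeout(commsTimeout);
    final SSLContextService sslContextService = context.getProperty(SSL_CONTEXT_SERVICE).asControllerService(SSLContextService.class);
    if (sslContextService != null) {
        final SSLContext sslContext = sslContextService.createSSLContext(SSLContextService.ClientAuth.NONE);
        // NIFI-3788: Changed hostnameVerifier from null to DHV (BrowserCompatibleHostnameVerifier is deprecated)
        final SdkTLSSocketFactory sdkTLSSocketFactory = new SdkTLSSocketFactory(sslContext, new DefaultHostnameVerifier());
        config.getApacheHttpClientConfig().setSslSocketFactory(sdkTLSSocketFactory);
    }
    if (context.getProperty(PROXY_HOST).isSet()) {
        final String proxyHost = context.getProperty(PROXY_HOST).evaluateAttributeExpressions().getValue();
        config.setProxyHost(proxyHost);
        final Integer proxyPort = context.getProperty(PROXY_HOST_PORT).evaluateAttributeExpressions().asInteger();
        // asInteger() yields a boxed value that may be null when the port property
        // is absent; unboxing it in setProxyPort(int) would fail with a bare NPE,
        // so name the missing setting instead (same exception type as before).
        config.setProxyPort(java.util.Objects.requireNonNull(proxyPort, "Proxy host is set but no proxy port is configured"));
    }
    return config;
}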
Also used : SdkTLSSocketFactory(com.amazonaws.http.conn.ssl.SdkTLSSocketFactory) DefaultHostnameVerifier(org.apache.http.conn.ssl.DefaultHostnameVerifier) SSLContextService(org.apache.nifi.ssl.SSLContextService) SSLContext(javax.net.ssl.SSLContext) ClientConfiguration(com.amazonaws.ClientConfiguration)

Example 8 with DefaultHostnameVerifier

use of org.apache.http.conn.ssl.DefaultHostnameVerifier in project nutch by apache.

the class ElasticRestIndexWriter method open.

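/**
 * Opens the Elasticsearch REST (Jest) client from the job configuration.
 *
 * <p>Reads hosts, port, credentials, scheme, languages, separator, sink and
 * bulk settings from {@code conf}, builds the client and initialises the bulk
 * builder. The {@code name} argument is not used here.
 *
 * <p>TLS: the SSL context built here accepts every certificate chain (the
 * {@link TrustStrategy} always returns {@code true}), so server identity rests on
 * hostname verification alone. Hostname checks are disabled when
 * {@code ElasticRestConstants.HOSTNAME_TRUST} is set. The chosen verifier is
 * applied to both the synchronous socket factory and the asynchronous I/O
 * session strategy so the setting covers both call paths.
 *
 * @param conf the job configuration
 * @param name unused
 * @throws IOException if a node URL cannot be formed from host and port
 * @throws IllegalStateException when no hosts are configured or the port is {@code <= 1}
 * @throws SecurityException when the SSL context cannot be created; the original
 *         exception is attached as the cause
 */
@Override
public void open(Configuration conf, String name) throws IOException {
    hosts = conf.getStrings(ElasticRestConstants.HOST);
    port = conf.getInt(ElasticRestConstants.PORT, 9200);
    user = conf.get(ElasticRestConstants.USER);
    password = conf.get(ElasticRestConstants.PASSWORD);
    https = conf.getBoolean(ElasticRestConstants.HTTPS, false);
    trustAllHostnames = conf.getBoolean(ElasticRestConstants.HOSTNAME_TRUST, false);
    languages = conf.getStrings(ElasticRestConstants.LANGUAGES);
    separator = conf.get(ElasticRestConstants.SEPARATOR, DEFAULT_SEPARATOR);
    sink = conf.get(ElasticRestConstants.SINK, DEFAULT_SINK);
    // NOTE(review): this trust strategy accepts ANY certificate chain, so chain
    // validation cannot detect a forged or self-signed server certificate. A
    // configurable trust store would be the safer default when HTTPS is on.
    SSLContext sslContext;
    try {
        sslContext = new SSLContextBuilder().loadTrustMaterial(new TrustStrategy() {

            public boolean isTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                return true;
            }
        }).build();
    } catch (NoSuchAlgorithmException | KeyManagementException | KeyStoreException e) {
        LOG.error("Failed to instantiate sslcontext object: \n{}", ExceptionUtils.getStackTrace(e));
        // Keep the original exception as the cause rather than discarding it.
        throw new SecurityException(e);
    }
    // Hostname verification is the only remaining server-identity check; it is
    // skipped only when HOSTNAME_TRUST is explicitly set.
    final HostnameVerifier hostnameVerifier;
    if (trustAllHostnames) {
        hostnameVerifier = NoopHostnameVerifier.INSTANCE;
    } else {
        hostnameVerifier = new DefaultHostnameVerifier();
    }
    // The verifier is handed to the sync factory as well; before, only the async
    // strategy received it and sync calls ignored the HOSTNAME_TRUST setting.
    SSLConnectionSocketFactory sslSocketFactory = new SSLConnectionSocketFactory(sslContext, hostnameVerifier);
    SchemeIOSessionStrategy httpsIOSessionStrategy = new SSLIOSessionStrategy(sslContext, hostnameVerifier);
    JestClientFactory jestClientFactory = new JestClientFactory();
    if (hosts == null || hosts.length == 0 || port <= 1) {
        throw new IllegalStateException("No hosts or port specified. Please set the host and port in nutch-site.xml");
    }
    List<String> urlsOfElasticsearchNodes = new ArrayList<String>();
    for (String host : hosts) {
        urlsOfElasticsearchNodes.add(new URL(https ? "https" : "http", host, port, "").toString());
    }
    HttpClientConfig.Builder builder = new HttpClientConfig.Builder(urlsOfElasticsearchNodes).multiThreaded(true).connTimeout(300000).readTimeout(300000);
    if (https) {
        if (user != null && password != null) {
            builder.defaultCredentials(user, password);
        }
        // sslSocketFactory only affects sync calls; httpsIOSessionStrategy only async calls.
        builder.defaultSchemeForDiscoveredNodes("https").sslSocketFactory(sslSocketFactory).httpsIOSessionStrategy(httpsIOSessionStrategy);
    }
    jestClientFactory.setHttpClientConfig(builder.build());
    client = jestClientFactory.getObject();
    defaultIndex = conf.get(ElasticRestConstants.INDEX, "nutch");
    defaultType = conf.get(ElasticRestConstants.TYPE, "doc");
    maxBulkDocs = conf.getInt(ElasticRestConstants.MAX_BULK_DOCS, DEFAULT_MAX_BULK_DOCS);
    maxBulkLength = conf.getInt(ElasticRestConstants.MAX_BULK_LENGTH, DEFAULT_MAX_BULK_LENGTH);
    bulkBuilder = new Bulk.Builder().defaultIndex(defaultIndex).defaultType(defaultType);
}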
Also used : TrustStrategy(org.apache.http.ssl.TrustStrategy) ArrayList(java.util.ArrayList) CertificateException(java.security.cert.CertificateException) SSLIOSessionStrategy(org.apache.http.nio.conn.ssl.SSLIOSessionStrategy) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) SSLConnectionSocketFactory(org.apache.http.conn.ssl.SSLConnectionSocketFactory) KeyManagementException(java.security.KeyManagementException) URL(java.net.URL) DefaultHostnameVerifier(org.apache.http.conn.ssl.DefaultHostnameVerifier) SSLContextBuilder(org.apache.http.ssl.SSLContextBuilder) HttpClientConfig(io.searchbox.client.config.HttpClientConfig) SchemeIOSessionStrategy(org.apache.http.nio.conn.SchemeIOSessionStrategy) SSLContext(javax.net.ssl.SSLContext) KeyStoreException(java.security.KeyStoreException) JestClientFactory(io.searchbox.client.JestClientFactory) Bulk(io.searchbox.core.Bulk) X509Certificate(java.security.cert.X509Certificate) NoopHostnameVerifier(org.apache.http.conn.ssl.NoopHostnameVerifier) HostnameVerifier(javax.net.ssl.HostnameVerifier) DefaultHostnameVerifier(org.apache.http.conn.ssl.DefaultHostnameVerifier)

Example 9 with DefaultHostnameVerifier

use of org.apache.http.conn.ssl.DefaultHostnameVerifier in project gateway-dubbox by zhuzhong.

the class OpenApiHttpAsynClientServiceImpl method initHttpAsynClient.

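/**
 * Initialises {@code httpAsyncClient} with a pooling NIO connection manager.
 *
 * <p>The client uses a lenient response header parser (a header line that fails
 * to parse is kept as a header with a {@code null} value), an SSL context from
 * {@code createIgnoreVerifySSL()}, a DNS resolver that maps the literal host
 * {@code "myhost"} to the loopback address, UTF-8 connection encoding with
 * malformed input ignored, and a pool of at most 100 connections (10 per route).
 *
 * @throws IOReactorException when the connecting I/O reactor cannot be created
 * @throws IllegalStateException when the SSL context cannot be created; the
 *         original exception is attached as the cause
 */
private void initHttpAsynClient() throws IOReactorException {
    // Custom response parser: tolerate malformed header lines instead of failing
    // the whole response.
    NHttpMessageParserFactory<HttpResponse> responseParserFactory = new DefaultHttpResponseParserFactory() {

        @Override
        public NHttpMessageParser<HttpResponse> create(final SessionInputBuffer buffer, final MessageConstraints constraints) {
            LineParser lineParser = new BasicLineParser() {

                @Override
                public Header parseHeader(final CharArrayBuffer buffer) {
                    try {
                        return super.parseHeader(buffer);
                    } catch (ParseException ex) {
                        return new BasicHeader(buffer.toString(), null);
                    }
                }
            };
            return new DefaultHttpResponseParser(buffer, lineParser, DefaultHttpResponseFactory.INSTANCE, constraints);
        }
    };
    NHttpMessageWriterFactory<HttpRequest> requestWriterFactory = new DefaultHttpRequestWriterFactory();
    // Connection factory that carries the parser/writer above into every
    // outgoing connection.
    NHttpConnectionFactory<ManagedNHttpClientConnection> connFactory = new ManagedNHttpClientConnectionFactory(requestWriterFactory, responseParserFactory, HeapByteBufferAllocator.INSTANCE);
    // NOTE(review): createIgnoreVerifySSL() is named as if it disables certificate
    // verification; if that is the case, the server's certificate chain is not
    // authenticated and only the HTTPS strategy's hostname check remains.
    SSLContext sslcontext;
    try {
        sslcontext = this.createIgnoreVerifySSL();
    } catch (KeyManagementException | NoSuchAlgorithmException e) {
        // Previously the exception was only printed and a null context was passed
        // on, failing later with a less informative error; fail fast instead.
        throw new IllegalStateException("Unable to create SSL context for the async HTTP client", e);
    }
    // Session strategies per scheme. The HTTPS strategy is created without an
    // explicit verifier, so the strategy's own default hostname verifier applies
    // (the unused DefaultHostnameVerifier local from before was dead code).
    Registry<SchemeIOSessionStrategy> sessionStrategyRegistry = RegistryBuilder.<SchemeIOSessionStrategy>create()
            .register("http", NoopIOSessionStrategy.INSTANCE)
            .register("https", new SSLIOSessionStrategy(sslcontext))
            .build();
    // DNS resolver: "myhost" resolves to 127.0.0.1, everything else goes to the
    // system resolver. This looks like a leftover from the HttpAsyncClient
    // example; kept as-is since callers may rely on it.
    DnsResolver dnsResolver = new SystemDefaultDnsResolver() {

        @Override
        public InetAddress[] resolve(final String host) throws UnknownHostException {
            if (host.equalsIgnoreCase("myhost")) {
                return new InetAddress[] { InetAddress.getByAddress(new byte[] { 127, 0, 0, 1 }) };
            } else {
                return super.resolve(host);
            }
        }
    };
    // I/O reactor: one I/O thread per available processor, 30 s connect/socket timeouts.
    IOReactorConfig ioReactorConfig = IOReactorConfig.custom().setIoThreadCount(Runtime.getRuntime().availableProcessors()).setConnectTimeout(30000).setSoTimeout(30000).build();
    ConnectingIOReactor ioReactor = new DefaultConnectingIOReactor(ioReactorConfig);
    PoolingNHttpClientConnectionManager connManager = new PoolingNHttpClientConnectionManager(ioReactor, connFactory, sessionStrategyRegistry, dnsResolver);
    // Bound header count and line length to limit what a peer can make us buffer.
    MessageConstraints messageConstraints = MessageConstraints.custom().setMaxHeaderCount(200).setMaxLineLength(2000).build();
    ConnectionConfig connectionConfig = ConnectionConfig.custom().setMalformedInputAction(CodingErrorAction.IGNORE).setUnmappableInputAction(CodingErrorAction.IGNORE).setCharset(Consts.UTF_8).setMessageConstraints(messageConstraints).build();
    connManager.setDefaultConnectionConfig(connectionConfig);
    // Pool limits for persistent connections kept or leased by the manager.
    connManager.setMaxTotal(100);
    connManager.setDefaultMaxPerRoute(10);
    // Only the connection manager is installed on the client; no cookie store or
    // request config is applied (the previous versions of those locals were
    // built but never passed to the builder).
    httpAsyncClient = HttpAsyncClients.custom().setConnectionManager(connManager).build();
}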
Also used : ConnectingIOReactor(org.apache.http.nio.reactor.ConnectingIOReactor) DefaultConnectingIOReactor(org.apache.http.impl.nio.reactor.DefaultConnectingIOReactor) CharArrayBuffer(org.apache.http.util.CharArrayBuffer) SSLIOSessionStrategy(org.apache.http.nio.conn.ssl.SSLIOSessionStrategy) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) SystemDefaultDnsResolver(org.apache.http.impl.conn.SystemDefaultDnsResolver) KeyManagementException(java.security.KeyManagementException) IOReactorConfig(org.apache.http.impl.nio.reactor.IOReactorConfig) BasicLineParser(org.apache.http.message.BasicLineParser) LineParser(org.apache.http.message.LineParser) DefaultHostnameVerifier(org.apache.http.conn.ssl.DefaultHostnameVerifier) DefaultHttpResponseParser(org.apache.http.impl.nio.codecs.DefaultHttpResponseParser) PoolingNHttpClientConnectionManager(org.apache.http.impl.nio.conn.PoolingNHttpClientConnectionManager) ConnectionConfig(org.apache.http.config.ConnectionConfig) HttpRequest(org.apache.http.HttpRequest) SystemDefaultDnsResolver(org.apache.http.impl.conn.SystemDefaultDnsResolver) DnsResolver(org.apache.http.conn.DnsResolver) RequestConfig(org.apache.http.client.config.RequestConfig) SessionInputBuffer(org.apache.http.nio.reactor.SessionInputBuffer) SchemeIOSessionStrategy(org.apache.http.nio.conn.SchemeIOSessionStrategy) ManagedNHttpClientConnection(org.apache.http.nio.conn.ManagedNHttpClientConnection) HttpResponse(org.apache.http.HttpResponse) BasicLineParser(org.apache.http.message.BasicLineParser) SSLContext(javax.net.ssl.SSLContext) ManagedNHttpClientConnectionFactory(org.apache.http.impl.nio.conn.ManagedNHttpClientConnectionFactory) DefaultHttpRequestWriterFactory(org.apache.http.impl.nio.codecs.DefaultHttpRequestWriterFactory) HostnameVerifier(javax.net.ssl.HostnameVerifier) DefaultHostnameVerifier(org.apache.http.conn.ssl.DefaultHostnameVerifier) DefaultHttpResponseParserFactory(org.apache.http.impl.nio.codecs.DefaultHttpResponseParserFactory) 
DefaultConnectingIOReactor(org.apache.http.impl.nio.reactor.DefaultConnectingIOReactor) CookieStore(org.apache.http.client.CookieStore) BasicCookieStore(org.apache.http.impl.client.BasicCookieStore) BasicCookieStore(org.apache.http.impl.client.BasicCookieStore) MessageConstraints(org.apache.http.config.MessageConstraints) ParseException(org.apache.http.ParseException) InetAddress(java.net.InetAddress) BasicHeader(org.apache.http.message.BasicHeader)

Example 10 with DefaultHostnameVerifier

use of org.apache.http.conn.ssl.DefaultHostnameVerifier in project i2p.i2p by i2p.

the class I2PSSLSocketFactory method verifyHostname.

/**
 *  Validate the hostname against the peer certificate held by the
 *  SSLSocket's session.
 *
 *  Verification is skipped, with a warning, when PROP_DISABLE is set in
 *  the context or when the host is a loopback name or address. On Android
 *  the platform default verifier is used; elsewhere Apache's
 *  DefaultHostnameVerifier is used, because the Oracle/OpenJDK default
 *  verifier is only designed to be consulted on a mismatch and always
 *  returns false (see the third ref), and the real check lives in an
 *  internal sun.security API.
 *
 *  ref: https://developer.android.com/training/articles/security-ssl.html
 *  ref: http://op-co.de/blog/posts/java_sslsocket_mitm/
 *  ref: http://kevinlocke.name/bits/2012/10/03/ssl-certificate-verification-in-dispatch-and-asynchttpclient/
 *
 *  @param ctx    application context used for logging and PROP_DISABLE
 *  @param socket a socket whose session already holds the peer certificate
 *  @param host   the host name the caller intended to reach
 *  @throws SSLException on hostname verification failure
 *  @since 0.9.20
 */
public static void verifyHostname(I2PAppContext ctx, SSLSocket socket, String host) throws SSLException {
    Log log = ctx.logManager().getLog(I2PSSLSocketFactory.class);
    // Skip when disabled by property, or for loopback targets. The property is
    // read first so that host is only touched when it has to be.
    boolean skipCheck = ctx.getBooleanProperty(PROP_DISABLE);
    if (!skipCheck) {
        String[] loopbackNames = { "localhost", "127.0.0.1", "::1", "0:0:0:0:0:0:0:1" };
        for (String candidate : loopbackNames) {
            if (host.equals(candidate)) {
                skipCheck = true;
                break;
            }
        }
    }
    if (skipCheck) {
        if (log.shouldWarn()) {
            log.warn("Skipping hostname validation for " + host);
        }
        return;
    }
    // Android's default verifier is usable directly; on Oracle/OpenJDK the
    // default is not (see the class refs), so fall back to Apache's
    // implementation with the context's public-suffix matcher.
    HostnameVerifier verifier = SystemVersion.isAndroid()
            ? HttpsURLConnection.getDefaultHostnameVerifier()
            : new DefaultHostnameVerifier(getDefaultMatcher(ctx));
    SSLSession session = socket.getSession();
    // The expected host is passed in explicitly; the original author attributes
    // this to the lack of SNI support in the SSLSocket in use.
    boolean matches = verifier.verify(host, session);
    if (!matches) {
        // Enable logging for DefaultHostnameVerifier to see the CN and SANs.
        throw new SSLHandshakeException("SSL hostname verify failed, Expected " + host + " - set " + PROP_DISABLE + "=true to disable verification (dangerous!)");
    }
    // At this point SSLSocket has performed certificate verification and we
    // have performed hostname verification, so it is safe to proceed.
}
Also used : DefaultHostnameVerifier(org.apache.http.conn.ssl.DefaultHostnameVerifier) SSLSession(javax.net.ssl.SSLSession) SSLHandshakeException(javax.net.ssl.SSLHandshakeException) HostnameVerifier(javax.net.ssl.HostnameVerifier) DefaultHostnameVerifier(org.apache.http.conn.ssl.DefaultHostnameVerifier)
