You are viewing a plain text version of this content. The canonical link for it is here.
Posted to java-user@axis.apache.org by Robert Nicholson <ro...@elastica.com> on 2005/02/20 18:56:34 UTC
Correct way to disable hostname verification in Axis 1.1 and JSSE 1.0.3?
Hi,
From what I can see you've got two approaches but basically it looks
like you want to avoid the hostname verifier that exists by default in
the JSSE 1.0.3 library that simply returns false. It is not exactly
clear to me how this is done short of using...
HttpsUrlConnection.setDefaultHostNameVerifier or AxisProperties and
SunFakeTrustSocketFactory
It's not clear to me the relationship b/w these two approaches since I
know that I need to avoid the JSSE throwing
throw new IOException("HTTPS hostname wrong: should be <" +
super.url.getHost() + ">, but cert says <" + s + ">");
via HttpsClient
..
Since we are only interested in encryption and not client
authentication I don't think it is necessary to have a client side
keystore. Currently my client program simply points to the truststore
of the server.
In Axis, a socketfactory seems to be returned by a
SocketFactoryFactory... which relys on a AxisProperties
What I don't understand is short of telling HttpsUrlConnection's
defaulthostnameverifier to be anything other than the inner class
HostnameVerifier which returns false how can Axis prevent the JSSE from
executing this method and consequently having hostname verification
fail.