Enable host name verification for secure WebSocket client connections by default.

git-svn-id: https://svn.apache.org/repos/asf/tomcat/tc7.0.x/trunk@1833760 13f79535-47bb-0310-9956-ffa450edef68

Author: markt-asf

java/org/apache/tomcat/websocket/WsWebSocketContainer.java

@@ -53,6 +53,7 @@
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLParameters;
 import javax.net.ssl.TrustManagerFactory;
 import javax.websocket.ClientEndpoint;
 import javax.websocket.ClientEndpointConfig;
@@ -369,7 +370,7 @@ private Session connectToServerRecursive(Endpoint endpoint,
             // Regardless of whether a non-secure wrapper was created for a
             // proxy CONNECT, need to use TLS from this point on so wrap the
             // original AsynchronousSocketChannel
-            SSLEngine sslEngine = createSSLEngine(userProperties);
+            SSLEngine sslEngine = createSSLEngine(userProperties, host, port);
             channel = new AsyncChannelWrapperSecure(socketChannel, sslEngine);
         } else if (channel == null) {
             // Only need to wrap as this point if it wasn't wrapped to process a
@@ -931,7 +932,7 @@ private String readLine(ByteBuffer response) {
     }
 
 
-    private SSLEngine createSSLEngine(Map<String,Object> userProperties)
+    private SSLEngine createSSLEngine(Map<String,Object> userProperties, String host, int port)
             throws DeploymentException {
 
         try {
@@ -979,7 +980,7 @@ private SSLEngine createSSLEngine(Map<String,Object> userProperties)
                 }
             }
 
-            SSLEngine engine = sslContext.createSSLEngine();
+            SSLEngine engine = sslContext.createSSLEngine(host, port);
 
             String sslProtocolsValue =
                     (String) userProperties.get(SSL_PROTOCOLS_PROPERTY);
@@ -989,6 +990,14 @@ private SSLEngine createSSLEngine(Map<String,Object> userProperties)
 
             engine.setUseClientMode(true);
 
+            // Enable host verification
+            // Start with current settings (returns a copy)
+            SSLParameters sslParams = engine.getSSLParameters();
+            // Use HTTPS since WebSocket starts over HTTP(S)
+            sslParams.setEndpointIdentificationAlgorithm("HTTPS");
+            // Write the parameters back
+            engine.setSSLParameters(sslParams);
+
             return engine;
         } catch (Exception e) {
             throw new DeploymentException(sm.getString(

webapps/docs/changelog.xml

@@ -164,6 +164,10 @@
         <code>DecodeException</code> instead of throwing
         <code>ArrayIndexOutOfBoundsException</code>. (kfujino)
       </fix>
+      <fix>
+        Enable host name verification when using TLS with the WebSocket client.
+        (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Web applications">

webapps/docs/web-socket-howto.xml

@@ -148,10 +148,21 @@ implement its own timeout mechanism to handle these cases.</p>
      <li><code>org.apache.tomcat.websocket.SSL_TRUSTSTORE_PWD</code></li>
    </ul>
    <p>The default truststore password is <code>changeit</code>.</p>
-   <p>If the <code>org.apache.tomcat.websocket.SSL_CONTEXT</code> property is
-      set then the <code>org.apache.tomcat.websocket.SSL_TRUSTSTORE</code> and
-      <code>org.apache.tomcat.websocket.SSL_TRUSTSTORE_PWD</code> properties
-      will be ignored.</p>
+
+<p>If the <code>org.apache.tomcat.websocket.SSL_CONTEXT</code> property is
+   set then the <code>org.apache.tomcat.websocket.SSL_TRUSTSTORE</code> and
+   <code>org.apache.tomcat.websocket.SSL_TRUSTSTORE_PWD</code> properties
+   will be ignored.</p>
+
+<p>For secure server end points, host name verification is enabled by default.
+   To bypass this verification (not recommended), it is necessary to provide a
+   custom <code>SSLContext</code> via the
+   <code>org.apache.tomcat.websocket.SSL_CONTEXT</code> user property. The
+   custom <code>SSLContext</code> must be configured with a custom
+   <code>TrustManager</code> that extends
+   <code>javax.net.ssl.X509ExtendedTrustManager</code>. The desired verification
+   (or lack of verification) can then be controlled by appropriate
+   implementations of the individual abstract methods.</p>
 
 <p>When using the WebSocket client to connect to server endpoints, the number of
    HTTP redirects that the client will follow is controlled by the