Ssl-config disableHostnameVerification not working


(Thom Hickey) #1

Hello … thanks in advance for any help. I’m reading and following the documentation for loose ssl-config to disable hostname verification, but I can’t get any changes in application.conf to get past the verification error. Has anyone had any luck with this?

fails at:
at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:231)
with:
java.security.cert.CertificateException: No name matching REDACTED found

I’ve tried all combinations in application.conf that I can think of as far as where to put the config option, including:

ssl-config.loose.disableHostnameVerification straight from https://lightbend.github.io/ssl-config/LooseSSL.html

Any help much appreciated!

-Thom

play: 2.6.12
scala 2.12.4


(Iaco86) #2

Hey Thom,
I’ve had similar issues setting up ssl options using ssl-config.
I think the documentation presented on the ssl-config page you linked has to be reviewed to work with Play.

In my case, I had it working using the prefix
play.ws.ssl.loose
See if the following works for you:
play.ws.ssl.loose.disableHostnameVerification=true

I’ll try to figure out if the docs are actually wrong and how to fix them.


(Thom Hickey) #3

Hi, thanks … I still get an exception:

at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:231)

We moved the host(s) behind our star cert some time ago, so I’m not stuck on this problem, but for us it persists. Any ideas?


(Iaco86) #4

Mmmm I haven’t seen any more issues after correctly enabling the loose mode…
Maybe there are other ssl-config available for DNS config?


(Thom Hickey) #5

Possibly, yes, but I would think that disableHostNameVerification would disable all host name verifications including DNS matches? What we need here is the equivalent of verifySSL=false to turn off all verification including CA trust for self-signed certs, dns match, host name match, etc.


(Iaco86) #6

I think it should, yeah… Not quite sure how to help you if the configuration change doesn’t work…
Maybe need more debugging


#7

I had a similar minor issue with the ssl config. Indeed, in the documentation there is no mention that you need to use the entry name “play.ws.ssl” with Play instead of the “ssl-config” mentioned on Lightbend’s site (referenced by Play’s documentation).

Maybe Play’s documentation should address this somehow?


(Iaco86) #8

The documentation has been fixed following a PR request I canceled because I didn’t have the CLA: https://github.com/playframework/playframework/pull/8785

It is fixed in the new 2.7 docs (https://www.playframework.com/documentation/2.7.0-RC3/WsSSL), and should be backported in 2.6.x - or so it’s labelled.
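
Added example, not part of any post above and not Play or ssl-config code: a small audit script that reports which loose SSL settings in an application.conf sit under the `play.ws.ssl` prefix the posts say Play uses, and which sit under the `ssl-config` prefix that did not work for the posters. The sample config, the function names and the one-statement-per-line HOCON subset it parses are assumptions made for the illustration.

```python
import re

# Loose settings: the first is from this thread, the second from the ssl-config loose docs.
LOOSE_KEYS = {"disableHostnameVerification", "acceptAnyCertificate"}
PLAY_PREFIX = "play.ws.ssl.loose"   # prefix reported to work in Play (posts #2, #7)
OTHER_PREFIX = "ssl-config.loose"   # prefix shown on the ssl-config site
TRUTHY = {"true", "yes", "on"}      # boolean spellings Typesafe Config accepts

def flatten(conf_text):
    """Flatten a HOCON subset (dotted keys, nested { } blocks, '#' and '//'
    comments, one statement per line) into {dotted.path: value}."""
    settings, stack = {}, []
    for raw in conf_text.splitlines():
        # Strip comments only at line start or after whitespace, so URLs survive.
        line = re.sub(r"(^|\s)(#|//).*$", "", raw).strip().rstrip(",")
        if not line:
            continue
        if line == "}":
            if stack:
                stack.pop()
            continue
        block = re.match(r'^"?([\w.\-]+)"?\s*[=:]?\s*\{$', line)
        if block:
            stack.append(block.group(1))
            continue
        pair = re.match(r'^"?([\w.\-]+)"?\s*[=:]\s*(.+)$', line)
        if pair:
            path = ".".join(stack + [pair.group(1)])
            settings[path] = pair.group(2).strip().strip('"')
    return settings

def audit(conf_text):
    """Return (active, ignored): enabled loose settings under the Play prefix,
    and enabled ones under the ssl-config prefix."""
    active, ignored = [], []
    for path, value in flatten(conf_text).items():
        prefix, _, key = path.rpartition(".")
        if key not in LOOSE_KEYS or value.lower() not in TRUTHY:
            continue
        if prefix == PLAY_PREFIX:
            active.append(path)
        elif prefix == OTHER_PREFIX:
            ignored.append(path)
    return active, ignored

# Constructed sample application.conf, not taken from the thread.
SAMPLE = """
# constructed application.conf
ssl-config.loose.disableHostnameVerification = true
play.ws.ssl {
  loose {
    acceptAnyCertificate = true   # trust any certificate
  }
}
my.service.url = "https://internal.example/api"
"""

if __name__ == "__main__":
    active, ignored = audit(SAMPLE)
    print("weakens TLS checks in Play WS:", active)
    print("under ssl-config prefix, likely no effect in Play:", ignored)
```

Entries in the first list are worth reviewing before a release, since they switch off certificate or hostname checks for every WS call; entries in the second list are the misplaced settings this thread is about.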