Allow using null peer host for TLS and disabling host and port inference and SNI altogether.

servicetalk-http-api/src/main/java/io/servicetalk/http/api/SingleAddressHttpClientBuilder.java

@@ -144,4 +144,29 @@ public SingleAddressHttpClientBuilder<U, R> appendClientFilter(Predicate<Streami
      * @return {@code this}.
      */
     public abstract SingleAddressHttpClientBuilder<U, R> sslConfig(ClientSslConfig sslConfig);
+
+    /**
+     * Toggle inference of value to use instead of {@link ClientSslConfig#peerHost()}
+     * from client's address when peer host is not specified. By default, inference is enabled.
+     * @param shouldInfer value indicating whether inference is on ({@code true}) or off ({@code false}).
+     * @return {@code this}
+     */
+    public abstract SingleAddressHttpClientBuilder<U, R> inferPeerHost(boolean shouldInfer);
+
+    /**
+     * Toggle inference of value to use instead of {@link ClientSslConfig#peerPort()}
+     * from client's address when peer port is not specified (equals {@code -1}). By default, inference is enabled.
+     * @param shouldInfer value indicating whether inference is on ({@code true}) or off ({@code false}).
+     * @return {@code this}
+     */
+    public abstract SingleAddressHttpClientBuilder<U, R> inferPeerPort(boolean shouldInfer);
+
+    /**
+     * Toggle <a href="https://datatracker.ietf.org/doc/html/rfc6066#section-3">SNI</a>
+     * hostname inference from client's address if not explicitly specified
+     * via {@link #sslConfig(ClientSslConfig)}. By default, inference is enabled.
+     * @param shouldInfer value indicating whether inference is on ({@code true}) or off ({@code false}).
+     * @return {@code this}
+     */
+    public abstract SingleAddressHttpClientBuilder<U, R> inferSniHostname(boolean shouldInfer);
 }

servicetalk-http-netty/src/main/java/io/servicetalk/http/netty/DefaultSingleAddressHttpClientBuilder.java

@@ -564,6 +564,24 @@ public DefaultSingleAddressHttpClientBuilder<U, R> sslConfig(ClientSslConfig ssl
         return this;
     }
 
+    @Override
+    public SingleAddressHttpClientBuilder<U, R> inferPeerHost(boolean shouldInfer) {
+        config.inferPeerHost(shouldInfer);
+        return this;
+    }
+
+    @Override
+    public SingleAddressHttpClientBuilder<U, R> inferPeerPort(boolean shouldInfer) {
+        config.inferPeerPort(shouldInfer);
+        return this;
+    }
+
+    @Override
+    public SingleAddressHttpClientBuilder<U, R> inferSniHostname(boolean shouldInfer) {
+        config.inferSniHostname(shouldInfer);
+        return this;
+    }
+
     void appendToStrategyInfluencer(MultiAddressHttpClientFilterFactory<U> multiAddressHttpClientFilterFactory) {
         influencerChainBuilder.add(multiAddressHttpClientFilterFactory);
     }

servicetalk-http-netty/src/main/java/io/servicetalk/http/netty/HttpClientConfig.java

@@ -34,6 +34,9 @@ final class HttpClientConfig {
     @Nullable
     private String fallbackPeerHost;
     private int fallbackPeerPort = -1;
+    private boolean inferPeerHost = true;
+    private boolean inferPeerPort = true;
+    private boolean inferSniHostname = true;
 
     HttpClientConfig() {
         tcpConfig = new TcpClientConfig();
@@ -46,6 +49,9 @@ final class HttpClientConfig {
         connectAddress = from.connectAddress;
         fallbackPeerHost = from.fallbackPeerHost;
         fallbackPeerPort = from.fallbackPeerPort;
+        inferPeerHost = from.inferPeerHost;
+        inferPeerPort = from.inferPeerPort;
+        inferSniHostname = from.inferSniHostname;
     }
 
     TcpClientConfig tcpConfig() {
@@ -73,6 +79,18 @@ void fallbackPeerPort(int fallbackPeerPort) {
         this.fallbackPeerPort = fallbackPeerPort;
     }
 
+    void inferPeerHost(boolean shouldInfer) {
+        this.inferPeerHost = shouldInfer;
+    }
+
+    void inferPeerPort(boolean shouldInfer) {
+        this.inferPeerPort = shouldInfer;
+    }
+
+    void inferSniHostname(boolean shouldInfer) {
+        this.inferSniHostname = shouldInfer;
+    }
+
     ReadOnlyHttpClientConfig asReadOnly() {
         applySslConfigOverrides();
         final ReadOnlyHttpClientConfig roConfig = new ReadOnlyHttpClientConfig(this);
@@ -93,11 +111,17 @@ private void applySslConfigOverrides() {
             tcpConfig.sslConfig(new DelegatingClientSslConfig(sslConfig) {
                 @Nullable
                 private final List<String> alpnProtocols = httpAlpnProtocols(configAlpn, httpAlpnProtocols);
+
                 @Nullable
-                private final String peerHost = configPeerHost == null ? fallbackPeerHost : configPeerHost;
-                private final int peerPort = configPeerPort < 0 ? fallbackPeerPort : configPeerPort;
+                private final String peerHost =
+                        (configPeerHost == null && inferPeerHost) ? fallbackPeerHost : configPeerHost;
+
+                private final int peerPort =
+                        (configPeerPort < 0 && inferPeerPort) ? fallbackPeerPort : configPeerPort;
+
                 @Nullable
-                private final String sniHostname = configSni == null ? filterSniName(fallbackPeerHost) : configSni;
+                private final String sniHostname =
+                        (configSni == null && inferSniHostname) ? filterSniName(fallbackPeerHost) : configSni;
 
                 @Override
                 public List<String> alpnProtocols() {

servicetalk-http-netty/src/test/java/io/servicetalk/http/netty/DefaultSingleAddressHttpClientBuilderTest.java

@@ -85,7 +85,7 @@ private static void hostToCharSequenceFunction(String hostNamePrefix, String hos
                      forResolvedAddress(hostNamePrefix + hostName + hostNameSuffix + (port == null ? "" : port),
                              serverCtx.listenAddress())
                              .sslConfig(new ClientSslConfigBuilder(DefaultTestCerts::loadServerCAPem)
-                                     .disableHostnameVerification().build())
+                                     .hostnameVerificationAlgorithm("").build())
                              .buildBlocking()) {
             ReservedBlockingHttpConnection conn = client.reserveConnection(client.get("/"));
             try {

servicetalk-http-netty/src/test/java/io/servicetalk/http/netty/SniTest.java

@@ -25,7 +25,7 @@
 
 import org.junit.jupiter.api.Test;
 
-import java.util.function.Function;
+import java.net.InetAddress;
 import javax.net.ssl.SSLHandshakeException;
 
 import static io.servicetalk.test.resources.DefaultTestCerts.serverPemHostname;
@@ -37,8 +37,10 @@
 
 class SniTest {
     private static final String SNI_HOSTNAME = "servicetalk.io";
+
     @Test
     void sniSuccess() throws Exception {
+
         try (ServerContext serverContext = HttpServers.forAddress(localAddress(0))
                 .sslConfig(untrustedServerConfig(), singletonMap(SNI_HOSTNAME, trustedServerConfig()))
                 .listenBlockingAndAwait((ctx, request, responseFactory) -> responseFactory.ok());
@@ -49,15 +51,10 @@ void sniSuccess() throws Exception {
 
     @Test
     void sniDefaultFallbackSuccess() throws Exception {
-        sniDefaultFallbackSuccess(SniTest::newClient);
-    }
-
-    private static void sniDefaultFallbackSuccess(Function<ServerContext, BlockingHttpClient> clientFunc)
-            throws Exception {
         try (ServerContext serverContext = HttpServers.forAddress(localAddress(0))
                 .sslConfig(trustedServerConfig(), singletonMap("no_match" + SNI_HOSTNAME, untrustedServerConfig()))
                 .listenBlockingAndAwait((ctx, request, responseFactory) -> responseFactory.ok());
-             BlockingHttpClient client = clientFunc.apply(serverContext)) {
+             BlockingHttpClient client = newClient(serverContext)) {
             assertEquals(HttpResponseStatus.OK, client.request(client.get("/")).status());
         }
     }
@@ -94,10 +91,37 @@ void sniClientDefaultServerSuccess() throws Exception {
 
     @Test
     void noSniClientDefaultServerFallbackSuccess() throws Exception {
-        sniDefaultFallbackSuccess(serverContext -> HttpClients.forSingleAddress(serverHostAndPort(serverContext))
-                .sslConfig(new ClientSslConfigBuilder(DefaultTestCerts::loadServerCAPem)
-                        .peerHost(serverPemHostname()).build())
-                .buildBlocking());
+        try (ServerContext serverContext = HttpServers.forAddress(localAddress(0))
+                .sslConfig(trustedServerConfig(), singletonMap("localhost", untrustedServerConfig()))
+                .listenBlockingAndAwait((ctx, request, responseFactory) -> responseFactory.ok());
+             BlockingHttpClient client = HttpClients.forSingleAddress(
+                     InetAddress.getLoopbackAddress().getHostName(),
+                     serverHostAndPort(serverContext).port())
+                     .sslConfig(new ClientSslConfigBuilder(DefaultTestCerts::loadServerCAPem)
+                             .peerHost(serverPemHostname()).build())
+                     .inferSniHostname(false)
+                     .buildBlocking()) {
+            assertEquals(HttpResponseStatus.OK, client.request(client.get("/")).status());
+        }
+    }
+
+    @Test
+    void noSniClientDefaultServerFallbackFailExpected() throws Exception {
+        try (ServerContext serverContext = HttpServers.forAddress(localAddress(0))
+                .sslConfig(
+                        untrustedServerConfig(),
+                        singletonMap(InetAddress.getLoopbackAddress().getHostName(), trustedServerConfig())
+                )
+                .listenBlockingAndAwait((ctx, request, responseFactory) -> responseFactory.ok());
+             BlockingHttpClient client = HttpClients.forSingleAddress(
+                     InetAddress.getLoopbackAddress().getHostName(),
+                     serverHostAndPort(serverContext).port()
+             )
+                     .sslConfig(new ClientSslConfigBuilder(DefaultTestCerts::loadServerCAPem).build())
+                     .inferSniHostname(false)
+                     .buildBlocking()) {
+            assertThrows(SSLHandshakeException.class, () -> client.request(client.get("/")));
+        }
     }
 
     private static BlockingHttpClient newClient(ServerContext serverContext) {

servicetalk-http-netty/src/test/java/io/servicetalk/http/netty/SslAndNonSslConnectionsTest.java

@@ -25,6 +25,7 @@
 import io.servicetalk.http.api.StreamingHttpService;
 import io.servicetalk.test.resources.DefaultTestCerts;
 import io.servicetalk.transport.api.ClientSslConfigBuilder;
+import io.servicetalk.transport.api.HostAndPort;
 import io.servicetalk.transport.api.ServerContext;
 import io.servicetalk.transport.api.ServerSslConfigBuilder;
 
@@ -34,6 +35,7 @@
 import org.junit.jupiter.api.Test;
 import org.mockito.stubbing.Answer;
 
+import java.net.InetAddress;
 import java.nio.channels.ClosedChannelException;
 import java.security.cert.CertificateException;
 import javax.annotation.Nullable;
@@ -174,6 +176,20 @@ void singleAddressClientWithSslToSecureServer() throws Exception {
         }
     }
 
+    @Test
+    void singleAddressClientWithSslToSecureServerWithoutPeerHost() throws Exception {
+        assert secureServerCtx != null;
+        try (BlockingHttpClient client = HttpClients.forSingleAddress(serverHostAndPort(secureServerCtx))
+                .sslConfig(new ClientSslConfigBuilder(DefaultTestCerts::loadServerCAPem)
+                        // if verification is not disabled, identity check fails against the undefined address
+                        .hostnameVerificationAlgorithm("")
+                        .build())
+                .inferPeerHost(false)
+                .buildBlocking()) {
+            testRequestResponse(client, "/", true);
+        }
+    }
+
     @Test
     void hostNameVerificationIsEnabledByDefault() throws Exception {
         assert secureServerCtx != null;
@@ -188,6 +204,21 @@ void hostNameVerificationIsEnabledByDefault() throws Exception {
         }
     }
 
+    @Test
+    void hostNameVerificationUsesInferredAddress() throws Exception {
+        assert secureServerCtx != null;
+
+        HostAndPort localAddress = HostAndPort.of(
+                InetAddress.getLoopbackAddress().getHostName(), serverHostAndPort(secureServerCtx).port()
+        );
+
+        try (BlockingHttpClient client = HttpClients.forSingleAddress(localAddress)
+                .sslConfig(new ClientSslConfigBuilder(DefaultTestCerts::loadServerCAPem).build())
+                .buildBlocking()) {
+            testRequestResponse(client, "/", true);
+        }
+    }
+
     @Test
     void multiAddressClientWithSslToSecureServer() throws Exception {
         try (BlockingHttpClient client = HttpClients.forMultiAddressUrl()

servicetalk-transport-api/src/main/java/io/servicetalk/transport/api/ClientSslConfig.java

@@ -39,8 +39,8 @@ public interface ClientSslConfig extends SslConfig {
 
     /**
      * Get the non-authoritative name of the peer.
-     * @return the non-authoritative name of the peer, or {@code null} if unavailable (which may disable
-     * {@link #hostnameVerificationAlgorithm() hostname verification} and
+     * @return the non-authoritative name of the peer, or {@code null} if unavailable (which may require disabling
+     * {@link #hostnameVerificationAlgorithm() hostname verification}, and may disable
      * <a href="https://tools.ietf.org/html/rfc5077">session resumption</a>).
      * @see SSLEngine#getPeerHost()
      */

servicetalk-transport-api/src/main/java/io/servicetalk/transport/api/ClientSslConfigBuilder.java

@@ -75,7 +75,8 @@ public ClientSslConfigBuilder(Supplier<InputStream> trustCertChainSupplier) {
      *
      * @param algorithm The algorithm to use when verifying the host name.
      * See <a href="https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#jssenames">
-     * Endpoint Identification Algorithm Name</a>
+     * Endpoint Identification Algorithm Name</a>.
+     * An empty {@code String} ({@code ""}) disables hostname verification.
      * @return {@code this}.
      * @see SSLParameters#setEndpointIdentificationAlgorithm(String)
      */
@@ -89,6 +90,7 @@ public ClientSslConfigBuilder hostnameVerificationAlgorithm(String algorithm) {
      * @deprecated Disabling hostname verification may leave you vulnerable to man-in-the-middle attacks. See
      * <a href="https://tools.ietf.org/search/rfc2818#section-3.1">server identity</a> on the risks of disabling.
      * If the expected value isn't automatically inferred use {@link #peerHost(String)} to set the expected value.
+     * When disabling is intended, use {@link #hostnameVerificationAlgorithm} with {@code ""} as argument.
      * @return {@code this}.
      * @see SSLParameters#setEndpointIdentificationAlgorithm(String)
      */
@@ -104,10 +106,7 @@ public ClientSslConfigBuilder disableHostnameVerification() {
      * @return {@code this}.
      * @see SSLEngine#getPeerHost()
      */
-    public ClientSslConfigBuilder peerHost(String peerHost) {
-        if (peerHost.isEmpty()) {
-            throw new IllegalArgumentException("peerHost cannot be empty");
-        }
+    public ClientSslConfigBuilder peerHost(@Nullable String peerHost) {
         this.peerHost = peerHost;
         return this;
     }
@@ -166,8 +165,10 @@ private static final class DefaultClientSslConfig extends AbstractSslConfig impl
         @Nullable
         private final String sniHostname;
 
-        DefaultClientSslConfig(@Nullable final String hostnameVerificationAlgorithm, @Nullable final String peerHost,
-                               final int peerPort, @Nullable final String sniHostname,
+        DefaultClientSslConfig(@Nullable final String hostnameVerificationAlgorithm,
+                               @Nullable final String peerHost,
+                               final int peerPort,
+                               @Nullable final String sniHostname,
                                @Nullable final TrustManagerFactory trustManagerFactory,
                                @Nullable final Supplier<InputStream> trustCertChainSupplier,
                                @Nullable final KeyManagerFactory keyManagerFactory,

servicetalk-transport-netty-internal/src/main/java/io/servicetalk/transport/netty/internal/ClientSecurityConfig.java

@@ -256,7 +256,7 @@ public ClientSslConfig asSslConfig() {
         }
 
         if (hostnameVerificationAlgorithm == null) {
-            builder.disableHostnameVerification();
+            builder.hostnameVerificationAlgorithm("");
         } else {
             builder.hostnameVerificationAlgorithm(hostnameVerificationAlgorithm);
         }