How to bypass hostname verification?

[shotahino]

There is an example of how to do this for grpc-go in here
And I'm looking for a similar solution for grpc-java.

I had been using overrideAuthority like this when the CN of the server certificate is known.
But I've come to a point where I can no longer keep doing this since the CN is not known beforehand. All I know is the IP address and port number in my use case.

  grpc = OkHttpChannelBuilder
            .forTarget("$address:$port")
            .sslSocketFactory(sslcontext.socketFactory)
            .overrideAuthority("xxxxxx")
            .build()

[carl-mastrangelo]

Did you see the hostnameVerifier method on OkHttpChannelBuilder ?

[ejona86]

Note that we strongly discourage disabling hostname verification, as it defeats a critical part of the security model of TLS. But it seems this question is answered.

[dcow]

I can comment. We are limiting our TLS to ca roots under our control. We will have a custom hostnameverifier that accounts for this so the attack vector that part of the model addresses does not exist for us, or where it does we understand the implications. We will also know the list of CNs we expect a-priori.. I believe Shota is referring to a debug "use case".