-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RestClient Reactive - set HostnameVerifier or SSLContext #27901
Comments
/cc @Sgitario, @cescoffier, @geoand |
In my current project, for reasons that are not under my or my team's control, we do have to call an external service via IP in production. |
@Sgitario would you be willing to look into lifting this restriction? I can also check if your backlog is too full |
I should note that it's entirely possible that we will need changes in Vert.x to support this |
Vertx does not provide such a feature. So, I don't believe we can provide that feature. However, you can enable the trustall feature which will by-pass the verification. |
The SSL context approach may work with vertx 4.3.4 (some rework around ssl has been achieved, it should provide such an option) |
Thanks everybody for your prompt responses. If HostnameVerifier support is not achievable, SSLContext support is still good for our use cases. trust-all operates in the app level, and we have the need to trust only some of the Rest Clients. When I said "at least HostnameVerifier" I thought it would be easier, but I am totally happy without HostnameVerifier, as SSLContext will perfectly be valid to get different Rest Clients in the same service with and without SSL verification. |
Unfortunately, it's not expected that And the same happens with supporting a custom So, our options are:
Also, I've found that when using a truststore:
Makes the rest client to fail with the following exception:
I have a fix for this: #27925 |
My 2 cents:
How would an implemetation look like that tries to mimic Also, I assume that with this workaround, Quarkus would still properly set up the To me, the second option looks better for now. |
+💯 |
I personally think that if we properly document how to address the common concerns, we don't really need to have |
My point is that it's not that rare to skip hostname verification, so it would be much more developer friendly if Quarkus would close that gap by shipping something that can be used OOTB. |
Sure yeah. My point is that we don't need to necessarily have a |
Agreed! |
If what we want is to skip the hostname verification, we can achieve this by setting 'verifyHost(false)'. All we would need is to add a new property for setting this flag. |
Before these changes, we only can disable the hostname verification in Rest Client classic by providing the following property: ``` quarkus.rest-client.extensions-api.hostname-verifier=io.quarkus.restclient.NoopHostnameVerifier ``` However, this is not working in Rest Client reactive because setting a hostname verifier strategy is not supported by the Vert-x HTTP Client. With these changes, we have added a new property in both Rest Client classic and reactive `quarkus.rest-client.extensions-api.verify-host=true or false`. In Rest Client classic, when disabling the verify host, internally it will add the `NoopHostnameVerifier` strategy. In Rest Client reactive, it will properly configure the Vert.x HTTP client to disable the hostname verification. Therefore, in both Rest Client implementations (classic and reactive), the behaviour is the same. Fix quarkusio#27901
Thanks everybody for your inputs! Hi @Sgitario ! I am sure most of the developer use cases will be covered with that, and developer experience using it is very straightforward. I am unsure if our specific use case is covered, as due to the dynamic base URLs we have, we are forced to use RestClientBuilders programatically. |
Before these changes, we only can disable the hostname verification in Rest Client classic by providing the following property: ``` quarkus.rest-client.extensions-api.hostname-verifier=io.quarkus.restclient.NoopHostnameVerifier ``` However, this is not working in Rest Client reactive because setting a hostname verifier strategy is not supported by the Vert-x HTTP Client. With these changes, we have added a new property in both Rest Client classic and reactive `quarkus.rest-client.extensions-api.verify-host=true or false`. In Rest Client classic, when disabling the verify host, internally it will add the `NoopHostnameVerifier` strategy. In Rest Client reactive, it will properly configure the Vert.x HTTP client to disable the hostname verification. Therefore, in both Rest Client implementations (classic and reactive), the behaviour is the same. Fix quarkusio#27901
Before these changes, we only can disable the hostname verification in Rest Client classic by providing the following property: ``` quarkus.rest-client.extensions-api.hostname-verifier=io.quarkus.restclient.NoopHostnameVerifier ``` However, this is not working in Rest Client reactive because setting a hostname verifier strategy is not supported by the Vert-x HTTP Client. With these changes, we have added a new property in both Rest Client classic and reactive `quarkus.rest-client.extensions-api.verify-host=true or false`. In Rest Client classic, when disabling the verify host, internally it will add the `NoopHostnameVerifier` strategy. In Rest Client reactive, it will properly configure the Vert.x HTTP client to disable the hostname verification. Therefore, in both Rest Client implementations (classic and reactive), the behaviour is the same. Fix quarkusio#27901
Before these changes, we only can disable the hostname verification in Rest Client classic by providing the following property: ``` quarkus.rest-client.extensions-api.hostname-verifier=io.quarkus.restclient.NoopHostnameVerifier ``` However, this is not working in Rest Client reactive because setting a hostname verifier strategy is not supported by the Vert-x HTTP Client. With these changes, we have added a new property in both Rest Client classic and reactive `quarkus.rest-client.extensions-api.verify-host=true or false`. In Rest Client classic, when disabling the verify host, internally it will add the `NoopHostnameVerifier` strategy. In Rest Client reactive, it will properly configure the Vert.x HTTP client to disable the hostname verification. Therefore, in both Rest Client implementations (classic and reactive), the behaviour is the same. Fix quarkusio#27901 (cherry picked from commit 941d3a6)
Description
There is a known limitation on RestClient Reactive, we cannot set a HostnameVerifier or SSLContext.
We have switched back to rest-client-mutiny for now, even if it's deprecated, but it would be useful to get this done, so we can move back towards a fully reactive service.
Do we know the priority of this feature? At least for HostnameVerifier.
Context: It is very common to give user, when configuring webhooks, the option to use insecure SSL at their own expense, usually for testing purposes, and we want to give that to our users.
Implementation ideas
No response
The text was updated successfully, but these errors were encountered: