使用spring-webflux WebClient的反应堆净值配置HostnameVerifier [英] Configure HostnameVerifier with reactor netty for spring-webflux WebClient

问题描述

我正在尝试通过ssl和客户端主机名验证来配置spring-webflux WebClient(具有反应堆网络功能).我提供了javax.net.ssl.SSLContext，HostnameVerifier和受信任的主机名列表(作为字符串列表).

I'm trying to configure spring-webflux WebClient (with reactor netty under the hood) with ssl and client hostname verification. I'm provided with javax.net.ssl.SSLContext, HostnameVerifier and a list of trusted hostnames (as string list).

到目前为止，我已经使用SSLContext配置了WebClient，但找不到配置主机名验证的方法.

So far I've configured WebClient with my SSLContext, but I can't find a way to configure hostname verification.

要陈述我的问题:我有一组信任的服务主机名(字符串列表)和一个HostnameVerifier.我想用它配置我的WebClient.

To state my problem: I have a set of trusted services hostnames (String list) and a HostnameVerifier. I want to configure my WebClient with it.

是否可以使用javax.net.ssl.HostnameVerifier做到这一点?反应堆净值中有替代方法吗?

Is there a possibility to do it with the javax.net.ssl.HostnameVerifier? Is there an alternative approach in reactor netty?

这是我到目前为止所得到的:

This is what I've got so far:

WebClient.builder()
  .clientConnector(
    new ReactorClientHttpConnector(
      opt -> opt.sslContext(new JdkSslContext(mySSLContext, 
                      true, ClientAuth.OPTIONAL))))
  .build();

推荐答案

您应提供有效的证书颁发机构证书(trustManager())以及可选的用户证书，以及用于授权的私钥和私钥密码(keyManager()). 您的服务SSL证书应由您在trustManager()中定义的同一CA签名.

You should provide a valid certificate authority certificate (trustManager()) and optionally user cert with private key and private key password for authorization (keyManager()). Your service SSL certificate should be signed by the same CA that you've defined in trustManager().

将使用服务主机名自动验证主机名.如果不匹配，将抛出java.security.cert.CertificateException: No subject alternative names present异常.实际上，我找不到省略主机名验证的方法(不使用.trustManager(InsecureTrustManagerFactory.INSTANCE)省略整个SSL证书验证).

Hostnames are being verified automatically with service hostname. If there's not match java.security.cert.CertificateException: No subject alternative names present exception will be thrown. Actually I can't find a way to omit hostnames verification (without omitting whole SSL certificate verification by using .trustManager(InsecureTrustManagerFactory.INSTANCE)).

我已经在本地测试了此解决方案.我的Web服务正在本地计算机上运行，​​但其SSL证书仅包含DNS名称，而不包含IP地址. 因此，出于调试目的，我已将条目添加到主机文件，并将服务IP映射到正确的DNS名称.

I've tested this solution locally. My webservice is running on my local machine but its SSL certificate contains only DNS name, not the IP address. So for my debug purposes I've added entry to hosts file and mapped my service IP to proper DNS name.

SslContext sslContext = SslContextBuilder
        .forClient()
        .trustManager(new FileInputStream(caPath))
        .keyManager(
                new FileInputStream(userCertPath),
                new FileInputStream(userPrivateKeyPath),
                userPrivateKeyPassword
        )
        .build();

HttpClient httpClient = HttpClient.create()
        .secure(t -> t.sslContext(sslContext));

WebClient webClient = WebClient.builder()
        .clientConnector(new ReactorClientHttpConnector(httpClient))
        .build();

这篇关于使用spring-webflux WebClient的反应堆净值配置HostnameVerifier的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！