Reputation: 1967
I need to skip hostname verification with httpclient 4.2.1 without changing the trustmanager. I achieved this like this:

    httpClient = new DefaultHttpClient(a, b);
    SSLSocketFactory socketFactory = (SSLSocketFactory) httpClient.getConnectionManager().getSchemeRegistry().get("https").getSchemeSocketFactory();
    socketFactory.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);

... but the setHostnameVerifier method I used is deprecated. How can I achieve the same thing using non-deprecated methods?
Upvotes: 6
Views: 16097
Reputation: 161
As previous people have said, you should only do this when you have a very good reason to do so. I also have closed testing environments and I only disable Hostname Verification when it is absolutely needed. The only place it is disabled is in the application running tests, never in an application that would be deployed to user-facing servers.
This can be accomplished by quickly implementing your own HostnameVerifier.
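
    import javax.net.ssl.HostnameVerifier;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSession;
    import org.apache.http.config.Registry;
    import org.apache.http.config.RegistryBuilder;
    import org.apache.http.conn.socket.ConnectionSocketFactory;
    import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
    import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;

    SSLContext sslContext = SSLContext.getDefault();
    // Accepts every hostname; the trust manager in sslContext is left unchanged.
    HostnameVerifier allowAll = new HostnameVerifier() {
        @Override
        public boolean verify(String hostName, SSLSession session) {
            return true;
        }
    };
    Registry<ConnectionSocketFactory> socketFactoryRegistry = RegistryBuilder.<ConnectionSocketFactory>create()
        .register("https", new SSLConnectionSocketFactory(sslContext, allowAll))
        .build();
    PoolingHttpClientConnectionManager cm = new PoolingHttpClientConnectionManager(socketFactoryRegistry);
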
Upvotes: 6
Reputation: 688
Try to use SSLConnectionSocketFactory instead of SSLSocketFactory, because SSLSocketFactory is deprecated.
Upvotes: 2
Reputation: 123639
DON'T DO THIS!!!
As explained to you at https://stackoverflow.com/a/29547114/3081018 already, this is a very bad idea and effectively disables all validation, because an attacker then could use any certificate for some other host to mount a man-in-the-middle attack.
It does not get more secure if you ask the same question again.
Upvotes: 4
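
An added example, not part of any answer above and not Apache HttpClient's own code: rather than an allow-all verifier, a test client can keep strict hostname checking and tolerate a mismatch only for explicitly named test hosts, which narrows the man-in-the-middle exposure described in the last answer. It assumes HttpClient 4.4 or later (for DefaultHostnameVerifier); the class name TestHostExemptVerifier and the host qa-backend.test.invalid are hypothetical.

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;

/** Hypothetical helper: strict verification everywhere except listed test hosts. */
public final class TestHostExemptVerifier implements HostnameVerifier {
    private final HostnameVerifier strict;
    private final Set<String> exemptHosts;

    public TestHostExemptVerifier(HostnameVerifier strict, String... exemptHosts) {
        this.strict = strict;
        Set<String> hosts = new HashSet<String>();
        for (String h : exemptHosts) {
            hosts.add(h.toLowerCase(Locale.ROOT));
        }
        this.exemptHosts = Collections.unmodifiableSet(hosts);
    }

    @Override
    public boolean verify(String hostName, SSLSession session) {
        // Normal path: the certificate name must match the host we connected to.
        if (strict.verify(hostName, session)) {
            return true;
        }
        // A mismatch is tolerated only for hosts named explicitly at construction.
        return hostName != null
                && exemptHosts.contains(hostName.toLowerCase(Locale.ROOT));
    }

    /** Builds a client for a test suite; the host name is a constructed placeholder. */
    public static CloseableHttpClient newTestClient() throws Exception {
        // Default trust manager is unchanged, so chain validation still applies.
        SSLContext sslContext = SSLContext.getDefault();
        HostnameVerifier verifier = new TestHostExemptVerifier(
                new DefaultHostnameVerifier(), "qa-backend.test.invalid");
        return HttpClients.custom()
                .setSSLSocketFactory(new SSLConnectionSocketFactory(sslContext, verifier))
                .build();
    }
}
```

Connections to any host outside the exempt set still fail on a name mismatch, so a client built this way cannot silently talk to a production host presenting the wrong certificate.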