Grpc-java: How to skip host name validation with the OkHTTP channel

Created on 2 Sep 2020  路  3Comments  路  Source: grpc/grpc-java

Hello,

I'm porting my gRPC client from the Netty channel to OkHTTP so I can use it on Android. This client is connecting to a gRPC server over TLS, but the server is on a private network and uses a self-signed certificate. In Netty, I can do the following have the host name verification disabled:

GrpcSslContexts.forClient()
            .trustManager(InsecureTrustManagerFactory.INSTANCE)
            .build()

That'll give me an SSL context that I can pass to NettyChannelBuilder.forAddress(...).useTransportSecurity()..sslContext(insecureTlsContext). How can I do something like this with the OkHTTP channel?

I've managed to get something to work by cheating and using Netty's InsecureTrustManagerFactory.INSTANCE, but it doesn't make sense to have the Netty channel as a dependency just for this. Also, I read on SECURITY.md that it's a bad idea to have both.

question

All 3 comments

This client is connecting to a gRPC server over TLS, but the server is on a private network and uses a self-signed certificate.

You can use ManagedChannelBuilder#overrideAuthority for self-signed certificate. Bypassing hostname verification completely makes TLS provide no value and you should just use plaintext.

You can also see a complete example of configuring a test cert in our Android interop client here

Thank you both for the pointers! :+1:

Was this page helpful?
0 / 5 - 0 ratings

Related issues

scottslewis picture scottslewis  路  21Comments

mwitkow picture mwitkow  路  21Comments

ejona86 picture ejona86  路  17Comments

vlsinitsyn picture vlsinitsyn  路  42Comments

Randgalt picture Randgalt  路  15Comments