ssl-config
Remove acceptAnyCertificate and disableHostnameVerification
These options are carried over from the Play 1 implementation -- they disable the core of TLS, so they shouldn't be available.
I think the capability should stay. There are use-cases where you go through https:// and self-signed certificates are used. Those are not available in cacerts
and it's complex to add the key-chains.
It should be up to the developer to be able to provide weakSsl in his app, in order to allow weakSSL
Overall I'd like in addition to DisabledComplainingHostnameVerifier
to have a DisableSilentlyHostnameVerifier
so that it does not emit any logs
Given that will have in the logs + UI Weak SSL is enabled.. read more..
I'd like to be able to keep log files clean of any logs.
These options should be available, there can be genuine cases where people might need it. Recently I needed this where I have to talk to an internal service, which was using a self-signed cert. However, not sure why, even after using these options, I could not make it work. (details here)
A self signed certificate is not the same as accepting any certificate. You should add the cert to the trust store as one of your trust anchors.
and it's complex to add the key-chains.
you can use whatever trust store you like, or even a combination of trust stores falling back to cacert
- https://lightbend.github.io/ssl-config/KeyStores.html#configuring-a-trust-manager
and there are step by step guides on how to set up certificates with explicit command line instructions on every stage.
https://lightbend.github.io/ssl-config/CertificateGeneration.html
Again, the problem is not that it can't be done -- using a self-signed certificate without enabling this feature is completely possible and practical. Having this option means that it's possible to not configure it correctly -- that doesn't mean that not configuring it correctly is the right thing to do, or that it can't be configured correctly.
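To make the difference concrete, here is an added example (not from this thread or from the ssl-config project's own documentation) showing the two loose settings the issue proposes removing next to the trust-manager configuration the reply recommends for a self-signed internal service. The PEM file path is a hypothetical placeholder; the cacerts password "changeit" is the JDK default. The two sections are alternatives, not meant to be used together.

```hocon
# Alternative 1 (the setting under discussion): both checks are switched off.
# acceptAnyCertificate skips chain validation entirely and
# disableHostnameVerification skips the hostname match, so any server that
# can complete a TLS handshake is trusted, self-signed or otherwise.
# ssl-config.loose {
#   acceptAnyCertificate = true
#   disableHostnameVerification = true
# }

# Alternative 2 (what the reply recommends): the self-signed certificate, or
# the internal CA that issued it, becomes an explicit trust anchor while the
# JDK's bundled cacerts stays in place for public CAs. ssl-config.loose is
# left at its defaults, so chain validation and hostname verification still run.
ssl-config.trustManager {
  stores = [
    # Hypothetical path to the PEM-encoded certificate exported from the
    # internal service; a PEM store needs no keytool import.
    { type = "PEM", path = "/etc/internal-service/server-cert.pem" }
    # Fall back to the JDK trust store so everything else keeps working.
    { path = ${java.home}/lib/security/cacerts, password = "changeit" }
  ]
}
```

With alternative 2, a connection to the internal service still fails if the certificate was generated without the service's hostname in its subject alternative names, because hostname verification is still active; that is a certificate-generation problem (the CertificateGeneration guide linked above covers it), not a reason to fall back to alternative 1.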