The SSL verification fails even when setValidateCertificates was set to `false`

[ihor-sokoliuk-exa]

I have a Splunk server with self-signed certificates. And I am writing a Java Client to fetch logs from the Splunk server using the latest Splunk SDK lib (v1.9.3).

To connect to my test server, I use the next code line to ignore certificate validation:
Service.setValidateCertificates(false);

It works as a charm, there is no more self-signed certificate issue.

But another issue appeared after that.
HTTPS hostname wrong: should be <my splunk server IP>

I see in the Splunk SDK source code it is configured to verify hostnames:

splunk-sdk-java/splunk/src/main/java/com/splunk/HttpService.java

Lines 56 to 65 in 00cd195

	private static final HostnameVerifier HOSTNAME_VERIFIER = new HostnameVerifier() {
	public boolean verify(String s, SSLSession sslSession) {
	if (s.equals(HOSTNAME) || s.equals(HOSTIP)) {
	return true;
	} else {
	HostnameVerifier hv = HttpsURLConnection.getDefaultHostnameVerifier();
	return hv.verify(s, sslSession);
	}
	}
	};

Is it right to say that there is no way to influence that with any available public method because of this code line?

splunk-sdk-java/splunk/src/main/java/com/splunk/HttpService.java

Line 450 in 00cd195

((HttpsURLConnection) cn).setHostnameVerifier(HOSTNAME_VERIFIER);

If yes, is it possible to add a new method to the Splunk SDK to bypass the hostname verification?

Thank you!

[ashah-splunk]

Hi @ihor-sokoliuk-exa sorry for the delay in the response, but we have kept the hostname checks for security purpose. So to provide a way to influence the hostname verification will impact the security. We are working on a feature to enable passing a SSL certificate which I think would help with your use-case. Once we have the feature fully developed we will publish a new SDK release. Will update you once we have a new release.

[ihor-sokoliuk-exa]

Hi @ashah-splunk,

Thank you for your reply.

Is it possible to add the flag that turns off the hostname verification for debug purposes?

It often happens, when you need to test your code on a dev env, and security and self-signed certs are not the primary thing you are worried about.

[ihor-sokoliuk-exa]

@ashah-splunk There is a solution to that issue.

// Disable SSL certificate validation
HttpService.setValidateCertificates(false);

// Disable hostname verification
// This verification does not work with Splunk self-signed certificates
HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
    public boolean verify(String hostname, javax.net.ssl.SSLSession sslSession) {
        return true;
    }
});

It turns off all checks for the server certificate, including the self-signed certs and hostname validation.
Add this code snippet before Service.connect(args) call.