What does TLSUtils.acceptAllCertificates do exactly?

A small question. Does this setting only accept self-signed certificates, or does it also accept expired or otherwise malformed certificates? Obviously it doesn’t accept certificates with a mismatching hostname. I need to clarify that to name the settings in Spark correctly.

tl;dr: It does trust all certificates. But hostname verification, i.e. whether the certificate presented is valid for a “hostname” (the service, actually), is, by design of TLS and newer Java’s TLS API, done somewhere else. So in order to really simply accept all certificates no matter what (something which you shouldn’t do), you also have to install an “accept all” HostnameVerifier.

Thanks. Yes, hostname verification is disabled via TLSUtils.disableHostnameVerificationForTlsCertificates. I understand that any automatic acceptance shouldn’t be an option. But Spark doesn’t have any mechanism for accepting individual certificates. Using a self-signed certificate is fine in a closed, safe environment, and many are doing this (especially when Openfire automatically provides them). We have already grown a user base of bad server installations, as older Smack/Spark versions allowed any certificate and hostname mismatches. It won’t be nice to just dump those users. At least the hostname verifier is not disabled by default. And I’m going to make the acceptallcerts option disabled by default for the next version of Spark.
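The two posts above make one point between them: which certificates are trusted and whether the certificate matches the host are two separate knobs in Java, and the "closed environment with a self-signed certificate" case does not need the first knob set to "trust everything". The example below is added here and is not Spark or Smack code; it uses only the JDK's own TLS API (JSSE). It pins exactly one self-signed server certificate as the sole trust anchor (the per-certificate acceptance the reply says Spark lacks) and then switches on hostname verification separately on the socket, so a certificate that is not the pinned one, or that is the pinned one but issued for a different name, both fail the handshake. The file name `server-cert.pem`, the host `xmpp.example.org` and the direct-TLS port 5223 are assumptions for the demonstration. The "HTTPS" endpoint identification algorithm does DNS-name matching against the certificate's SubjectAltName entries; it does not implement XMPP's additional SRV-ID rule from RFC 6120, which an XMPP library's own HostnameVerifier would cover.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example, not Spark/Smack code: trust exactly one self-signed
 * certificate instead of all of them, and keep hostname verification on.
 * "server-cert.pem", "xmpp.example.org" and port 5223 are assumptions.
 */
public class PinnedSelfSignedTls {

    /** Build an SSLContext whose only trust anchor is the certificate in the given PEM file. */
    static SSLContext contextTrustingOnly(String pemPath) throws Exception {
        X509Certificate pinned;
        try (InputStream in = new FileInputStream(pemPath)) {
            pinned = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }

        // An empty in-memory key store holding just this one anchor replaces the JDK's CA bundle,
        // so no other certificate (self-signed, expired, or CA-issued) will be accepted.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("pinned-xmpp-server", pinned);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Open a TLS socket using the pinned trust anchor AND hostname checking, the second, separate knob. */
    static SSLSocket connect(SSLContext ctx, String host, int port) throws Exception {
        SSLSocketFactory factory = ctx.getSocketFactory();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);

        // Hostname verification is not part of the trust manager. It has to be enabled here
        // (or via a HostnameVerifier in libraries such as Smack); otherwise the pinned
        // certificate would be accepted for any host name at all.
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);

        // Fails if the server's certificate is not the pinned one, or if it is the pinned
        // one but its SubjectAltName entries do not match 'host'.
        socket.startHandshake();
        return socket;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = contextTrustingOnly("server-cert.pem");
        try (SSLSocket s = connect(ctx, "xmpp.example.org", 5223)) {
            System.out.println("Negotiated " + s.getSession().getProtocol()
                    + " with the pinned certificate and a matching host name");
        }
    }
}
```

The operator exports the server's certificate once (Openfire's self-signed certificate, in the scenario described above) and ships it as `server-cert.pem`; rotating the certificate then requires updating that file, which is the expected trade-off of pinning. Note that a trust-all `X509TrustManager` plus an "accept all" `HostnameVerifier` would disable both checks independently, which is exactly why the two settings have to be reasoned about separately.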