When using FeignClient with the option disable-ssl-validation: true and hc5 enabled, hostname verification is not turned off like it is when using httpclient4.
We use the option disable-ssl-validation often for local development or testing. Is it possible to deactivate hostname verification for FeignClient/hc5 by configuration somehow?
My configuration (application.yml):
```yaml
feign:
  httpclient:
    disable-ssl-validation: true
  hc5:
    enabled: true
```
Exception I retrieve:
```
2021-11-10 23:13:25.968 DEBUG 91492 --- [ main] u.c.RestControllerApiClient : [RestControllerApiClient#retrieveSomethingUsingPOST] ---> END HTTP (178-byte body)
2021-11-10 23:13:26.133 DEBUG 91492 --- [ main] u.c.RestControllerApiClient : [RestControllerApiClient#retrieveSomethingUsingPOST] <--- ERROR SSLHandshakeException: No name matching localhost found (164ms)
2021-11-10 23:13:26.134 DEBUG 91492 --- [ main] u.c.RestControllerApiClient : [RestControllerApiClient#retrieveSomethingUsingPOST] javax.net.ssl.SSLHandshakeException: No name matching localhost found
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:349)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:292)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:287)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
    at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421)
    at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:182)
    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1426)
    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1336)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:450)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:421)
    at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:572)
    at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:197)
    at java.base/sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1367)
    at java.base/sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1342)
    at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:246)
    at feign.Client$Default.convertAndSend(Client.java:202)
    at feign.Client$Default.execute(Client.java:103)
    at feign.SynchronousMethodHandler.executeAndDecode(SynchronousMethodHandler.java:119)
    at feign.SynchronousMethodHandler.invoke(SynchronousMethodHandler.java:89)
    at feign.ReflectiveFeign$FeignInvocationHandler.invoke(ReflectiveFeign.java:100)
    at com.sun.proxy.$Proxy216.retrievePersonProfileUsingPOST(Unknown Source)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
    at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:344)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:198)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)
    at org.springframework.validation.beanvalidation.MethodValidationInterceptor.invoke(MethodValidationInterceptor.java:123)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:215)
    at com.sun.proxy.$Proxy217.retrieveSomethingUsingPOST(Unknown Source)
    ...
Caused by: java.security.cert.CertificateException: No name matching localhost found
    at java.base/sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:234)
    at java.base/sun.security.util.HostnameChecker.match(HostnameChecker.java:103)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:429)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638)
    ... 100 more
```
Comment From: OlgaMaciaszek
@bertoltmeier If it does not work, it's a bug. Could you please provide a minimal, complete, verifiable example that reproduces the issue? Will verify it then.
Comment From: bertoltmeier
@OlgaMaciaszek The problem occurs when an API endpoint is accessed with a different server name compared to the ones stated in the server certificate. This is a common challenge in development or test setups for developers (e.g. when accessing servers via an ssh tunnel from localhost).
In the above case, ssl validation is turned off. Still the request fails, because hostname verification fails (i.e. localhost is not equal to the intended server name). Of course, ssl validation and hostname verification are not the same, but I cannot remember a single case in my career in which I wanted to turn off ssl validation but still verify the hostname. :)
I'll try to set up an example.
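For the ssh-tunnel scenario described above there is a narrower alternative to switching hostname verification off: keep chain validation on and verify the server certificate against the upstream name you intend to reach, rather than against the tunnel endpoint "localhost". The following Spring configuration is an added example, not code from the issue or from Spring Cloud OpenFeign; it assumes a hypothetical upstream name `api.example.internal`, the `feign-hc5` and `httpclient5` dependencies, and that OpenFeign's hc5 auto-configuration backs off when a `CloseableHttpClient` / `Client` bean is already defined. (Note that the stack trace posted above passes through `feign.Client$Default` and the JDK's `X509TrustManagerImpl`, so it is worth confirming that the hc5 client is actually the one in use before comparing behaviour.)

```java
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;

import feign.Client;
import feign.hc5.ApacheHttp5Client;
import org.apache.hc.client5.http.impl.classic.CloseableHttpClient;
import org.apache.hc.client5.http.impl.classic.HttpClients;
import org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManagerBuilder;
import org.apache.hc.client5.http.ssl.DefaultHostnameVerifier;
import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory;
import org.apache.hc.core5.ssl.SSLContexts;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;

@Configuration
@Profile("tunnel") // only active when developing through the local ssh tunnel
public class TunnelHttpClient5Config {

    // Hypothetical: the DNS name the upstream certificate is actually issued for.
    private static final String UPSTREAM_NAME = "api.example.internal";

    @Bean
    public CloseableHttpClient httpClient5() {
        // Chain validation stays enabled: the JDK default trust store is used.
        SSLContext sslContext = SSLContexts.createDefault();

        // Verify the presented certificate against the intended upstream name
        // instead of the host we connected to ("localhost" via the tunnel).
        DefaultHostnameVerifier delegate = new DefaultHostnameVerifier();
        HostnameVerifier expectedNameVerifier =
                (String connectedHost, SSLSession session) -> delegate.verify(UPSTREAM_NAME, session);

        SSLConnectionSocketFactory sslSocketFactory =
                new SSLConnectionSocketFactory(sslContext, expectedNameVerifier);

        return HttpClients.custom()
                .setConnectionManager(PoolingHttpClientConnectionManagerBuilder.create()
                        .setSSLSocketFactory(sslSocketFactory)
                        .build())
                .build();
    }

    @Bean
    public Client feignClient(CloseableHttpClient httpClient5) {
        // Hand the customised HttpClient 5 instance to Feign's hc5 adapter.
        return new ApacheHttp5Client(httpClient5);
    }
}
```

A certificate issued for any other name, or one that does not chain to a trusted CA, is still rejected, which is the property a blanket no-op verifier gives up.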
Comment From: OlgaMaciaszek
@bertoltmeier thanks for providing more details. Once you've provided a sample, we'll verify the problem and provide a fix if appropriate.
Comment From: spring-cloud-issues
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
Comment From: spring-cloud-issues
Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.