Hi folks,

I'm trying to overwrite default SSL configuration for Eureka Client using NoopHostnameVerifier but for some reason still trying to verify the hostname, anyone could help me on that please?

Followed code example from https://github.com/spring-cloud/spring-cloud-netflix/issues/1711#issuecomment-282340580

@Profile("prod")
@Configuration
class SslNoopHostnameVerifierConfiguration {

    @Value("${service.security.trustStorePath:/etc/ssl/truststore.jks}")
    private String trustStorePath;

    @Value("${service.security.trustStorePassword:changeit}")
    private String trustStorePassword;

    @Value("${service.security.trustStoreType:JKS}")
    private String trustStoreType;

    @Value("${server.port:8443}")
    private Integer serverPort;

    @Autowired
    EurekaClientConfig config;

    @Bean
    public DiscoveryClient.DiscoveryClientOptionalArgs getTrustStoredEurekaClient()
        throws Exception {
        final KeyStore trustStore = KeyStore.getInstance(trustStoreType);
        trustStore.load(new FileSystemResource(trustStorePath).getInputStream(), trustStorePassword.toCharArray());

        SSLConnectionSocketFactory systemSocketFactory = new SSLConnectionSocketFactory(
            SSLContexts
                .custom()
                .loadTrustMaterial(trustStore, new TrustSelfSignedStrategy())
                .build(),
            new NoopHostnameVerifier());

        SchemeRegistry sslSchemeRegistry = new SchemeRegistry();
        Scheme schema = new Scheme("https", serverPort, new SSLSocketFactoryAdapter(systemSocketFactory));
        sslSchemeRegistry.register(schema);
        String name = "Custom-Discovery-Client";
        MonitoredConnectionManager connectionManager = new MonitoredConnectionManager(name, sslSchemeRegistry);
        ClientConfig clientConfig = new DefaultClientConfig();
        clientConfig.getProperties().put(ApacheHttpClient4Config.PROPERTY_CONNECTION_MANAGER, connectionManager);

        DiscoveryJerseyProvider discoveryJerseyProvider = new DiscoveryJerseyProvider(
            CodecWrappers.getEncoder(config.getEncoderName()),
            CodecWrappers.resolveDecoder(config.getDecoderName(), config.getClientDataAccept()));

        clientConfig.getSingletons().add(discoveryJerseyProvider);

        DiscoveryClient.DiscoveryClientOptionalArgs clientOptionalArgs = new DiscoveryClient.DiscoveryClientOptionalArgs();
        clientOptionalArgs.setEurekaJerseyClient(new EurekaJerseyClientImpl(
            config.getEurekaServerConnectTimeoutSeconds() * 1000,
            config.getEurekaServerReadTimeoutSeconds() * 1000,
            config.getEurekaConnectionIdleTimeoutSeconds() * 1000,
            clientConfig));
        return clientOptionalArgs;
    }

}

Exception

com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLPeerUnverifiedException: Certificate for <localhost> doesn't match any of the subject alternative names: [www.spendingbetter.com, spendingbetter.com]
    at com.sun.jersey.client.apache4.ApacheHttpClient4Handler.handle(ApacheHttpClient4Handler.java:187) ~[jersey-apache-client4-1.19.1.jar:1.19.1]
    at com.netflix.eureka.cluster.DynamicGZIPContentEncodingFilter.handle(DynamicGZIPContentEncodingFilter.java:48) ~[eureka-core-1.9.8.jar:1.9.8]
    at com.netflix.discovery.EurekaIdentityHeaderFilter.handle(EurekaIdentityHeaderFilter.java:27) ~[eureka-client-1.9.8.jar:1.9.8]
    at com.sun.jersey.api.client.Client.handle(Client.java:652) ~[jersey-client-1.19.1.jar:1.19.1]
    at com.sun.jersey.api.client.WebResource.handle(WebResource.java:682) ~[jersey-client-1.19.1.jar:1.19.1]
    at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74) ~[jersey-client-1.19.1.jar:1.19.1]
    at com.sun.jersey.api.client.WebResource$Builder.post(WebResource.java:570) ~[jersey-client-1.19.1.jar:1.19.1]
    at com.netflix.eureka.transport.JerseyReplicationClient.submitBatchUpdates(JerseyReplicationClient.java:116) ~[eureka-core-1.9.8.jar:1.9.8]
    at com.netflix.eureka.cluster.ReplicationTaskProcessor.process(ReplicationTaskProcessor.java:80) ~[eureka-core-1.9.8.jar:1.9.8]
    at com.netflix.eureka.util.batcher.TaskExecutors$BatchWorkerRunnable.run(TaskExecutors.java:193) [eureka-core-1.9.8.jar:1.9.8]
    at java.lang.Thread.run(Thread.java:748) [na:1.8.0_212]

Version Spring Boot: 2.1.2.RELEASE Spring Cloud: Greenwich.RC2

Comment From: TYsewyn

AFAIS this isn't a service discovery issue but a peer replication/update issue. And if I'm not mistaken there is no way to bypass SSL verification between peers during replication.

Comment From: spencergibb

There's an open pr for customizing the jersey client for peer replication

Comment From: bberto

@spencergibb can you link the open pr you're referring to?

Comment From: spencergibb

https://github.com/Netflix/eureka/pull/1212

Comment From: bberto

Thanks. I think was then merged with #3572. However I think it doesn't relates to this issue, regarding SSL configuration on jersey client for peer replication.

The only workaround I found is declaring a bean that extends PeerEurekaNodes overriding createPeerEurekaNode(). In this way I can create my own JerseyReplicationClient with a client obtained from EurekaJerseyClientBuilder.withCustomSSL()

Comment From: spencergibb

We could add an extension point to allow a custom Producer<JerseyReplicationClient>

Comment From: rodrigorodrigues

Hi @spencergibb if I can help somehow it would be great, just need to know more details.

Comment From: spencergibb

If this constructor https://github.com/spring-cloud/spring-cloud-netflix/blob/master/spring-cloud-netflix-eureka-server/src/main/java/org/springframework/cloud/netflix/eureka/server/EurekaServerAutoConfiguration.java#L291 had an optional JerseyReplicationClient we could use it rather than construct our own.