Skip to content

fix: skip TLS hostname verification when rejectUnauthorized=false#86

Open
wyattmog wants to merge 1 commit into
Mapepire-IBMi:mainfrom
wyattmog:fix/reject-unauthorized-skip-hostname-verification
Open

fix: skip TLS hostname verification when rejectUnauthorized=false#86
wyattmog wants to merge 1 commit into
Mapepire-IBMi:mainfrom
wyattmog:fix/reject-unauthorized-skip-hostname-verification

Conversation

@wyattmog

@wyattmog wyattmog commented Jul 6, 2026

Copy link
Copy Markdown

Related to ibmi-mcp-server-lite#17

rejectUnauthorized=false now skips TLS hostname verification in addition to certificate chain validation. motivated by TLS hostname verification in ibmi-mcp-server-lite: users setting ignore-unauthorized: true expect full TLS relaxation during development/self-signed cert scenarios, but connections still failed with No subject alternative names matching ... when the connect host did not match the Mapepire certificate SAN (DNS alias, loopback name, or IP).

Changes

  • Updated: SqlJob - override onSetSSLParameters on the WebSocketClient in getChannel(); when rejectUnauthorized=false, clear endpointIdentificationAlgorithm; when true (default), call super.onSetSSLParameters() so HTTPS hostname verification stays enabled
  • Updated: ConnectTest - rejectUnauthorizedFalseConnectsWhenCertificateDoesNotMatchHost (connect via resolved IP with rejectUnauthorized=false; expects success)
  • Updated: ConnectTest - rejectUnauthorizedTrueFailsWhenCertificateDoesNotMatchHost (same SAN mismatch with rejectUnauthorized=true + pinned CA; expects hostname verification failure)

Testing

# Reproduction / fix verification (requires config.properties + reachable IBM i)
mvn test '-Dtest=ConnectTest#rejectUnauthorizedFalseConnectsWhenCertificateDoesNotMatchHost'
mvn test '-Dtest=ConnectTest#rejectUnauthorizedTrueFailsWhenCertificateDoesNotMatchHost'

rejectUnauthorized=false already skipped certificate chain validation but Java-WebSocket still enabled HTTPS endpoint identification, causing SAN mismatches to fail. overrides onSetSSLParameters to clear endpoint identification when rejectUnauthorized is false

Signed-off-by: Wyatt Mogelson <wyattmog@icloud.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant