SSL verification depth


Mark Grimes

Jul 19, 2022, 12:04:04 PM
to WildFly
Back in JBOSS AS 6.4, before Undertow was introduced in 7, there was a way to modify the SSL verification certificate depth in JBOSS web (specifically "verify-depth").

In Undertow+Elytron, how does one now approach this for certificate chain issue testing? This capability does not appear to have transitioned to the new model schema. It appears the only way you can affect certificate depth now is exclusively with CRLs via the trust-manager model object.

Are there other configuration settings that can be used for similar behavior for testing?
Otherwise, is Wildfly's SSL verification solely based on complete certificate chain and hostname verification? Would one be able to disable hostname verification for testing?

// Mark

Sebastian Schnabl

Aug 19, 2022, 9:08:43 AM
to WildFly
> Otherwise, is Wildfly's SSL verification solely based on complete certificate chain and hostname verification?

The cert verification should be mostly handled by the caller, or rather the framework you are using to access WildFly. E.g. the wildfly-ejb-client API does not check the cert's hostname; Java's HTTP stack does the check. In Java you could override the default hostname verifier to accept any hostname:

     HttpsURLConnection.setDefaultHostnameVerifier((hostname, sslSession) -> true);

Sebastian
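
The client-side checks discussed in the reply above, as an added example that is not part of the thread and is not WildFly or Elytron code. It assumes a hypothetical test client `DepthLimitedClient` with command-line arguments `<https-url> <max-depth> <test-host>`: it wraps the JDK default trust manager to enforce a maximum chain length after normal validation, and sets the hostname verifier on one connection only, accepting a mismatch only for the named test host instead of replacing the JVM-wide default.

```java
import java.net.URI;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

public class DepthLimitedClient {
    // Run the JDK's normal chain validation, then enforce a maximum chain length.
    static X509TrustManager depthLimited(X509TrustManager delegate, int maxDepth) {
        return new X509TrustManager() {
            private void check(X509Certificate[] chain) throws CertificateException {
                // Counts the certificates the peer presented, leaf included.
                if (chain.length > maxDepth) {
                    throw new CertificateException(
                        "chain length " + chain.length + " exceeds limit " + maxDepth);
                }
            }
            @Override
            public void checkServerTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                delegate.checkServerTrusted(chain, authType);
                check(chain);
            }
            @Override
            public void checkClientTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                delegate.checkClientTrusted(chain, authType);
                check(chain);
            }
            @Override
            public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
        };
    }
    static X509TrustManager defaultTrustManager() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the JDK default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }
    // Assumed arguments: <https-url> <max-depth> <test-host>
    public static void main(String[] args) throws Exception {
        int maxDepth = Integer.parseInt(args[1]);
        String testHost = args[2];
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { depthLimited(defaultTrustManager(), maxDepth) }, null);
        HttpsURLConnection conn = (HttpsURLConnection) URI.create(args[0]).toURL().openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Per-connection verifier: a name mismatch is tolerated only for the one named test host.
        conn.setHostnameVerifier((hostname, session) -> hostname.equalsIgnoreCase(testHost));
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

`HttpsURLConnection` consults the verifier only when its built-in name check fails, so connections whose certificate already matches the URL host are unaffected.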