
Disable TLS certificate verification after EMA 3.5 to 3.6.1 upgrade (Java)

We are using EMA with the RRT Optimized AWS endpoints. As such, the servers that we are trying to connect to appear to lie in our own network, and we have custom hostnames/IP addresses - but the actual servers are hosted by Refinitiv in Singapore.

We recently upgraded from EMA 3.5 to 3.6.1 (Java) to find we see the following error. It seems that the new EMA API is attempting to verify the TLS certificate hostname. This will naturally fail in an AWS endpoint scenario because we won't be using the Refinitiv hostname.

When we connect to the internal IP address, we see a certificate issued to 'apac-1-t1.streaming-pricing-api.refinitiv.com'.

We would like to disable TLS certificate verification (or at least the hostname verification). Although this is normally extremely reckless, because we are using an AWS endpoint, we know that the communication is not going to be subject to MITM attacks.

Here is the error we see in our logs. The presence of 'subject alternative DNS name' is proof that the problem is because of the TLS certificate verification.

Please help us to investigate why we saw this regression moving from EMA 3.5 to EMA 3.6.1 and let us know how we can address it (for example, by registering our own Java trust manager, or otherwise setting an option to disable the verification that EMA is passing to its HTTP client library).

[18:53:31,908] WARN [our process] main - loggerMsg

ClientName: ChannelCallbackClient

Severity: Warning

Text: Received ChannelDownReconnecting event on channel Channel_1

RsslReactor @6574a52c

RsslChannel @6c1a5b54

Error Id 0

Internal sysError 0

Error Location Reactor.processWorkerEvent

Error text Error initializing channel: errorId=-1 text=No subject alternative DNS name matching our-hostname.our-domain.com found.

loggerMsgEnd

Tags: elektron, refinitiv-realtime, elektron-sdk, rrt, ema-api, elektron-message-api

Hi @kohei.miyazawa

We do not recommend disabling TLS certificate validation, as we consider this to be highly insecure. The recommendation is for you to create a private DNS entry so that something like 'apac-1-t1.streaming-pricing-api.refinitiv.com' (the RRT Optimized endpoint) resolves to 'abcd.privatelink.efgh.com' (your private link).


@kohei.miyazawa

I found that the code has been changed in the Refinitiv Real-Time SDK 3.6.

sslParameters.setEndpointIdentificationAlgorithm(ENDPOINT_IDENTIFICATION_ALGORITHM); 

I couldn't find this line in the 3.5 version.

When I remove this line, the application can connect to the server properly without the "No subject alternative DNS name matching xxx found" error.

I couldn't find an option used to disable this feature in the Refinitiv Real-Time SDK.

Therefore, you can build your own library by removing that line. Otherwise, you can raise an issue in GitHub to provide a parameter to turn off this feature.

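An added illustration of what both answers above are talking about. This is not code from the thread, from EMA, or from the Real-Time SDK; it is a Python model of the check that `setEndpointIdentificationAlgorithm("HTTPS")` turns on in the JDK: the name the client *requested* is matched against the certificate's dNSName SANs (RFC 6125 rules: exact match, or a single leftmost wildcard label; an IP literal only ever matches an iPAddress SAN). The SAN list mirrors the certificate the poster saw; the private-link address, the resolver tables and the rogue certificate are constructed. It runs the three strategies side by side: connecting to the private alias (the reported error), the accepted answer's private DNS entry (the real hostname resolves to the private IP, so verification still passes), and the second answer's removal of endpoint identification (connects, but would also accept a certificate for any other name on the same IP).

```python
"""Model of JDK HTTPS endpoint identification as applied to the thread's scenario.
All data below is constructed for illustration; only the SAN matches the
certificate named in the question."""
import ipaddress

REAL = "apac-1-t1.streaming-pricing-api.refinitiv.com"   # name in the server cert
ALIAS = "our-hostname.our-domain.com"                     # the poster's private name
PRIVATE_IP = "10.0.12.34"                                 # assumed private-link IP

# Constructed SAN lists: the real endpoint's cert and a hypothetical rogue cert
# that something else on the private network could present.
CERT_SANS = [("DNS", REAL)]
ROGUE_SANS = [("DNS", "attacker.example")]

# Same wording as the JDK/EMA error in the question's log.
SAN_ERROR = "No subject alternative DNS name matching {} found."


def san_matches(requested: str, sans) -> bool:
    """RFC 6125-style match of the requested name against SAN entries.
    Hostnames match dNSName SANs only (exact, or '*.' wildcard covering exactly
    one leftmost label); IP literals match iPAddress SANs only."""
    try:
        ip = ipaddress.ip_address(requested)
    except ValueError:
        ip = None
    if ip is not None:
        return any(t == "IP" and ipaddress.ip_address(v) == ip for t, v in sans)

    host = requested.lower().rstrip(".")
    for san_type, value in sans:
        if san_type != "DNS":
            continue
        pattern = value.lower().rstrip(".")
        if pattern == host:
            return True
        if pattern.startswith("*.") and "*" not in pattern[2:]:
            labels = host.split(".")
            # wildcard must replace one label and never the whole public suffix
            if len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]:
                return True
    return False


def connect(requested_name: str, resolver: dict, presented_sans,
            endpoint_identification: bool = True):
    """Simulated client: resolve the name, 'connect', then verify the presented
    certificate against the *requested* name, not the resolved address.
    Returns (ip, error_text_or_None), mirroring what EMA logs."""
    ip = resolver.get(requested_name)
    if ip is None:
        return None, "unknown host: " + requested_name
    if endpoint_identification and not san_matches(requested_name, presented_sans):
        return ip, SAN_ERROR.format(requested_name)
    return ip, None


# Constructed resolver tables.
ALIAS_ONLY = {ALIAS: PRIVATE_IP}                     # what the poster has today
PRIVATE_DNS = {ALIAS: PRIVATE_IP, REAL: PRIVATE_IP}  # the accepted answer's fix


def connect_via_alias():
    """EMA 3.6.1 behaviour when configured with the private alias."""
    return connect(ALIAS, ALIAS_ONLY, CERT_SANS)


def connect_via_private_dns():
    """Configure EMA with the real hostname; private DNS sends it to the link."""
    return connect(REAL, PRIVATE_DNS, CERT_SANS)


def connect_identification_off(presented_sans):
    """What removing setEndpointIdentificationAlgorithm buys: any cert passes."""
    return connect(ALIAS, ALIAS_ONLY, presented_sans, endpoint_identification=False)


if __name__ == "__main__":
    print("alias, identification on :", connect_via_alias())
    print("real name via private DNS:", connect_via_private_dns())
    print("alias, identification off:", connect_identification_off(CERT_SANS))
    print("rogue cert, identification off:", connect_identification_off(ROGUE_SANS))
```

The point the model makes explicit: hostname verification keys on the name the client asked for, so a private DNS record that maps the certificate's own name to the private-link address keeps the full check intact, whereas dropping endpoint identification makes the client accept a certificate for `attacker.example` on that same address just as readily as the genuine one.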