Add tlsNoVerifyHosts to disable TLS verification for certain hosts

core/src/main/java/com/linecorp/armeria/client/ClientFactoryBuilder.java

@@ -254,6 +254,17 @@ public ClientFactoryBuilder tlsNoVerify() {
         return this;
     }
 
+    /**
+     * Disables the verification of server's key certificate chain for specific hosts.
+     * <strong>Note:</strong> You should never use this in production but only for a testing purpose.
+     *
+     * @see #tlsCustomizer(Consumer)
+     */
+    public ClientFactoryBuilder tlsNoVerifyHosts(String... insecureHosts) {
+        tlsCustomizer(b -> b.trustManager(IgnoreHostsTrustManager.of(insecureHosts)));
+        return this;
+    }
+
     /**
      * Adds the {@link Consumer} which can arbitrarily configure the {@link SslContextBuilder} that will be
      * applied to the SSL session. For example, use {@link SslContextBuilder#trustManager(TrustManagerFactory)}

core/src/main/java/com/linecorp/armeria/client/IgnoreHostsTrustManager.java

@@ -0,0 +1,115 @@
+/*
+ *  Copyright 2020 LINE Corporation
+ *
+ *  LINE Corporation licenses this file to you under the Apache License,
+ *  version 2.0 (the "License"); you may not use this file except in compliance
+ *  with the License. You may obtain a copy of the License at:
+ *
+ *    https://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ *  License for the specific language governing permissions and limitations
+ *  under the License.
+ */
+
+package com.linecorp.armeria.client;
+
+import static java.util.Objects.requireNonNull;
+
+import java.net.Socket;
+import java.security.GeneralSecurityException;
+import java.security.KeyStore;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.util.Set;
+
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.X509ExtendedTrustManager;
+
+import com.google.common.collect.ImmutableSet;
+
+/**
+ * An implementation of {@link X509ExtendedTrustManager} that skips verification on whitelisted hosts.
+ */
+final class IgnoreHostsTrustManager extends X509ExtendedTrustManager {
+
+    private final X509ExtendedTrustManager delegate;
+    private final Set<String> insecureHosts;
+
+    IgnoreHostsTrustManager(X509ExtendedTrustManager delegate, Set<String> insecureHosts) {
+        this.delegate = delegate;
+        this.insecureHosts = insecureHosts;
+    }
+
+    /**
+     * Returns new {@link IgnoreHostsTrustManager} instance.
+     */
+    static IgnoreHostsTrustManager of(String... insecureHosts) {
+        X509ExtendedTrustManager delegate = null;
+        try {
+            final TrustManagerFactory trustManagerFactory = TrustManagerFactory
+                    .getInstance(TrustManagerFactory.getDefaultAlgorithm());
+            trustManagerFactory.init((KeyStore) null);
+            final TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
+            for (TrustManager tm : trustManagers) {
+                if (tm instanceof X509ExtendedTrustManager) {
+                    delegate = (X509ExtendedTrustManager) tm;
+                    break;
+                }
+            }
+        } catch (GeneralSecurityException ignored) {
+            // ignore
+        }
+        requireNonNull(delegate, "cannot resolve default trust manager");
+        return new IgnoreHostsTrustManager(delegate, ImmutableSet.copyOf(insecureHosts));
+    }
+
+    @Override
+    public void checkServerTrusted(X509Certificate[] x509Certificates, String s, Socket socket)
+            throws CertificateException {
+        if (!insecureHosts.contains(socket.getInetAddress().getHostName())) {
+            delegate.checkServerTrusted(x509Certificates, s, socket);
+        }
+    }
+
+    @Override
+    public void checkServerTrusted(X509Certificate[] x509Certificates, String s, SSLEngine sslEngine)
+            throws CertificateException {
+        if (!insecureHosts.contains(sslEngine.getPeerHost())) {
+            delegate.checkServerTrusted(x509Certificates, s, sslEngine);
+        }
+    }
+
+    @Override
+    public void checkServerTrusted(X509Certificate[] x509Certificates, String s)
+            throws CertificateException {
+        throw new UnsupportedOperationException();
+    }
+
+    @Override
+    public void checkClientTrusted(X509Certificate[] x509Certificates, String s, Socket socket)
+            throws CertificateException {
+        throw new UnsupportedOperationException();
+    }
+
+    @Override
+    public void checkClientTrusted(X509Certificate[] x509Certificates, String s, SSLEngine sslEngine)
+            throws CertificateException {
+        throw new UnsupportedOperationException();
+    }
+
+    @Override
+    public void checkClientTrusted(X509Certificate[] x509Certificates, String s)
+            throws CertificateException {
+        throw new UnsupportedOperationException();
+    }
+
+    @Override
+    public X509Certificate[] getAcceptedIssuers() {
+        return delegate.getAcceptedIssuers();
+    }
+}

core/src/test/java/com/linecorp/armeria/client/HttpClientSniTest.java

@@ -17,6 +17,7 @@
 package com.linecorp.armeria.client;
 
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
 
 import java.security.cert.X509Certificate;
 import java.util.concurrent.CompletableFuture;
@@ -115,17 +116,6 @@ private static void testMismatch(String fqdn) throws Exception {
         assertThat(get(fqdn)).isEqualTo("b.com: CN=b.com");
     }
 
-    private static String get(String fqdn) throws Exception {
-        final WebClient client = WebClient.builder("https://" + fqdn + ':' + httpsPort)
-                                          .factory(clientFactory)
-                                          .build();
-
-        final AggregatedHttpResponse response = client.get("/").aggregate().get();
-
-        assertThat(response.status()).isEqualTo(HttpStatus.OK);
-        return response.contentUtf8();
-    }
-
     @Test
     void testCustomAuthority() throws Exception {
         final WebClient client = WebClient.builder(SessionProtocol.HTTPS,
@@ -152,6 +142,40 @@ void testCustomAuthorityWithAdditionalHeaders() throws Exception {
         }
     }
 
+    @Test
+    void testTlsNoVerifyHosts() throws Exception {
+        try (ClientFactory clientFactoryIgnoreHosts = ClientFactory.builder()
+                .tlsNoVerifyHosts("a.com", "b.com")
+                .addressResolverGroupFactory(group -> MockAddressResolverGroup.localhost())
+                .build()) {
+            assertThat(get("a.com", clientFactoryIgnoreHosts)).isEqualTo("a.com: CN=a.com");
+            assertThatThrownBy(() -> get("c.com", clientFactoryIgnoreHosts))
+                    .hasStackTraceContaining("javax.net.ssl.SSLHandshakeException");
+        }
+    }
+
+    private static String get(String fqdn) throws Exception {
+        final WebClient client = WebClient.builder("https://" + fqdn + ':' + httpsPort)
+                .factory(clientFactory)
+                .build();
+
+        final AggregatedHttpResponse response = client.get("/").aggregate().get();
+
+        assertThat(response.status()).isEqualTo(HttpStatus.OK);
+        return response.contentUtf8();
+    }
+
+    private static String get(String fqdn, ClientFactory clientFactory) throws Exception {
+        final WebClient client = WebClient.builder("https://" + fqdn + ':' + httpsPort)
+                .factory(clientFactory)
+                .build();
+
+        final AggregatedHttpResponse response = client.get("/").aggregate().get();
+
+        assertThat(response.status()).isEqualTo(HttpStatus.OK);
+        return response.contentUtf8();
+    }
+
     private static class SniTestService extends AbstractHttpService {
 
         private final String domainName;