Disable hostname verification for NettyChannelBuilder

[shank9918]

Please answer these questions before submitting your issue.

What version of gRPC are you using?

1.3.0

What JVM are you using (java -version)?

java version "1.8.0_73"
Java(TM) SE Runtime Environment (build 1.8.0_73-b02)
Java HotSpot(TM) 64-Bit Server VM (build 25.73-b02, mixed mode)

What did you do?

If possible, provide a recipe for reproducing the error.
Using certificated with

What did you expect to see?

Need some mechanism to disable hostname verification during SSL handshake.

What did you see instead?

We are using certificates having generic CommonName which doesn't reflect the hostname. And hence the hostname verification fails.

[ejona86]

We purposefully do not expose an (easy) way to disable hostname verification as it disables an important security feature. Instead, generally you can call channelBuilder.overrideAuthority(String commonName) to set the "hostname" you expect. In this case, it would be the "generic CommonName" you mentioned.

overrideAuthority is functionally similar to adding the hostname to /etc/hosts, except the hostname isn't used at all for the DNS lookup.

[shotahino]

@ejona86 What should we do when the common name is not known? Could you please provide an example of how to disable hostname verification? Please see #3880

[ejona86]

Disabling hostname verification disables an essential part of authentication, and disabling it permits man-in-the-middle attacks. So the answer is generally "don't do that."

[Ahhmyface]

@ejona86 There's still value to using certificates even if they can't provide strict authentication. eg. Encryption and post-cert-install detection of a server change. Better than using setPlainText(true) (which has been exposed) wouldn't you say?