How does the sslvch option of SDKPerf work

yangsen Member, Employee Posts: 23 Solace Employee

In the newer versions of SDKPerf, such as sdkperf-jcsmp-8.4.5.19 and sdkperf-jms-8.4.6.5, there is an option "sslvch" whose description is "Enable validation of certificate hostname". How does the validation work, and what is the expected output when this option is applied?

I tried different combinations, but didn't see any difference whether this option is applied or not. For example, the hostname of my server is set to "server1", and the CN/SAN of the server certificate is set to "mydomain.com". SDKPerf will still work without error, even when sslvch is applied.

Answers

  • marc
    marc Member, Administrator, Moderator, Employee Posts: 920 admin

    Hi @yangsen,

    I asked some folks internally and the info I got back is that sdkperf simply sets the SSL_VALIDATE_CERTIFICATE_HOST value to true in JCSMP when that argument is provided.

    From https://docs.solace.com/API-Developer-Online-Ref-Documentation/java/com/solacesystems/jcsmp/JCSMPProperties.html

    Session property to indicate if the session connection should fail when a certificate with an invalid host is received. When enabled (by default), and connecting to a named host, the certificate Subject Alternative Name must contain a DNS entry that matches the host string. When enabled, and connecting to a host by IP address, the certificate Subject Alternative Name must contain an IP Address that matches. If there is no Subject Alternate Name the certificate Common Name (CN) must match the named host.
    
    This property has effect only when SSL_VALIDATE_CERTIFICATE property is enabled/set to true
    
    Disabling of this property IS NOT RECOMMENDED
    

    Which likely means -sslvc must also be provided for -sslvch to have an effect.

    See if that works for you!
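
The matching rule in the documentation quoted above, modelled as an added example (not Solace or SDKPerf code, and not part of the original posts) and run against the certificate from the question. The function names are hypothetical, chain validation is assumed to succeed, and only exact case-insensitive name matching is modelled (no wildcards).

```python
import ipaddress

def parse_ip(text):
    """Return an ip_address object, or None if text is not an IP literal."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def host_matches_cert(host, san_dns=(), san_ips=(), cn=None):
    """Apply the quoted rule: SAN decides when present, CN only when there is no SAN."""
    ip = parse_ip(host)
    if san_dns or san_ips:
        if ip is not None:
            return any(parse_ip(entry) == ip for entry in san_ips)
        return any(entry.lower() == host.lower() for entry in san_dns)
    # No SAN at all: the CN must match the named host. Treating an IP-literal
    # host as a non-match here is this example's reading of "named host".
    return ip is None and cn is not None and cn.lower() == host.lower()

def connection_allowed(host, cert, validate_certificate, validate_host):
    """Model the two session properties; chain validation is assumed to pass."""
    if not validate_certificate:
        return True   # SSL_VALIDATE_CERTIFICATE off: host check has no effect
    if not validate_host:
        return True   # SSL_VALIDATE_CERTIFICATE_HOST off: name not compared
    return host_matches_cert(host, **cert)

# Constructed certificate mirroring the question: CN and SAN are "mydomain.com".
QUESTION_CERT = {"san_dns": ["mydomain.com"], "san_ips": [], "cn": "mydomain.com"}

if __name__ == "__main__":
    for vc, vh in [(False, True), (True, False), (True, True)]:
        ok = connection_allowed("server1", QUESTION_CERT, vc, vh)
        print(f"validate_certificate={vc} validate_host={vh} -> allowed={ok}")
```

Under this model, connecting to "server1" is rejected only when both properties are enabled, which is the case where a certificate issued for "mydomain.com" should cause the session to fail.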