diff --git a/proxy/src/main/java/com/velocitypowered/proxy/network/http/NettyHttpClient.java b/proxy/src/main/java/com/velocitypowered/proxy/network/http/NettyHttpClient.java
index 4b667ae86..3859aefbb 100644
--- a/proxy/src/main/java/com/velocitypowered/proxy/network/http/NettyHttpClient.java
+++ b/proxy/src/main/java/com/velocitypowered/proxy/network/http/NettyHttpClient.java
@@ -53,8 +53,14 @@ public class NettyHttpClient {
 @Override
 public void channelCreated(Channel channel) throws Exception {
 if (key.getPort() == 443) {
- SslContext context = SslContextBuilder.forClient().build();
- SSLEngine engine = context.newEngine(channel.alloc());
+ SslContext context = SslContextBuilder.forClient().protocols("TLSv1.2").build();
+ // Unbelievably, Java doesn't automatically check the CN to make sure we're talking
+ // to the right host! Therefore, we provide the intended host name and port, along
+ // with asking Java very nicely if it could check the hostname in the certificate
+ // for us.
+ SSLEngine engine = context.newEngine(channel.alloc(), key.getHostString(),
+ key.getPort());
+ engine.getSSLParameters().setEndpointIdentificationAlgorithm("HTTPS");
 channel.pipeline().addLast("ssl", new SslHandler(engine));
 }
 channel.pipeline().addLast("http", new HttpClientCodec());
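Review bot: The added `engine.getSSLParameters().setEndpointIdentificationAlgorithm("HTTPS");` does not enable hostname verification, because `SSLEngine.getSSLParameters()` returns a copy and the modified copy is never handed back to the engine. The connection therefore still accepts any certificate that chains to a trusted root, whatever host it names, which is the gap the new comment says it closes. Apply the setting with `SSLParameters params = engine.getSSLParameters();`, `params.setEndpointIdentificationAlgorithm("HTTPS");` and `engine.setSSLParameters(params);`, plus an import of `javax.net.ssl.SSLParameters` outside this hunk. Separately, `protocols("TLSv1.2")` pins one exact version, so TLS 1.3 will not be negotiated even where both ends support it; if a minimum version was intended, a comment should say so. The body of `channelCreated` continues past the end of the hunk.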