Add insecureSkipHostnameVerify Support to FFI-Based SDKs
Background
We recently fixed TLS self-signed certificate support in the Java SDK (v1.1.1-rc.7) by adding the insecureSkipHostnameVerify option to the TlsConfig class. This option allows users to skip hostname verification while still validating the certificate chain, which is essential for self-signed certificates that don't have proper Subject Alternative Names (SAN) entries.
The underlying FFI engine already supports this option (added in commits a8116b8 and a29a584), but the client SDKs need to be updated to expose this configuration option to users.
Problem Statement
Self-signed certificates often don't include proper Subject Alternative Names (SAN) that match the hostname you're connecting to. When TLS hostname verification checks that the hostname in the connection URL matches one of the names in the certificate's SAN field, it fails even though the certificate itself is valid and trusted through custom CA configuration.
Solution
Add insecureSkipHostnameVerify field to the TlsConfig classes in all FFI-based SDKs and update any builder patterns to support this option.
Implementation Checklist
✅ Completed
- Java SDK - Added in v1.1.1-rc.7 with builder pattern support
🔄 Remaining FFI-Based SDKs
- Python SDK (`flipt-client-python`)
  - Add `insecure_skip_hostname_verify` field to `TlsConfig` class in `flipt_client/models.py`
  - Update field validation and serialization
  - Update README with usage examples
  - Create new release
- Ruby SDK (`flipt-client-ruby`)
  - Add `insecure_skip_hostname_verify` field to `TlsConfig` class in `lib/flipt_client/models.rb`
  - Update `initialize` method parameters
  - Update `to_h` method for JSON serialization
  - Update README with usage examples
  - Create new release
- C# SDK (`flipt-client-csharp`)
  - Add `InsecureSkipHostnameVerify` property to `TlsConfig` class in `src/FliptClient/Models/TlsConfig.cs`
  - Add JSON serialization attributes
  - Update README with usage examples
  - Create new release
- Dart SDK (`flipt-client-dart`)
  - Add `insecureSkipHostnameVerify` field to `TlsConfig` class in `lib/src/models.dart`
  - Update constructor parameters
  - Update JSON serialization methods
  - Update README with usage examples
  - Create new release
- Swift SDK (`flipt-client-swift`)
  - Create `TlsConfig` class in Swift (currently missing TLS support entirely)
  - Add `insecureSkipHostnameVerify` field
  - Update `FliptClient` to accept TLS configuration
  - Update client options serialization
  - Update README with usage examples
  - Create new release
- Kotlin Android SDK (`flipt-client-kotlin-android`)
  - Create `TlsConfig` class in Kotlin (currently missing TLS support entirely)
  - Add `insecureSkipHostnameVerify` field
  - Add to `ClientOptions` class
  - Update serialization
  - Update README with usage examples
  - Create new release
Implementation Notes
Field Naming Convention
- Java/Kotlin: `insecureSkipHostnameVerify` (camelCase)
- Python: `insecure_skip_hostname_verify` (snake_case)
- Ruby: `insecure_skip_hostname_verify` (snake_case)
- C#: `InsecureSkipHostnameVerify` (PascalCase)
- Dart: `insecureSkipHostnameVerify` (camelCase)
- Swift: `insecureSkipHostnameVerify` (camelCase)
JSON Serialization
All SDKs should serialize this field as "insecure_skip_hostname_verify" in JSON to match the FFI engine's expected format.
Documentation Template
Each SDK should include usage examples like:
```java
// Configuration for self-signed certificates with hostname mismatch
TlsConfig tlsConfig = TlsConfig.builder()
    .caCertFile("/path/to/ca.pem")
    .insecureSkipHostnameVerify(true) // Skip hostname verification only
    .build();
```
Testing
- Add integration tests for the new field
- Test with actual self-signed certificates
- Verify JSON serialization works correctly
- Test with various hostname scenarios
Related Issues/PRs
- Original issue: https://github.com/orgs/flipt-io/discussions/4366
- Java SDK implementation: commit a8116b8 and a29a584
- FFI engine support: Already implemented in `flipt-engine-ffi/src/tls.rs`
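Added example, not part of the issue and not code from any Flipt SDK: a Python sketch of the Python SDK checklist items (the field, its validation, and serialization under the `insecure_skip_hostname_verify` key), plus a mapping onto Python's `ssl` module showing that the flag drops only the name check while chain validation stays required. The class shape and the method names `to_engine_json` and `to_ssl_context` are hypothetical.

```python
import json
import ssl
from dataclasses import asdict, dataclass
from typing import Optional


@dataclass(frozen=True)
class TlsConfig:
    """Hypothetical stand-in for an SDK TlsConfig model (not the real SDK class)."""

    ca_cert_file: Optional[str] = None
    insecure_skip_hostname_verify: Optional[bool] = None

    def __post_init__(self) -> None:
        # Reject truthy non-bools such as the string "false", which would
        # otherwise switch hostname verification off by accident.
        value = self.insecure_skip_hostname_verify
        if value is not None and not isinstance(value, bool):
            raise TypeError("insecure_skip_hostname_verify must be a bool")

    def to_engine_json(self) -> str:
        # The snake_case attribute names are also the JSON keys, so the flag is
        # emitted as "insecure_skip_hostname_verify". Unset fields are omitted.
        return json.dumps({k: v for k, v in asdict(self).items() if v is not None})

    def to_ssl_context(self) -> ssl.SSLContext:
        # Illustration of the option's meaning in Python ssl terms only; the
        # FFI engine performs the real TLS handling.
        ctx = ssl.create_default_context(cafile=self.ca_cert_file)
        if self.insecure_skip_hostname_verify:
            # Drop the SAN/hostname match. verify_mode is left at
            # CERT_REQUIRED, so an untrusted chain is still rejected.
            ctx.check_hostname = False
        return ctx


if __name__ == "__main__":
    cfg = TlsConfig(insecure_skip_hostname_verify=True)  # constructed sample input
    ctx = cfg.to_ssl_context()
    print(cfg.to_engine_json())
    print("hostname check:", ctx.check_hostname)
    print("chain required:", ctx.verify_mode == ssl.CERT_REQUIRED)
```

Leaving `verify_mode` at `CERT_REQUIRED` is what separates this option from disabling certificate verification altogether, and a serialization test for any SDK can assert on the exact key name as done here.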