Can`t use an ip address in the 'new ApnsClientBuilder().setApnsServer' method.

[keepbang]

I got a list of ip addresses from 'api.push.apple.com'

So I wrote the code like below.

ApnsClient apnsClient = new ApnsClientBuilder()
                    .setApnsServer('17.188.180.78',443)
                    .setClientCredentials(new File("/certificate.p12"), "password")
                    .build();

SimpleApnsPushNotification pushNotification = new SimpleApnsPushNotification(token, topic, payload);
PushNotificationFuture<SimpleApnsPushNotification, PushNotificationResponse<SimpleApnsPushNotification>> sendNotificationFuture = apnsClient.sendNotification(pushNotification);
PushNotificationResponse<SimpleApnsPushNotification> notificationResponse = sendNotificationFuture.get();

but this code throws SSLHandshakeException.

io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: No subject alternative names matching IP address 17.188.180.78 found

How to use IP address?

[jchambers]

How to use IP address?

Generally speaking, you can't.

While it might be technically possible to hack things such that you'll wind up with code that "works," it would be brittle and involve some significant security compromises. There are a few issues at play here:

1. X.509 certificates have a "subject name," which in practice says which domain they'll work with. In particular, the subject for the APNs certificate is subject=/CN=api.push.apple.com/OU=management:idms.group.887777/O=Apple Inc./ST=California/C=US, which means clients should only trust it for api.push.apple.com; if you're connecting by IP, clients will check to see if the certificate's subject explicitly names that IP (which it doesn't).
2. IPs for APNs server change constantly. Apple is frequently adding new servers, removing old ones, and shuffling IPs around as servers need maintenance or get updated. Hard-coding an IP is unlikely to work for any extended amount of time.

Can you say more about why you want to do this? Why not just connect to api.push.apple.com?

[keepbang]

I think if you try to connect to api.push.apple.com often, the IP you want to connect to will be blocked.
So I'm going to connect with the ip list that came out by doing the dns query for each connection.

If I connect to api.push.apple.com, will it automatically load balancing and send a message?

[jchambers]

I think if you try to connect to api.push.apple.com often, the IP you want to connect to will be blocked.

I'm sorry; I don't think I understand the concern. Can you rephrase?

I think you mean that you're concerned that Apple will add you to some kind of "prohibited list" and block connections if you connect too often. I'm honestly not sure if that will happen at all, and it should certainly never happen under normal operating conditions if you're following best practices like treating clients as long-lived resources. Even if there were such a system in place, I highly doubt that connecting by IP would be a viable workaround (and wouldn't be something we'd want to support in Pushy anyhow).

If I connect to api.push.apple.com, will it automatically load balancing and send a message?

Yes. Unless you're using a proxy, Pushy will use a round-robin DNS resolver, which will distribute connections across all known APNs servers:

pushy/pushy/src/main/java/com/eatthepath/pushy/apns/ApnsChannelFactory.java

Lines 85 to 87 in 0e74879

	this.addressResolverGroup = new RoundRobinDnsAddressResolverGroup(
	ClientChannelClassUtil.getDatagramChannelClass(eventLoopGroup),
	DefaultDnsServerAddressStreamProvider.INSTANCE);

In essence, Pushy is already doing exactly what you're describing: it gets the list of IP addresses associated with api.push.apple.com and balances connections across those IP addresses.