Host name verification off is not necessarily bad #28437

akka-docs/src/main/paradox/remoting-artery.md

@@ -333,6 +333,8 @@ It's recommended that you enable hostname verification with
 `akka.remote.artery.ssl.config-ssl-engine.hostname-verification=on`.
 When enabled it will verify that the destination hostname matches the hostname in the peer's certificate.
 
+In deployments where hostnames are dynamic and not known up front it can make sense to leave the hostname verification off.
+
 You have a few choices how to set up certificates and hostname verification:
 
 * Have a single set of keys and a single certificate for all nodes and *disable* hostname checking

akka-remote/src/main/resources/reference.conf

@@ -1158,6 +1158,9 @@ akka {
           require-mutual-authentication = on
 
           # Set this to `on` to verify hostnames with sun.security.util.HostnameChecker
+          # If possible it is recommended to have this enabled. Hostname verification is designed for
+          # situations where things locate each other by hostname, in scenarios where host names are dynamic
+          # and not known up front it can make sense to have this disabled.
           hostname-verification = off
         }
 

akka-remote/src/main/scala/akka/remote/artery/tcp/SSLEngineProvider.scala

@@ -88,12 +88,9 @@ class ConfigSSLEngineProvider(protected val config: Config, protected val log: M
     if (HostnameVerification)
       log.debug("TLS/SSL hostname verification is enabled.")
     else
-      log.warning(
+      log.info(
         LogMarker.Security,
-        "TLS/SSL hostname verification is disabled. " +
-        "Please configure akka.remote.artery.ssl.config-ssl-engine.hostname-verification=on " +
-        "and ensure the X.509 certificate on the host is correct to remove this warning. " +
-        "See Akka reference documentation for more information.")
+        "TLS/SSL hostname verification is disabled. See Akka reference documentation for more information.")
 
     constructContext()
   }