apupier commented on code in PR #23924:
URL: https://github.com/apache/camel/pull/23924#discussion_r3401368456


##########
components/camel-http/src/main/java/org/apache/camel/component/http/HttpComponent.java:
##########
@@ -604,14 +606,18 @@ protected TlsSocketStrategy createTlsStrategy(
             HostnameVerifier x509HostnameVerifier,
             SSLContextParameters sslContextParams, boolean useSystemProperties)
             throws GeneralSecurityException, IOException {
-        // create the TLS strategy to use
-        if (sslContextParams != null) {
-            return new 
DefaultClientTlsStrategy(sslContextParams.createSSLContext(getCamelContext()), 
x509HostnameVerifier);
-        } else {
-            return new DefaultClientTlsStrategy(
-                    useSystemProperties ? SSLContexts.createSystemDefault() : 
SSLContexts.createDefault(),
-                    x509HostnameVerifier);
-        }
+        SSLContext sslContext = sslContextParams != null
+                ? sslContextParams.createSSLContext(getCamelContext())
+                : (useSystemProperties ? SSLContexts.createSystemDefault() : 
SSLContexts.createDefault());
+        // httpclient 5.6 changed DefaultClientTlsStrategy to use BOTH policy 
by default,
+        // which enables the JDK built-in hostname check via SSLParameters in 
addition to the
+        // custom verifier. Use CLIENT so only the configured verifier decides 
— this restores
+        // the 5.5.2 behavior where NoopHostnameVerifier actually disables 
verification.
+        return ClientTlsStrategyBuilder.create()
+                .setSslContext(sslContext)
+                .setHostnameVerifier(x509HostnameVerifier)
+                .setHostVerificationPolicy(HostnameVerificationPolicy.CLIENT)
+                .buildClassic();
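Review bot: The unconditional `.setHostVerificationPolicy(HostnameVerificationPolicy.CLIENT)` at the end of the hunk switches off the JDK built-in endpoint identification for every caller, not only for those that configured NoopHostnameVerifier, so hostname verification now rests entirely on whatever `x509HostnameVerifier` is passed in, including callers that pass null and expect the library default. Consider keeping the httpclient 5.6 default policy and selecting CLIENT only when the caller explicitly opted out, e.g. `x509HostnameVerifier instanceof NoopHostnameVerifier`, and document in the method javadoc that a no-op verifier disables hostname verification entirely rather than leaving that only in the inline comment.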

Review Comment:
   Sounds like the 5.6 behavior is a more secure one. So I'm not sure that it is a good idea to revert to the 5.5.2 behavior.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
