Croway commented on code in PR #23924:
URL: https://github.com/apache/camel/pull/23924#discussion_r3401820207
##########
components/camel-http/src/main/java/org/apache/camel/component/http/HttpComponent.java:
##########
@@ -604,14 +606,18 @@ protected TlsSocketStrategy createTlsStrategy(
HostnameVerifier x509HostnameVerifier,
SSLContextParameters sslContextParams, boolean useSystemProperties)
throws GeneralSecurityException, IOException {
- // create the TLS strategy to use
- if (sslContextParams != null) {
- return new
DefaultClientTlsStrategy(sslContextParams.createSSLContext(getCamelContext()),
x509HostnameVerifier);
- } else {
- return new DefaultClientTlsStrategy(
- useSystemProperties ? SSLContexts.createSystemDefault() :
SSLContexts.createDefault(),
- x509HostnameVerifier);
- }
+ SSLContext sslContext = sslContextParams != null
+ ? sslContextParams.createSSLContext(getCamelContext())
+ : (useSystemProperties ? SSLContexts.createSystemDefault() :
SSLContexts.createDefault());
+ // httpclient 5.6 changed DefaultClientTlsStrategy to use BOTH policy
by default,
+ // which enables the JDK built-in hostname check via SSLParameters in
addition to the
+ // custom verifier. Use CLIENT so only the configured verifier decides
— this restores
+ // the 5.5.2 behavior where NoopHostnameVerifier actually disables
verification.
+ return ClientTlsStrategyBuilder.create()
+ .setSslContext(sslContext)
+ .setHostnameVerifier(x509HostnameVerifier)
+ .setHostVerificationPolicy(HostnameVerificationPolicy.CLIENT)
+ .buildClassic();
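Review bot: HostnameVerificationPolicy.CLIENT is applied unconditionally, so the JDK built-in hostname check that BOTH would add is dropped for every caller, not only for the NoopHostnameVerifier case the comment wants to restore; consider selecting CLIENT only when the configured verifier is one that deliberately disables checking (e.g. `x509HostnameVerifier instanceof NoopHostnameVerifier`) and keeping the builder default otherwise, so users who never opted out retain both layers. Related: if `x509HostnameVerifier` can reach this method as null, under CLIENT policy nothing in the visible code supplies a fallback verifier, so either assert non-null or fall back explicitly before `setHostnameVerifier(...)`. It would also help to state in the method Javadoc that hostname verification now rests solely on the supplied verifier.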
Review Comment:
Good point. I'd say let's keep it as is for now; I've opened
https://issues.apache.org/jira/browse/CAMEL-23743 so that we do not forget to
improve this part.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]