This is an automated email from the ASF dual-hosted git repository.

fanningpj pushed a commit to branch 1.2.x
in repository https://gitbox.apache.org/repos/asf/pekko-management.git


The following commit(s) were added to refs/heads/1.2.x by this push:
     new af6160f8 HTTP Client: use Java Runtime default trust store if ca-path 
is not set (#639) (#653)
af6160f8 is described below

commit af6160f83af96304d99acbf53309f14f2bcd0ad4
Author: PJ Fanning <[email protected]>
AuthorDate: Sat Feb 28 21:04:16 2026 +0100

    HTTP Client: use Java Runtime default trust store if ca-path is not set 
(#639) (#653)
    
    * disable custom sslcontext if capath is empty
    
    * Update HttpContactPointBootstrap.scala
    
    * Update reference.conf
---
 .../src/main/resources/reference.conf                     |  2 ++
 .../bootstrap/internal/HttpContactPointBootstrap.scala    | 15 ++++++++++-----
 2 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/management-cluster-bootstrap/src/main/resources/reference.conf 
b/management-cluster-bootstrap/src/main/resources/reference.conf
index 0f4d7844..c0101003 100644
--- a/management-cluster-bootstrap/src/main/resources/reference.conf
+++ b/management-cluster-bootstrap/src/main/resources/reference.conf
@@ -137,6 +137,8 @@ pekko.management {
 
       http-client {
         # set this to your HTTPS certificate path if you want to setup a HTTPS 
trust store
+        # if this is left empty, the default Java Runtime trust store will be 
used
+        # pekko-management-cluster-bootstrap 1.2.0 did not default to the Java 
Runtime trust store
         ca-path = ""
         # the TLS version to use when connecting to contact points
         tls-version = "TLSv1.2"
diff --git 
a/management-cluster-bootstrap/src/main/scala/org/apache/pekko/management/cluster/bootstrap/internal/HttpContactPointBootstrap.scala
 
b/management-cluster-bootstrap/src/main/scala/org/apache/pekko/management/cluster/bootstrap/internal/HttpContactPointBootstrap.scala
index f9a2c62a..4f48f435 100644
--- 
a/management-cluster-bootstrap/src/main/scala/org/apache/pekko/management/cluster/bootstrap/internal/HttpContactPointBootstrap.scala
+++ 
b/management-cluster-bootstrap/src/main/scala/org/apache/pekko/management/cluster/bootstrap/internal/HttpContactPointBootstrap.scala
@@ -62,6 +62,7 @@ private[bootstrap] object HttpContactPointBootstrap {
 
   private case object ProbeTick extends DeadLetterSuppression
   private val ProbingTimerKey = "probing-key"
+  private val DefaultTlsVersion = "TLSv1.2" // keep in sync with default in 
reference.conf
 
   def generateSSLContext(settings: ClusterBootstrapSettings): SSLContext = {
     val factory = 
KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm)
@@ -71,7 +72,8 @@ private[bootstrap] object HttpContactPointBootstrap {
     val km: Array[KeyManager] = factory.getKeyManagers
     val caPath = settings.contactPoint.httpClient.caPath.trim
     val tm: Array[TrustManager] = if (caPath.isEmpty) {
-      Array.empty
+      // null means use the default JVM trust store, which is what we want if 
no CA path is configured
+      None.orNull
     } else {
       val certificates = PemManagersProvider.loadCertificates(caPath)
       PemManagersProvider.buildTrustManagers(certificates)
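Review bot: In the `caPath.isEmpty` branch, a `ca-path` that ends up empty or whitespace-only by accident (for example an unset substitution) now silently moves the client from a pinned CA to every CA in the JVM default trust store, and the inline comment does not spell that out. I would state the consequence, e.g. `// null => the JVM default trust managers are used (every CA in the runtime trust store), not a pinned CA`. I would also write plain `null` rather than `None.orNull`, which hides the same value behind an Option call. `generateSSLContext` starts and ends outside this hunk, so the call that receives `tm` is not visible here.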
@@ -101,8 +103,7 @@ private[bootstrap] class HttpContactPointBootstrap(
     with Timers
     with HttpBootstrapJsonProtocol {
 
-  import HttpContactPointBootstrap.ProbeTick
-  import HttpContactPointBootstrap.ProbingTimerKey
+  import HttpContactPointBootstrap._
 
   private val cluster = Cluster(context.system)
 
@@ -115,8 +116,12 @@ private[bootstrap] class HttpContactPointBootstrap(
 
   private implicit val sys: ActorSystem = context.system
 
+  private val useCustomSslContext: Boolean =
+    settings.contactPoint.httpClient.caPath.trim.nonEmpty ||
+    settings.contactPoint.httpClient.tlsVersion != DefaultTlsVersion
+
   private lazy val clientSslContext: HttpsConnectionContext =
-    
ConnectionContext.httpsClient(HttpContactPointBootstrap.generateSSLContext(settings))
+    ConnectionContext.httpsClient(generateSSLContext(settings))
 
   private val http = Http()
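Review bot: `useCustomSslContext` compares `tlsVersion` with `DefaultTlsVersion`, a hard-coded copy of the reference.conf default, so if the two ever drift the client silently switches between the custom context and the default one. The comparison is also an exact string match, so a value that differs only in case or surrounding whitespace counts as non-default. When both settings are at their defaults, the probe presumably goes out on the default HTTPS context (the else branch of `receive` is not fully visible), so the protocol version would come from JVM defaults rather than from `tls-version`. A doc comment on the val would make this explicit: `/** true when ca-path is set or tls-version differs from the reference.conf default; otherwise the default HTTPS context and JVM trust store are used */`.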
 
@@ -142,7 +147,7 @@ private[bootstrap] class HttpContactPointBootstrap(
   override def receive = {
     case ProbeTick =>
       log.debug("Probing [{}] for seed nodes...", probeRequest.uri)
-      val reply = if (probeRequest.uri.scheme == "https") {
+      val reply = if (probeRequest.uri.scheme == "https" && 
useCustomSslContext) {
         http.singleRequest(probeRequest, settings = 
connectionPoolWithoutRetries,
           connectionContext = clientSslContext)
       } else {

