[
https://issues.apache.org/jira/browse/HTTPCLIENT-1752?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15391860#comment-15391860
]
ASF GitHub Bot commented on HTTPCLIENT-1752:
--------------------------------------------
Github user simonetripodi commented on a diff in the pull request:
https://github.com/apache/httpclient/pull/56#discussion_r72060532
--- Diff:
httpclient5-osgi/src/main/java/org/apache/hc/client5/http/osgi/impl/RelaxedLayeredConnectionSocketFactory.java
---
@@ -0,0 +1,101 @@
+/*
+ * ====================================================================
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ * ====================================================================
+ *
+ * This software consists of voluntary contributions made by many
+ * individuals on behalf of the Apache Software Foundation. For more
+ * information on the Apache Software Foundation, please see
+ * <http://www.apache.org/>.
+ *
+ */
+package org.apache.hc.client5.http.osgi.impl;
+
+import static
org.apache.hc.client5.http.osgi.impl.HostMatcher.HostMatcherFactory.createMatcher;
+import static
org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory.getSocketFactory;
+
+import java.io.IOException;
+import java.net.InetSocketAddress;
+import java.net.Socket;
+
+import org.apache.hc.client5.http.osgi.services.TrustedHostsConfiguration;
+import org.apache.hc.client5.http.socket.LayeredConnectionSocketFactory;
+import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory;
+import org.apache.hc.core5.http.HttpHost;
+import org.apache.hc.core5.http.protocol.HttpContext;
+import org.osgi.framework.BundleContext;
+import org.osgi.framework.ServiceRegistration;
+
+final class RelaxedLayeredConnectionSocketFactory implements
LayeredConnectionSocketFactory {
+
+ private final SSLConnectionSocketFactory defaultSocketFactory =
getSocketFactory();
--- End diff --
@ok2c I just implemented the required behaviour in my last commit, tests
are up and running - any feedback would be more than appreciated, thanks in
advance!
> Allow to configure the OSGI clients with relaxed SSL checks
> -----------------------------------------------------------
>
> Key: HTTPCLIENT-1752
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1752
> Project: HttpComponents HttpClient
> Issue Type: New Feature
> Components: HttpClient
> Affects Versions: 4.5.2
> Reporter: Timothee Maret
> Assignee: Simone Tripodi
> Fix For: Future
>
> Attachments: HTTPCLIENT-1752_initial.patch
>
>
> In deployments other than production (e.g. dev, qa, integration testing,
> etc.) it is often useful to deploy self-signed certificates instead of
> certificates signed by a trusted CA for cost and simplicity reasons.
> By default, the http client does not validate a self signed certificate
> because it is not signed by a trusted CA root.
> One way to have the http client to validate the self signed certificate is to
> add the self-signed certificate (or the detached CA root that signed it) in
> the java trustore.
> This operation is a configuration only change (no need to change code)
> however it typically requires accessing the FS and the scope of trust can't
> be easily modified at runtime.
> Another way to have the http client to validate the self signed certificate
> is to use the TrustSelfSignedStrategy [0] strategy when building the http
> client.
> This requires modifying the code.
> In order to use the second approach without modifying code, it would be
> interesting to allow configuring a set of URIs for which the relaxed SSL mode
> should be used.
> The configuration could be implemented similarly to the implementation of the
> central prox configuration (OSGI) in HTTPCLIENT-1238. In addition to allowing
> sel-signed certificates, the configuration could as well allow to skip FQDN
> check using the NoopHostnameVerifier [1].
> Of course, this feature *must not* be deployed in production environment as
> it is totally insecure.
> [0]
> https://hc.apache.org/httpcomponents-client-ga/httpclient/apidocs/org/apache/http/conn/ssl/TrustSelfSignedStrategy.html
> [1]
> https://hc.apache.org/httpcomponents-client-ga/httpclient/apidocs/org/apache/http/conn/ssl/NoopHostnameVerifier.html
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
