Marcono1234 commented on code in PR #492:
URL:
https://github.com/apache/httpcomponents-client/pull/492#discussion_r1349569204
##########
httpclient5/src/test/java/org/apache/hc/client5/http/examples/AsyncClientCustomSSL.java:
##########
@@ -59,6 +59,11 @@ public class AsyncClientCustomSSL {
public static void main(final String[] args) throws Exception {
// Trust standard CA and those trusted by our custom strategy
final SSLContext sslContext = SSLContexts.custom()
+ // Specify a custom TrustStrategy
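Review bot: the added `// Specify a custom TrustStrategy` line under `SSLContexts.custom()` says what the following call is but not what it means for trust decisions, and it does not say how it relates to the existing "Trust standard CA and those trusted by our custom strategy" comment just above it. Because this file sits under `examples/` and is likely to be copied, the comment should state when a custom strategy is appropriate and what it does to server authentication, or the two comments should be merged into one that covers both.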
Review Comment:
I think it would still be good to let the comment start with "Specify a
custom TrustStrategy" as introduction (followed by your suggestion) to explain
that this defines a TrustStrategy. Otherwise, due to usage of the lambda
expression, this might not be immediately obvious.
----
> for verification of certificates whose CA is either non-trusted or is not
> present in the trust stores used by the system
Could this be reworded to something like this to point out using a custom
truststore as alternative?
> for verification of certificates whose CA is not trusted by the system,
> and where specifying a custom truststore containing the certificate chain is
> not an option.
----
So would the following comment content be ok for you (though it is a bit
verbose)?
> Specify a custom TrustStrategy
>
> Custom TrustStrategy implementations are intended for verification of
> certificates whose CA is not trusted by the system, and where specifying a
> custom truststore containing the certificate chain is not an option.
>
> Validation of the server certificate without validation of the entire
> certificate chain is preferred to completely disabling trust verification,
> however this \*still allows man-in-the-middle attacks\*.
----
Also, should this use line comments (`//`) or would you prefer to have this
in a single block comment (`/* ... */`)?
To me the wording you proposed sounds fine, but I am not a native English
speaker.