[
https://issues.apache.org/jira/browse/JCR-4536?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17151206#comment-17151206
]
Konrad Windszus edited comment on JCR-4536 at 7/4/20, 7:24 AM:
---------------------------------------------------------------
bq. At the end of the day, this needs to be triggered somewhere by config (or
am I wrong here?). Once it is turned off, the user will have an insecure client
and might not know it.
Yes, but this is the responsibility of the downstream consumer (e.g.
https://github.com/apache/jackrabbit-filevault/blob/917660d0076b8be0a11b4f226dde798842128646/vault-rcp/src/main/java/org/apache/jackrabbit/vault/rcp/impl/RcpTaskImpl.java#L229).
I cannot think of any parametrisation which would be better from a security
perspective. Please make a concrete suggestion for how you think this should happen.
was (Author: kwin):
bq. At the end of the day, this needs to be triggered somewhere by config (or
am I wrong here?). Once it is turned off, the user will have an insecure client
and might not know it.
Yes, but this is the responsibility of the downstream consumer. I cannot think of
any parametrisation which would be better from a security perspective. Please
make a concrete suggestion for how you think this should happen.
> Feature/enable insecure https host
> ----------------------------------
>
> Key: JCR-4536
> URL: https://issues.apache.org/jira/browse/JCR-4536
> Project: Jackrabbit Content Repository
> Issue Type: Improvement
> Components: jackrabbit-spi2dav
> Reporter: Max Barrass
> Assignee: Konrad Windszus
> Priority: Major
>
> Adding support for an insecure parameter to allow access to HTTPS with invalid
> certs.
> Enabling optional support for expired SSL certs when using HTTPS on a
> development server with self-generated certificates.
> Pull request already created and ready for review:
> [https://github.com/apache/jackrabbit/pull/88]