[
https://issues.apache.org/jira/browse/CAMEL-23785?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Claus Ibsen updated CAMEL-23785:
--------------------------------
Fix Version/s: 4.21.0
> camel-http: mark x509HostnameVerifier with security="insecure:ssl"
> ------------------------------------------------------------------
>
> Key: CAMEL-23785
> URL: https://issues.apache.org/jira/browse/CAMEL-23785
> Project: Camel
> Issue Type: Improvement
> Components: camel-http
> Reporter: Andrea Cosentino
> Assignee: Andrea Cosentino
> Priority: Minor
> Fix For: 4.21.0
>
>
> h3. Problem
> The {{x509HostnameVerifier}} option on camel-http accepts a
> NoopHostnameVerifier, which disables hostname verification. The adjacent
> {{hostnameVerificationPolicy}} was recently hardened, but
> x509HostnameVerifier itself is not annotated with the {{security =
> "insecure:ssl"}} marker used elsewhere for TLS-weakening options, so the
> security tooling profile cannot flag insecure usage.
> h3. Evidence
> *
> components/camel-http/src/main/java/org/apache/camel/component/http/HttpEndpoint.java:154
> (x509HostnameVerifier @UriParam, label security)
> h3. Suggested fix
> Add security = "insecure:ssl" to the @UriParam on x509HostnameVerifier;
> regenerate metadata/catalog/endpoint-dsl.
> h3. Acceptance criteria
> * x509HostnameVerifier @UriParam carries security = "insecure:ssl"
> * Generated component JSON, catalog and endpoint-dsl are regenerated and
> committed
> * No functional change to the option
> _Created by Claude Code on behalf of Andrea Cosentino._
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
