Federico Mariani created CAMEL-23970:
----------------------------------------

             Summary: camel-openai: annotate sslEndpointAlgorithm as an 
insecure-capable option per the security policy framework
                 Key: CAMEL-23970
                 URL: https://issues.apache.org/jira/browse/CAMEL-23970
             Project: Camel
          Issue Type: Task
          Components: camel-openai
    Affects Versions: 4.21.0
            Reporter: Federico Mariani


Per {{design/security.adoc}}, endpoint options that can disable a security 
control must carry the {{security}} attribute on {{@UriParam}} so the security 
policy framework ({{camel.main.profile=prod}}) can flag or deny them. In 
{{OpenAIConfiguration}}, {{sslEndpointAlgorithm}} disables TLS hostname 
verification when set to empty or {{none}} 
({{OpenAIEndpoint.configureSslFromProperties}} installs a trust-all 
{{HostnameVerifier}} in that case), but the option carries no {{security}} 
annotation — unlike the {{secret = true}} annotations already present on the 
password options in the same class.

Proposal:
* add {{security = "insecure:ssl"}} to the {{sslEndpointAlgorithm}} 
{{@UriParam}} (the annotation marks the option as insecure-capable; the docs 
already warn about {{none}});
* while there, double-check the {{sslContextParameters}} code path: 
{{configureSslFromContextParameters}} always installs a trust manager even when 
the user's {{SSLContextParameters}} did not configure one (it falls back to the 
JVM default — correct), but when the user's first trust manager is not an 
{{X509TrustManager}} the socket factory and the trust manager handed to OkHttp 
can diverge; a WARN log there would help diagnosis;
* regenerate metadata and update the component docs table.

_This issue was drafted by Claude Code on behalf of Federico Mariani_



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to