Hi All:

In a project where we are using the camel-netty component, our Blackduck scans reported a medium (4.7) security vulnerability against version netty-4.1.53.Final. The essence of the vulnerability seems to be that the Netty client does not verify the hostname of the server against the certificate. This is documented in the following issues under the Netty project:

https://github.com/netty/netty/issues/9930
https://github.com/netty/netty/issues/8537

Apparently the Netty devs are trying to enable hostname verification by default in Netty 5, but while using Netty 4 this has to be enabled manually by setting SSLParameters.setEndpointIdentificationAlgorithm("HTTPS") and by providing the hostname and port while creating the SSLEngine.

I looked around the Camel JSSE Util page (https://camel.apache.org/manual/latest/camel-configuration-utilities.html) and the source for SSLContextParameters and related classes. I could not find any mechanism to set the endpoint identification algorithm in SSLContextParameters in Camel so that it gets passed to the underlying Netty library as expected. A search through the Camel mailing list also did not return any hits on this topic.

Is there a way to enable hostname verification for the Netty component in Camel? Or is this a vulnerability in the camel-netty component that still needs to be addressed in this component? Attached is the Blackduck report regarding this vulnerability.

Thanks for the help.

Regards
Ravi Sunchu
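For reference, the Netty 4 client-side configuration the post describes (peer host and port passed when the SSLEngine is created, plus the "HTTPS" endpoint identification algorithm), written as an added example that is not part of the original message or of the Camel or Netty projects. The class name, the peerHost/peerPort fields and the isHostnameVerificationEnabled check are assumptions made for illustration; it uses the JDK default trust store and only the public Netty 4.1 SslContext/SslHandler API.

```java
import io.netty.buffer.ByteBufAllocator;
import io.netty.channel.ChannelInitializer;
import io.netty.channel.socket.SocketChannel;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslHandler;

import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;

/** Hypothetical client initializer whose SSLEngine checks the server certificate's hostname. */
public final class HostnameVerifyingClientInitializer extends ChannelInitializer<SocketChannel> {

    private final SslContext sslContext;
    private final String peerHost;   // hostname the server certificate must match
    private final int peerPort;

    public HostnameVerifyingClientInitializer(String peerHost, int peerPort) throws SSLException {
        // Client context backed by the JDK default trust store (no custom TrustManager).
        this.sslContext = SslContextBuilder.forClient().build();
        this.peerHost = peerHost;
        this.peerPort = peerPort;
    }

    /** Creates the engine with peer host/port, then enables HTTPS-style hostname verification. */
    public SSLEngine newVerifyingEngine(ByteBufAllocator alloc) {
        // Host and port must be supplied here; the JSSE check has nothing to match otherwise.
        SSLEngine engine = sslContext.newEngine(alloc, peerHost, peerPort);
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return engine;
    }

    /** Assumed sanity check for tests/reviews: true only if both halves of the mitigation are set. */
    public static boolean isHostnameVerificationEnabled(SSLEngine engine) {
        return "HTTPS".equals(engine.getSSLParameters().getEndpointIdentificationAlgorithm())
                && engine.getPeerHost() != null;
    }

    @Override
    protected void initChannel(SocketChannel ch) {
        SSLEngine engine = newVerifyingEngine(ch.alloc());
        if (!isHostnameVerificationEnabled(engine)) {
            throw new IllegalStateException("hostname verification not enabled on SSLEngine");
        }
        ch.pipeline().addFirst("ssl", new SslHandler(engine));
    }
}
```

With this in place a handshake against a server whose certificate does not match peerHost fails with an SSLHandshakeException instead of succeeding silently.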