Re: [PR] Add security warning to TrustStrategy documentation [httpcomponents-core]

Mon, 02 Oct 2023 04:04:04 -0700 


ok2c commented on code in PR #438:
URL: 
https://github.com/apache/httpcomponents-core/pull/438#discussion_r1342546547


##########
httpcore5/src/main/java/org/apache/hc/core5/ssl/TrustStrategy.java:
##########
@@ -34,6 +34,19 @@
  * configured in the actual SSL context. This interface can be used to 
override the standard
  * JSSE certificate verification process.
  *
+ * <h2>Security Warning</h2>
+ * If a trust strategy considers a certificate chain to be trusted, then the 
default trust manager
+ * will not be consulted. Trust strategy implementations must therefore 
properly check the complete
+ * certificate chain. Checking for example only the subject of a certificate 
does not protect

Review Comment:
   @Marcono1234 Could you please tone it down a little? There are plenty of 
situations in the real world settings where one _must_ integrate with an 
external server, whose CA is not trusted. One may want is to trust that 
specific host but not other hosts signed by the same CA.  



##########
httpcore5/src/main/java/org/apache/hc/core5/ssl/TrustStrategy.java:
##########
@@ -34,6 +34,19 @@
  * configured in the actual SSL context. This interface can be used to 
override the standard
  * JSSE certificate verification process.
  *
+ * <h2>Security Warning</h2>
+ * If a trust strategy considers a certificate chain to be trusted, then the 
default trust manager
+ * will not be consulted. Trust strategy implementations must therefore 
properly check the complete
+ * certificate chain. Checking for example only the subject of a certificate 
does not protect
+ * against man-in-the-middle attacks. For self-signed certificates prefer 
specifying a keystore
+ * containing the certificate chain when calling the {@link SSLContextBuilder} 
{@code loadTrustMaterial}
+ * methods instead of implementing a custom trust strategy.
+ *
+ * <p>A trust strategy cannot be used for certificate pinning. When {@code 
isTrusted} returns

Review Comment:
   A trust strategy **_alone_** cannot be used for certificate pinning.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@hc.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@hc.apache.org
For additional commands, e-mail: dev-h...@hc.apache.org

Reply via email to