ok2c commented on code in PR #438: URL: https://github.com/apache/httpcomponents-core/pull/438#discussion_r1342546547
########## httpcore5/src/main/java/org/apache/hc/core5/ssl/TrustStrategy.java: ########## @@ -34,6 +34,19 @@ * configured in the actual SSL context. This interface can be used to override the standard * JSSE certificate verification process. * + * <h2>Security Warning</h2> + * If a trust strategy considers a certificate chain to be trusted, then the default trust manager + * will not be consulted. Trust strategy implementations must therefore properly check the complete + * certificate chain. Checking for example only the subject of a certificate does not protect Review Comment: @Marcono1234 Could you please tone it down a little? There are plenty of situations in the real world settings where one _must_ integrate with an external server, whose CA is not trusted. One may want to trust that specific host but not other hosts signed by the same CA. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@hc.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@hc.apache.org For additional commands, e-mail: dev-h...@hc.apache.org
