Marcono1234 commented on code in PR #438:
URL: https://github.com/apache/httpcomponents-core/pull/438#discussion_r1343067206


##########
httpcore5/src/main/java/org/apache/hc/core5/ssl/TrustStrategy.java:
##########
@@ -34,6 +34,19 @@
  * configured in the actual SSL context. This interface can be used to 
override the standard
  * JSSE certificate verification process.
  *
+ * <h2>Security Warning</h2>
+ * If a trust strategy considers a certificate chain to be trusted, then the 
default trust manager
+ * will not be consulted. Trust strategy implementations must therefore 
properly check the complete
+ * certificate chain. Checking for example only the subject of a certificate 
does not protect
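Review bot: The added sentence "Trust strategy implementations must therefore properly check the complete certificate chain" does not say what a proper check is, so a reader of this Javadoc learns what not to do (the subject-only case) but not what to do instead. Name at least one acceptable check next to the counterexample, for instance comparing the certificate against a known fingerprint, and state what happens when the strategy does not consider the chain trusted, since the first sentence of the warning covers only the trusted case.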

Review Comment:
   > Could you please tone it down a little?
   
   Which part exactly?
   
   > One may want to trust that specific host but not other hosts signed by the same CA.
   
   But if you just check the subject then you don't have any guarantee that that CA issued the certificate. Unless you start doing some form of certificate chain checks or checking the fingerprint of the certificate, anyone could have issued that certificate. And you have no guarantee that you are communicating with the server you think you are communicating with.
   
   That is my understanding of this; if I am overlooking something here please feel free to correct me.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@hc.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
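
The contrast drawn in the review comment above (subject check versus fingerprint check), as an added example that is not part of the original message or of the HttpCore code base. The class names `PinningExample`, `SubjectOnlyStrategy` and `FingerprintStrategy` are hypothetical; only the `TrustStrategy` interface comes from HttpCore, and `HexFormat` assumes Java 17 or later.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.HexFormat;

import org.apache.hc.core5.ssl.TrustStrategy;

/** Hypothetical example classes; not taken from the PR under review. */
public final class PinningExample {

    /** Weak: the subject is only a field inside the certificate, set by whoever issued it. */
    static final class SubjectOnlyStrategy implements TrustStrategy {
        private final String expectedSubject;

        SubjectOnlyStrategy(String expectedSubject) { this.expectedSubject = expectedSubject; }

        @Override
        public boolean isTrusted(X509Certificate[] chain, String authType) {
            // Returning true here skips the trust manager, so no issuer or signature check runs.
            return chain != null && chain.length > 0
                && chain[0].getSubjectX500Principal().getName().equals(expectedSubject);
        }
    }

    /** Stronger: accept only the exact leaf certificate whose SHA-256 digest was pinned. */
    static final class FingerprintStrategy implements TrustStrategy {
        private final byte[] pinnedSha256;

        FingerprintStrategy(String hexSha256) { this.pinnedSha256 = HexFormat.of().parseHex(hexSha256); }

        @Override
        public boolean isTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            if (chain == null || chain.length == 0) {
                return false;
            }
            try {
                // Digest over the DER encoding of the leaf certificate.
                byte[] actual = MessageDigest.getInstance("SHA-256").digest(chain[0].getEncoded());
                // false does not reject the chain: it hands the decision to the trust manager.
                return MessageDigest.isEqual(pinnedSha256, actual);
            } catch (NoSuchAlgorithmException e) {
                throw new CertificateException(e);
            }
        }
    }
}
```

Because a `false` result falls through to the trust manager configured in the SSL context, a certificate that misses the pin is still accepted if that trust manager accepts it; restricting a connection to the pinned certificate alone also requires a trust store that does not trust other issuers.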

