ok2c commented on code in PR #438: URL: https://github.com/apache/httpcomponents-core/pull/438#discussion_r1343130372
########## httpcore5/src/main/java/org/apache/hc/core5/ssl/TrustStrategy.java: ########## @@ -34,6 +34,19 @@ * configured in the actual SSL context. This interface can be used to override the standard * JSSE certificate verification process. * + * <h2>Security Warning</h2> + * If a trust strategy considers a certificate chain to be trusted, then the default trust manager + * will not be consulted. Trust strategy implementations must therefore properly check the complete + * certificate chain. Checking for example only the subject of a certificate does not protect Review Comment: > Which part exactly? "Trust strategy implementations must therefore properly check the complete certificate chain". No, It must not. Please tone it done a bit. One may not trust the CA of the target server or even care what CA has been chosen to sign the cert but still may want to perform some sanity checks such as the target host name matching the CN or SAN of the host certificate. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@hc.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@hc.apache.org For additional commands, e-mail: dev-h...@hc.apache.org
