I asked for a dev ML discussion for this. I will share why I favor changing the default to HostnameVerificationPolicy.BOTH in the next 1.11 release.
* In the production environment, people should use the hostname matching the SAN attribute in the certificate. The hostname could be a DNS name, an IP address, or both. The certificate must be generated with the proper Subject Alternative Name (SAN) matching its intended use. While this is a slight behavior change for the 1.11 release, the practical impact should be very small since production deployments probably use a DNS name anyway. * For the unit test, Alex's PR #15598 provides the customization to allow using the loopback IP address (127.0.0.1) with noop hostname verification. BTW, this is the last blocking PR for version 1.11.0 release. It will be great to reach a consensus soon. https://github.com/apache/iceberg/milestone/59 On Fri, Mar 20, 2026 at 11:43 AM Alexandre Dutra <[email protected]> wrote: > Hi all, > > Last week I opened an issue to report what I believe is a regression > in the HTTPClient when using TLS: > > https://github.com/apache/iceberg/issues/15598 > > I also opened a PR to fix it: > > https://github.com/apache/iceberg/pull/15500 > > The fix is basically to expose the HostnameVerificationPolicy in the > TLSConfigurer, and I think there is consensus on that. > > However I would like to have the community's opinion about the default > value we should use for the HostnameVerificationPolicy. > > We can either go with: > > - CLIENT, which reproduces the current behavior in 1.10 but is less safe; > or > - BOTH, which introduces a behavioral change, but is the safest option. > > What do you think? > > Thanks, > Alex >
