Federico Mariani created CAMEL-23743:
----------------------------------------
Summary: camel-http: expose hostnameVerificationPolicy option to
allow opting into httpclient 5.6 handshake-time hostname verification
Key: CAMEL-23743
URL: https://issues.apache.org/jira/browse/CAMEL-23743
Project: Camel
Issue Type: Improvement
Components: camel-http
Reporter: Federico Mariani
Since the httpclient 5.6 upgrade, _HttpComponent.createTlsStrategy_ hardcodes
_HostnameVerificationPolicy.CLIENT_ to preserve backward compatibility: 5.6
defaults to _BOTH_, which runs the JDK built-in hostname check during the TLS
handshake before the configured verifier, breaking the documented semantics of
x509HostnameVerifier (notably the NoopHostnameVerifier idiom for self-signed
certificates).
*Proposed changes*:
# Add a _hostnameVerificationPolicy_ option (_CLIENT/BUILTIN/BOTH_) on
HttpComponent and HttpEndpoint, passed to ClientTlsStrategyBuilder.
# Default to _CLIENT_ (current behavior, no breaking change).
# Document the trade-off, recommending _BOTH_ where no custom verifier
semantics are needed, and noting that under BUILTIN/BOTH a Noop verifier cannot
disable verification.
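As an added sketch (not Camel's code and not the implementation this issue proposes), the following shows how a factory like the one in HttpComponent.createTlsStrategy could pass the proposed option to ClientTlsStrategyBuilder instead of hardcoding CLIENT. The class name TlsStrategyFactory and the parameter names are hypothetical, and the builder method setHostnameVerificationPolicy is assumed to exist in httpclient 5.4+ (the page only names the builder and the HostnameVerificationPolicy enum).

```java
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;

import org.apache.hc.client5.http.ssl.ClientTlsStrategyBuilder;
import org.apache.hc.client5.http.ssl.HostnameVerificationPolicy;
import org.apache.hc.client5.http.ssl.HttpsSupport;
import org.apache.hc.client5.http.ssl.NoopHostnameVerifier;
import org.apache.hc.core5.http.nio.ssl.TlsStrategy;

/**
 * Hypothetical factory illustrating the proposed hostnameVerificationPolicy
 * option. It is not camel-http's createTlsStrategy, only a sketch of the wiring.
 */
public final class TlsStrategyFactory {

    private TlsStrategyFactory() {
    }

    /**
     * @param sslContext           SSLContext built from the endpoint's SSL configuration
     * @param x509HostnameVerifier the existing camel-http verifier option (may be null)
     * @param policy               the proposed option; CLIENT reproduces today's behaviour
     */
    public static TlsStrategy create(SSLContext sslContext,
                                     HostnameVerifier x509HostnameVerifier,
                                     HostnameVerificationPolicy policy) {
        // Fall back to httpclient's default verifier when the user configured none.
        HostnameVerifier verifier = x509HostnameVerifier != null
                ? x509HostnameVerifier
                : HttpsSupport.getDefaultHostnameVerifier();

        // Assumption: setHostnameVerificationPolicy is the builder method that
        // selects CLIENT, BUILTIN or BOTH (the issue text names the builder and
        // the enum but not the setter).
        return ClientTlsStrategyBuilder.create()
                .setSslContext(sslContext)
                .setHostnameVerifier(verifier)
                .setHostnameVerificationPolicy(policy)
                .build();
    }

    /** Shows how the three policies interact with the NoopHostnameVerifier idiom. */
    public static void demo(SSLContext sslContext) {
        // Today's behaviour (hardcoded CLIENT): only the configured verifier runs,
        // so a Noop verifier effectively disables hostname verification.
        TlsStrategy legacy = create(sslContext, NoopHostnameVerifier.INSTANCE,
                HostnameVerificationPolicy.CLIENT);

        // With BOTH (httpclient 5.6 default) the JDK built-in check runs during
        // the handshake before the verifier, so Noop no longer disables anything.
        TlsStrategy strict = create(sslContext, NoopHostnameVerifier.INSTANCE,
                HostnameVerificationPolicy.BOTH);

        // Recommended where no custom verifier semantics are needed: BOTH with the
        // default verifier gives handshake-time checking plus the client check.
        TlsStrategy recommended = create(sslContext, null,
                HostnameVerificationPolicy.BOTH);
    }
}
```

The defaulting to CLIENT when the option is absent is what keeps the change non-breaking; callers that want handshake-time verification opt into BOTH explicitly, and the documentation point in step 3 follows directly from the `strict` case above, where the Noop verifier is still configured but can no longer suppress the built-in check.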
--
This message was sent by Atlassian Jira
(v8.20.10#820010)