[
https://issues.apache.org/jira/browse/CAMEL-23743?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18088492#comment-18088492
]
Raj Kumar Pamu edited comment on CAMEL-23743 at 6/12/26 10:23 AM:
------------------------------------------------------------------
Hi Andrea, thanks for the clarification! I went ahead and implemented the fix
as proposed — added a hostnameVerificationPolicy option (CLIENT/BUILTIN/BOTH)
to HttpComponent and HttpEndpoint, defaulting to CLIENT to preserve backward
compatibility. PR here: https://github.com/apache/camel/pull/23987
> camel-http: expose hostnameVerificationPolicy option to allow opting into
> httpclient 5.6 handshake-time hostname verification
> -----------------------------------------------------------------------------------------------------------------------------
>
> Key: CAMEL-23743
> URL: https://issues.apache.org/jira/browse/CAMEL-23743
> Project: Camel
> Issue Type: Improvement
> Components: camel-http
> Reporter: Federico Mariani
> Priority: Major
>
> Since the httpclient 5.6 upgrade, _HttpComponent.createTlsStrategy_ hardcodes
> _HostnameVerificationPolicy.CLIENT_ to preserve backward compatibility: 5.6
> defaults to _BOTH_, which runs the JDK built-in hostname check during the TLS
> handshake before the configured verifier, breaking the documented semantics
> of x509HostnameVerifier (notably the NoopHostnameVerifier idiom for
> self-signed certificates).
> *Proposed changes*:
> # Add a _hostnameVerificationPolicy_ option (_CLIENT/BUILTIN/BOTH_) on
> HttpComponent and HttpEndpoint, passed to ClientTlsStrategyBuilder.
> # Default to _CLIENT_ (current behavior, no breaking change).
> # Document the trade-off, recommending _BOTH_ where no custom verifier
> semantics are needed, and noting that under BUILTIN/BOTH a Noop verifier
> cannot disable verification.
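The policy semantics described in the issue above, as an added example that is not part of the Jira thread and is not Camel or httpclient code: a simplified Python model of which hostname check runs under each policy and at which stage a mismatched certificate is rejected. The names Policy, san_matches, connect, matrix and the sample host and certificate names are constructed for illustration; certificate chain trust is out of scope, and BUILTIN is assumed to skip the configured verifier entirely.

```python
from enum import Enum

class Policy(Enum):  # mirrors the three option values named in the issue
    CLIENT = "CLIENT"
    BUILTIN = "BUILTIN"
    BOTH = "BOTH"

def san_matches(host, sans):
    """Simplified DNS-name match: exact, or a single left-most '*' label."""
    want = host.lower().rstrip(".").split(".")
    for san in sans:
        have = san.lower().rstrip(".").split(".")
        if len(have) != len(want):
            continue
        if have[0] == "*" and len(have) > 2:
            if have[1:] == want[1:]:
                return True
        elif have == want:
            return True
    return False

def strict_verifier(host, sans):
    return san_matches(host, sans)

def noop_verifier(host, sans):
    # Stand-in for the NoopHostnameVerifier idiom: accepts everything.
    return True

def connect(policy, verifier, host, cert_sans):
    """Return (accepted, stage) for one simulated connection."""
    # Built-in check: runs during the handshake, before any configured verifier.
    if policy in (Policy.BUILTIN, Policy.BOTH) and not san_matches(host, cert_sans):
        return (False, "handshake")
    # Configured verifier: consulted only under CLIENT and BOTH (assumed for BUILTIN).
    if policy in (Policy.CLIENT, Policy.BOTH) and not verifier(host, cert_sans):
        return (False, "verifier")
    return (True, "established")

# Constructed sample: a self-signed certificate issued for a different name.
SAMPLE_HOST = "internal.example.test"
SAMPLE_SANS = ["localhost"]

def matrix(host=SAMPLE_HOST, sans=SAMPLE_SANS):
    return {(p.name, v.__name__): connect(p, v, host, sans)
            for p in Policy for v in (strict_verifier, noop_verifier)}

if __name__ == "__main__":
    for combo, outcome in matrix().items():
        print(combo, outcome)
```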