[
https://issues.apache.org/jira/browse/CAMEL-23743?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Federico Mariani updated CAMEL-23743:
-------------------------------------
Affects Version/s: 4.20.0
> camel-http: expose hostnameVerificationPolicy option to allow opting into
> httpclient 5.6 handshake-time hostname verification
> -----------------------------------------------------------------------------------------------------------------------------
>
> Key: CAMEL-23743
> URL: https://issues.apache.org/jira/browse/CAMEL-23743
> Project: Camel
> Issue Type: Improvement
> Components: camel-http
> Affects Versions: 4.20.0
> Reporter: Federico Mariani
> Priority: Major
>
> Since the httpclient 5.6 upgrade, _HttpComponent.createTlsStrategy_ hardcodes
> _HostnameVerificationPolicy.CLIENT_ to preserve backward compatibility: 5.6
> defaults to _BOTH_, which runs the JDK built-in hostname check during the TLS
> handshake before the configured verifier, breaking the documented semantics
> of x509HostnameVerifier (notably the NoopHostnameVerifier idiom for
> self-signed certificates).
> *Proposed changes*:
> # Add a _hostnameVerificationPolicy_ option (_CLIENT/BUILTIN/BOTH_) on
> HttpComponent and HttpEndpoint, passed to ClientTlsStrategyBuilder.
> # Default to _CLIENT_ (current behavior, no breaking change).
> # Document the trade-off, recommending _BOTH_ where no custom verifier
> semantics are needed, and noting that under BUILTIN/BOTH a Noop verifier
> cannot disable verification.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
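As an added illustration, not code from the Camel project or from the issue, this is the httpclient 5.6 builder configuration the proposed option would map onto: the same custom verifier under CLIENT (today's Camel default) and under BOTH (JDK handshake check first, then the verifier). The builder methods `setSslContext`, `setHostnameVerificationPolicy`, `setHostnameVerifier` and `buildClassic` are assumed from httpclient 5.5+, and `allowListVerifier` is a constructed example verifier.

```java
import java.util.Set;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import org.apache.hc.client5.http.ssl.ClientTlsStrategyBuilder;
import org.apache.hc.client5.http.ssl.HostnameVerificationPolicy;
import org.apache.hc.client5.http.ssl.TlsSocketStrategy;

public final class HostnameVerificationPolicyExample {

    // Constructed example verifier: accept only an explicit set of expected
    // server names. It is deliberately stricter than the default, not looser.
    static HostnameVerifier allowListVerifier(Set<String> expected) {
        return (String hostname, SSLSession session) -> expected.contains(hostname);
    }

    // Policy CLIENT (what Camel hardcodes today): the configured verifier is the
    // only hostname check, so its semantics are honoured exactly as documented.
    static TlsSocketStrategy clientOnly(SSLContext ctx, HostnameVerifier verifier) {
        return ClientTlsStrategyBuilder.create()
                .setSslContext(ctx)
                .setHostnameVerificationPolicy(HostnameVerificationPolicy.CLIENT)
                .setHostnameVerifier(verifier)
                .buildClassic();
    }

    // Policy BOTH (httpclient 5.6 default): the JDK built-in check runs during the
    // TLS handshake before the verifier is consulted. A permissive verifier such as
    // NoopHostnameVerifier can no longer disable verification here; a custom verifier
    // can only add restrictions on top of the built-in check.
    static TlsSocketStrategy builtinThenClient(SSLContext ctx, HostnameVerifier verifier) {
        return ClientTlsStrategyBuilder.create()
                .setSslContext(ctx)
                .setHostnameVerificationPolicy(HostnameVerificationPolicy.BOTH)
                .setHostnameVerifier(verifier)
                .buildClassic();
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        HostnameVerifier verifier = allowListVerifier(Set.of("api.example.test"));
        // Either strategy is handed to the connection manager via setTlsSocketStrategy.
        TlsSocketStrategy compat = clientOnly(ctx, verifier);
        TlsSocketStrategy strict = builtinThenClient(ctx, verifier);
        System.out.println("built: " + (compat != null) + " " + (strict != null));
    }
}
```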