Federico Mariani created CAMEL-23970:
----------------------------------------
Summary: camel-openai: annotate sslEndpointAlgorithm as an
insecure-capable option per the security policy framework
Key: CAMEL-23970
URL: https://issues.apache.org/jira/browse/CAMEL-23970
Project: Camel
Issue Type: Task
Components: camel-openai
Affects Versions: 4.21.0
Reporter: Federico Mariani
Per {{design/security.adoc}}, endpoint options that can disable a security
control must carry the {{security}} attribute on {{@UriParam}} so the security
policy framework ({{camel.main.profile=prod}}) can flag or deny them. In
{{OpenAIConfiguration}}, {{sslEndpointAlgorithm}} disables TLS hostname
verification when set to empty or {{none}}
({{OpenAIEndpoint.configureSslFromProperties}} installs a trust-all
{{HostnameVerifier}} in that case), but the option carries no {{security}}
annotation — unlike the {{secret = true}} annotations already present on the
password options in the same class.
Proposal:
* add {{security = "insecure:ssl"}} to the {{sslEndpointAlgorithm}}
{{@UriParam}} (the annotation marks the option as insecure-capable; the docs
already warn about {{none}});
* while there, double-check the {{sslContextParameters}} code path:
{{configureSslFromContextParameters}} always installs a trust manager even when
the user's {{SSLContextParameters}} did not configure one (it falls back to the
JVM default — correct), but when the user's first trust manager is not an
{{X509TrustManager}} the socket factory and the trust manager handed to OkHttp
can diverge; a WARN log there would help diagnosis;
* regenerate metadata and update the component docs table.
_This issue was drafted by Claude Code on behalf of Federico Mariani_
--
This message was sent by Atlassian Jira
(v8.20.10#820010)