hc-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HTTPCLIENT-1752) Allow to configure the OSGI clients with relaxed SSL checks
Date Sun, 24 Jul 2016 21:19:20 GMT

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1752?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15391177#comment-15391177
] 

ASF GitHub Bot commented on HTTPCLIENT-1752:
--------------------------------------------

Github user tmaret commented on the issue:

    https://github.com/apache/httpclient/pull/56
  
    bq. Allows the new HTTP Client instance to blindly trust all SSL self-signed certificates.
Pay attention on no enabling this feature in production environment as it is totally insecure!
    
    In order to avoid production environments to use this insecure configuration, how about
splitting the code in two bundles ? 
    The base bundle `httpclient5-osgi` would feature an extension mechanism that allow to
plug a new bundle containing the insecure code and configuration.


> Allow to configure the OSGI clients with relaxed SSL checks
> -----------------------------------------------------------
>
>                 Key: HTTPCLIENT-1752
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1752
>             Project: HttpComponents HttpClient
>          Issue Type: New Feature
>          Components: HttpClient
>    Affects Versions: 4.5.2
>            Reporter: Timothee Maret
>            Assignee: Simone Tripodi
>             Fix For: Future
>
>         Attachments: HTTPCLIENT-1752_initial.patch
>
>
> In deployments other than production (e.g. dev, qa, integration testing, etc.) it is
often useful to deploy self-signed certificates instead of certificates signed by a trusted
CA for cost and simplicity reasons.
> By default, the http client does not validate a self signed certificate because it is
not signed by a trusted CA root. 
> One way to have the http client to validate the self signed certificate is to add the
self-signed certificate (or the detached CA root that signed it) in the java trustore.
> This operation is a configuration only change (no need to change code) however it typically
requires accessing the FS and the scope of trust can't be easily modified at runtime.
> Another way to have the http client to validate the self signed certificate is to use
the TrustSelfSignedStrategy [0] strategy when building the http client.
> This requires modifying the code.
> In order to use the second approach without modifying code, it would be interesting to
allow configuring a set of URIs for which the relaxed SSL mode should be used.
> The configuration could be implemented similarly to the implementation of the central
prox configuration (OSGI) in HTTPCLIENT-1238. In addition to allowing sel-signed certificates,
the configuration could as well allow to skip FQDN check using the NoopHostnameVerifier [1].
> Of course, this feature *must not* be deployed in production environment as it is totally
insecure.
> [0] https://hc.apache.org/httpcomponents-client-ga/httpclient/apidocs/org/apache/http/conn/ssl/TrustSelfSignedStrategy.html
> [1] https://hc.apache.org/httpcomponents-client-ga/httpclient/apidocs/org/apache/http/conn/ssl/NoopHostnameVerifier.html



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org


Mime
View raw message