You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@hc.apache.org by "Timothee Maret (JIRA)" <ji...@apache.org> on 2016/06/23 11:38:16 UTC
[jira] [Commented] (HTTPCLIENT-1752) Allow to configure the OSGI
clients with relaxed SSL checks
[ https://issues.apache.org/jira/browse/HTTPCLIENT-1752?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15346296#comment-15346296 ]
Timothee Maret commented on HTTPCLIENT-1752:
--------------------------------------------
Thanks [~olegk], I was not aware of the Custom SSL connection factory.
It seems to allow binding a specific SSL connection per endpoint which is the required basis for implementing the relaxed SSL handling use case, configurable per endpoint. An implementation could thus be made per project using the HttpClient library.
Providing the OSGI configuration for this would allow to hide the complexity and unify the setup across instances.
The patch for this would likely cover the {{httpclient-osgi}} bundle which I believe was contributed by [~simone.tripodi].
> Allow to configure the OSGI clients with relaxed SSL checks
> -----------------------------------------------------------
>
> Key: HTTPCLIENT-1752
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1752
> Project: HttpComponents HttpClient
> Issue Type: New Feature
> Components: HttpClient
> Affects Versions: 4.5.2
> Reporter: Timothee Maret
> Fix For: Future
>
>
> In deployments other than production (e.g. dev, qa, integration testing, etc.) it is often useful to deploy self-signed certificates instead of certificates signed by a trusted CA for cost and simplicity reasons.
> By default, the http client does not validate a self signed certificate because it is not signed by a trusted CA root.
> One way to have the http client to validate the self signed certificate is to add the self-signed certificate (or the detached CA root that signed it) in the java trustore.
> This operation is a configuration only change (no need to change code) however it typically requires accessing the FS and the scope of trust can't be easily modified at runtime.
> Another way to have the http client to validate the self signed certificate is to use the TrustSelfSignedStrategy [0] strategy when building the http client.
> This requires modifying the code.
> In order to use the second approach without modifying code, it would be interesting to allow configuring a set of URIs for which the relaxed SSL mode should be used.
> The configuration could be implemented similarly to the implementation of the central prox configuration (OSGI) in HTTPCLIENT-1238. In addition to allowing sel-signed certificates, the configuration could as well allow to skip FQDN check using the NoopHostnameVerifier [1].
> Of course, this feature *must not* be deployed in production environment as it is totally insecure.
> [0] https://hc.apache.org/httpcomponents-client-ga/httpclient/apidocs/org/apache/http/conn/ssl/TrustSelfSignedStrategy.html
> [1] https://hc.apache.org/httpcomponents-client-ga/httpclient/apidocs/org/apache/http/conn/ssl/NoopHostnameVerifier.html
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org