This is an automated email from the ASF dual-hosted git repository.

fanningpj pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/pekko-management.git


The following commit(s) were added to refs/heads/main by this push:
     new 11e6969b HTTP Client: use Java Runtime default trust store if ca-path 
is not set (#639)
11e6969b is described below

commit 11e6969b3c5f462184cc3ea290e3ae37660d7ed7
Author: PJ Fanning <[email protected]>
AuthorDate: Thu Feb 26 16:09:55 2026 +0100

    HTTP Client: use Java Runtime default trust store if ca-path is not set 
(#639)
    
    * disable custom sslcontext if capath is empty
    
    * Update HttpContactPointBootstrap.scala
    
    * Update reference.conf
---
 .../src/main/resources/reference.conf                     |  2 ++
 .../bootstrap/internal/HttpContactPointBootstrap.scala    | 15 ++++++++++-----
 2 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/management-cluster-bootstrap/src/main/resources/reference.conf 
b/management-cluster-bootstrap/src/main/resources/reference.conf
index 0f4d7844..c0101003 100644
--- a/management-cluster-bootstrap/src/main/resources/reference.conf
+++ b/management-cluster-bootstrap/src/main/resources/reference.conf
@@ -137,6 +137,8 @@ pekko.management {
 
       http-client {
         # set this to your HTTPS certificate path if you want to setup a HTTPS 
trust store
+        # if this is left empty, the default Java Runtime trust store will be 
used
+        # pekko-management-cluster-bootstrap 1.2.0 did not default to the Java 
Runtime trust store
         ca-path = ""
         # the TLS version to use when connecting to contact points
         tls-version = "TLSv1.2"
diff --git 
a/management-cluster-bootstrap/src/main/scala/org/apache/pekko/management/cluster/bootstrap/internal/HttpContactPointBootstrap.scala
 
b/management-cluster-bootstrap/src/main/scala/org/apache/pekko/management/cluster/bootstrap/internal/HttpContactPointBootstrap.scala
index 4a54ca68..85d483ab 100644
--- 
a/management-cluster-bootstrap/src/main/scala/org/apache/pekko/management/cluster/bootstrap/internal/HttpContactPointBootstrap.scala
+++ 
b/management-cluster-bootstrap/src/main/scala/org/apache/pekko/management/cluster/bootstrap/internal/HttpContactPointBootstrap.scala
@@ -65,6 +65,7 @@ private[bootstrap] object HttpContactPointBootstrap {
 
   private case object ProbeTick extends DeadLetterSuppression
   private val ProbingTimerKey = "probing-key"
+  private val DefaultTlsVersion = "TLSv1.2" // keep in sync with default in 
reference.conf
 
   def generateSSLContext(settings: ClusterBootstrapSettings): SSLContext = {
     val factory = 
KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm)
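Review bot: `DefaultTlsVersion` repeats the `tls-version` default from reference.conf as a string literal, and only the trailing comment keeps the two aligned. A later hunk in this file compares the configured value against this constant to decide whether the custom SSLContext is used, so if the two drift, every default-configured deployment would silently switch code paths. A unit test asserting that the `tlsVersion` loaded from the reference configuration equals this constant would catch that. The comment could also say what the constant is for, e.g. `// must equal the http-client tls-version default in reference.conf; a different value forces the custom SSLContext`.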
@@ -74,7 +75,8 @@ private[bootstrap] object HttpContactPointBootstrap {
     val km: Array[KeyManager] = factory.getKeyManagers
     val caPath = settings.contactPoint.httpClient.caPath.trim
     val tm: Array[TrustManager] = if (caPath.isEmpty) {
-      Array.empty
+      // null means use the default JVM trust store, which is what we want if 
no CA path is configured
+      None.orNull
     } else {
       val certificates = PemManagersProvider.loadCertificates(caPath)
       PemManagersProvider.buildTrustManagers(certificates)
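Review bot: `None.orNull` in the empty-`caPath` branch is an indirect spelling of `null` and hides that `tm` is deliberately a null `Array[TrustManager]`; a plain `null` under the existing comment is clearer. The comment should also state the trust consequence: with no `ca-path`, contact points are verified against whatever CAs the JVM default trust store holds, so deployments that rely on a private CA still need to set `ca-path`. The `SSLContext.init` call that consumes `tm` is outside this hunk, so I am assuming `tm` is passed to it unchanged.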
@@ -104,8 +106,7 @@ private[bootstrap] class HttpContactPointBootstrap(
     with Timers
     with HttpBootstrapJsonProtocol {
 
-  import HttpContactPointBootstrap.ProbeTick
-  import HttpContactPointBootstrap.ProbingTimerKey
+  import HttpContactPointBootstrap._
 
   private val cluster = Cluster(context.system)
 
@@ -118,8 +119,12 @@ private[bootstrap] class HttpContactPointBootstrap(
 
   private implicit val sys: ActorSystem = context.system
 
+  private val useCustomSslContext: Boolean =
+    settings.contactPoint.httpClient.caPath.trim.nonEmpty ||
+    settings.contactPoint.httpClient.tlsVersion != DefaultTlsVersion
+
   private lazy val clientSslContext: HttpsConnectionContext =
-    
ConnectionContext.httpsClient(HttpContactPointBootstrap.generateSSLContext(settings))
+    ConnectionContext.httpsClient(generateSSLContext(settings))
 
   private val http = Http()
 
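Review bot: `useCustomSslContext` has no comment explaining why the default configuration bypasses `clientSslContext`. It also repeats the `caPath.trim` emptiness test that `generateSSLContext` already performs, so the two checks can drift apart. I would add `// a custom SSLContext is only needed when a CA file or a non-default TLS version is configured` above the val. Note that `tlsVersion` is compared untrimmed while `caPath` is trimmed, so a value with stray whitespace would count as non-default.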
@@ -145,7 +150,7 @@ private[bootstrap] class HttpContactPointBootstrap(
   override def receive = {
     case ProbeTick =>
       log.debug("Probing [{}] for seed nodes...", probeRequest.uri)
-      val reply = if (probeRequest.uri.scheme == "https") {
+      val reply = if (probeRequest.uri.scheme == "https" && 
useCustomSslContext) {
         http.singleRequest(probeRequest, settings = 
connectionPoolWithoutRetries,
           connectionContext = clientSslContext)
       } else {
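Review bot: With `&& useCustomSslContext` added, an `https` probe under default settings now takes the `else` branch, whose body lies outside this hunk. That branch therefore carries TLS traffic as well as plain `http`, presumably through the default client HTTPS context. It is worth confirming that it passes the same `connectionPoolWithoutRetries` settings, and adding a comment on the branch such as `// plain http, or https verified against the JVM default trust store`.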

