[ 
https://issues.apache.org/jira/browse/HTTPCLIENT-2397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18020658#comment-18020658
 ] 

Oleg Kalnichevski commented on HTTPCLIENT-2397:
-----------------------------------------------

> As a library user I don't care about how old an API is, but I do care about 
> changing API behavior, especially when the subject of cybersecurity is 
> touched.

[~winfriedgerlach] Oh, I can easily do likewise. I do not care what you think 
gets touched or what is considered acceptable by some security experts in some 
industries. The HC security model is stated here 
[https://hc.apache.org/security.html]. We _do not_ provide any security 
guarantees beyond the requirements of the HTTP protocol as formulated by the 
RFC documents HC conforms to. Whatever extra security restrictions a specific 
application may need to impose are the sole responsibility of _the user_ of the HC 
libraries.

Oleg

> Feature Request: TLS-only connections
> -------------------------------------
>
>                 Key: HTTPCLIENT-2397
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-2397
>             Project: HttpComponents HttpClient
>          Issue Type: New Feature
>            Reporter: Winfried Gerlach
>            Priority: Major
>
> Cybersecurity requirements become stricter every day - in many industries 
> (automotive, aerospace, medical,...) plain, unencrypted HTTP connections are 
> unacceptable. Yet HttpClient currently does not have a configuration option 
> that reliably prevents users of the library from (accidentally) creating 
> plain HTTP connections.
> While not being a clean and fully reliable solution, all HttpClient versions 
> up to 5.3.1 could at least prevent executing requests with "http://" scheme 
> by only registering an HTTPS ConnectionSocketFactory. When trying to access an 
> HTTP resource, this would then lead to an {{UnsupportedSchemeException}} 
> ("http protocol is not supported"):
> [httpcomponents-client/httpclient5/src/main/java/org/apache/hc/client5/http/impl/io/DefaultHttpClientConnectionOperator.java at rel/v5.3.1 · apache/httpcomponents-client|https://github.com/apache/httpcomponents-client/blob/rel/v5.3.1/httpclient5/src/main/java/org/apache/hc/client5/http/impl/io/DefaultHttpClientConnectionOperator.java#L133]
> In HttpClient 5.4+, this check was dropped to support RFC 2817 (Upgrading to 
> TLS Within HTTP/1.1). Rejecting http scheme could still be achieved, e.g. by 
> using a custom {{SchemePortResolver}}, but this is unnecessarily 
> complicated. And strictly speaking, such a solution is not enough anyway, 
> because a server could serve plain HTTP connections that are accessible via 
> "https" scheme.
> I suggest to add a "TLS only" setting (in {{HttpClientBuilder}}?) that 
> reliably enforces TLS on every HTTP connection created by HttpClient.
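
An application-side scheme check of the kind discussed in this thread, as an added example that is not part of the original message or of the HttpClient project's code. It uses a request interceptor instead of the SchemePortResolver named in the issue, the class names HttpsOnlyClients and RequireHttpsScheme and the host example.invalid are hypothetical, and it assumes request interceptors run before a connection is opened. It checks only the request scheme, which the issue itself describes as not enough to prove the connection is actually TLS.

```java
import java.io.IOException;

import org.apache.hc.client5.http.classic.methods.HttpGet;
import org.apache.hc.client5.http.impl.classic.CloseableHttpClient;
import org.apache.hc.client5.http.impl.classic.HttpClients;
import org.apache.hc.core5.http.EntityDetails;
import org.apache.hc.core5.http.HttpException;
import org.apache.hc.core5.http.HttpRequest;
import org.apache.hc.core5.http.HttpRequestInterceptor;
import org.apache.hc.core5.http.ProtocolException;
import org.apache.hc.core5.http.protocol.HttpContext;

/** Hypothetical helper (not HttpClient API): builds clients that refuse non-https requests. */
public final class HttpsOnlyClients {

    /** Fails closed: a request with no scheme is rejected just like "http". */
    static final class RequireHttpsScheme implements HttpRequestInterceptor {
        @Override
        public void process(HttpRequest request, EntityDetails entity, HttpContext context)
                throws HttpException, IOException {
            String scheme = request.getScheme();
            if (scheme == null || !"https".equalsIgnoreCase(scheme)) {
                throw new ProtocolException("Refusing non-https request: scheme=" + scheme);
            }
        }
    }

    /** Registers the check first so it runs ahead of the default protocol interceptors. */
    public static CloseableHttpClient create() {
        return HttpClients.custom()
                .addRequestInterceptorFirst(new RequireHttpsScheme())
                .build();
    }

    public static void main(String[] args) throws Exception {
        try (CloseableHttpClient client = create()) {
            // Constructed sample URL; .invalid never resolves, so nothing leaves the host.
            HttpGet plain = new HttpGet("http://example.invalid/");
            try {
                client.execute(plain, response -> response.getCode());
                System.out.println("unexpected: request was executed");
            } catch (IOException blocked) {
                // The classic client reports the ProtocolException as an IOException subtype.
                System.out.println("blocked: " + blocked.getMessage());
            }
        }
    }
}
```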


