Timothee Maret created HTTPCLIENT-1752:
------------------------------------------

             Summary: Allow configuring the OSGi clients with relaxed SSL checks
                 Key: HTTPCLIENT-1752
                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1752
             Project: HttpComponents HttpClient
          Issue Type: New Feature
          Components: HttpClient
    Affects Versions: 4.5.2
            Reporter: Timothee Maret


In deployments other than production (e.g. dev, QA, integration testing, etc.) 
it is often useful to deploy self-signed certificates instead of certificates 
signed by a trusted CA, for cost and simplicity reasons.

By default, the HTTP client rejects a self-signed certificate because it is not 
signed by a trusted CA root.

One way to have the HTTP client accept the self-signed certificate is to add 
the self-signed certificate (or the detached CA root that signed it) to the 
Java trust store.
This is a configuration-only change (no code change needed); however, it 
typically requires access to the file system, and the scope of trust can't be 
easily modified at runtime.

Another way to have the HTTP client accept the self-signed certificate is to 
use the TrustSelfSignedStrategy [0] when building the HTTP client.
This requires modifying the code.

In order to use the second approach without modifying code, it would be 
useful to allow configuring a set of URIs for which the relaxed SSL mode 
should be used.

The configuration could be implemented similarly to the central proxy 
configuration (OSGi) introduced in HTTPCLIENT-1238. In addition to allowing 
self-signed certificates, the configuration could also allow skipping the 
FQDN (hostname) check by using the NoopHostnameVerifier [1].
Of course, this feature *must not* be deployed in a production environment, as 
it is totally insecure.
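The following is an added example (not code from this issue, from HTTPCLIENT-1238, or from HttpClient itself) of what the proposed behaviour looks like in plain Java against HttpClient 4.5.x, without the OSGi plumbing. The host allow-list and the hostname-check toggle are read from two hypothetical system properties (`httpclient.relaxed.hosts`, `httpclient.relaxed.skipHostname`) that stand in for the proposed OSGi configuration; hostnames such as `qa.example.test` are constructed sample values. Only https URIs whose host is on the list get a client built with TrustSelfSignedStrategy, and hostname verification stays on unless the toggle explicitly selects NoopHostnameVerifier; everything else goes through the default, fully validating client.

```java
// Added example, not part of HTTPCLIENT-1752 or of HttpClient. Assumes HttpClient 4.5.x.
// Routes requests for an allow-listed set of hosts to a client that also trusts
// self-signed certificates; all other requests use the strict default client.
import java.io.IOException;
import java.net.URI;
import java.security.GeneralSecurityException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;

import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;

public final class RelaxedSslClientRouter implements AutoCloseable {

    // Hypothetical property names standing in for the proposed OSGi configuration.
    static final String RELAXED_HOSTS_PROP = "httpclient.relaxed.hosts";        // comma-separated hostnames
    static final String SKIP_HOSTNAME_PROP = "httpclient.relaxed.skipHostname"; // "true" selects NoopHostnameVerifier

    private final Set<String> relaxedHosts;
    private final CloseableHttpClient strictClient;
    private final CloseableHttpClient relaxedClient;

    public RelaxedSslClientRouter(Set<String> relaxedHosts, boolean skipHostnameCheck)
            throws GeneralSecurityException {
        Set<String> normalized = new HashSet<>();
        for (String h : relaxedHosts) {
            normalized.add(h.trim().toLowerCase(Locale.ROOT));
        }
        this.relaxedHosts = Collections.unmodifiableSet(normalized);
        // Strict client: JVM trust store, full chain and hostname verification.
        this.strictClient = HttpClients.createDefault();
        // The relaxed client is only built when at least one host opts in.
        this.relaxedClient = normalized.isEmpty() ? null : buildRelaxedClient(skipHostnameCheck);
    }

    /** Builds a client that trusts self-signed certificates in addition to the JVM trust store. */
    static CloseableHttpClient buildRelaxedClient(boolean skipHostnameCheck)
            throws GeneralSecurityException {
        // A null trust store means the default JVM trust store; the strategy is consulted
        // first, so a self-issued certificate is accepted without a CA chain.
        SSLContext sslContext = SSLContexts.custom()
                .loadTrustMaterial(null, new TrustSelfSignedStrategy())
                .build();
        // Keep hostname verification unless explicitly disabled; NoopHostnameVerifier
        // accepts any certificate name, which is the FQDN skip described in the issue.
        HostnameVerifier verifier = skipHostnameCheck
                ? NoopHostnameVerifier.INSTANCE
                : SSLConnectionSocketFactory.getDefaultHostnameVerifier();
        SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(sslContext, verifier);
        return HttpClients.custom().setSSLSocketFactory(socketFactory).build();
    }

    /** Returns the relaxed client only for https URIs whose host is on the allow-list. */
    public CloseableHttpClient clientFor(URI uri) {
        String host = uri.getHost();
        if (relaxedClient != null
                && "https".equalsIgnoreCase(uri.getScheme())
                && host != null
                && relaxedHosts.contains(host.toLowerCase(Locale.ROOT))) {
            return relaxedClient;
        }
        return strictClient;
    }

    public boolean isRelaxed(URI uri) {
        return relaxedClient != null && clientFor(uri) == relaxedClient;
    }

    /** Reads the allow-list from system properties (stand-in for the proposed OSGi config). */
    public static RelaxedSslClientRouter fromSystemProperties() throws GeneralSecurityException {
        String hosts = System.getProperty(RELAXED_HOSTS_PROP, "");
        Set<String> set = new HashSet<>();
        if (!hosts.isEmpty()) {
            set.addAll(Arrays.asList(hosts.split(",")));
        }
        return new RelaxedSslClientRouter(set, Boolean.getBoolean(SKIP_HOSTNAME_PROP));
    }

    @Override
    public void close() throws IOException {
        strictClient.close();
        if (relaxedClient != null) {
            relaxedClient.close();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: only the QA host is allowed to use the relaxed client.
        try (RelaxedSslClientRouter router = new RelaxedSslClientRouter(
                new HashSet<>(Arrays.asList("qa.example.test")), false)) {
            System.out.println(router.isRelaxed(URI.create("https://qa.example.test/api")));
            System.out.println(router.isRelaxed(URI.create("https://www.example.com/api")));
            System.out.println(router.isRelaxed(URI.create("http://qa.example.test/api")));
        }
    }
}
```

The two knobs are kept separate on purpose: trusting a self-signed certificate and skipping the hostname check are independent relaxations, and a deployment that only needs the former should not silently get the latter. Scoping the relaxed client to an explicit host list mirrors the "set of URIs" the issue asks for, so the default client path stays unchanged for every other destination.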

[0] 
https://hc.apache.org/httpcomponents-client-ga/httpclient/apidocs/org/apache/http/conn/ssl/TrustSelfSignedStrategy.html
[1] 
https://hc.apache.org/httpcomponents-client-ga/httpclient/apidocs/org/apache/http/conn/ssl/NoopHostnameVerifier.html



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
