HTTPCLIENT-2302: Add comment to TrustStrategy usage in examples (#492)

apache · Oct 12, 2023 · 6b16ec1 · 6b16ec1
1 parent 9c83250
commit 6b16ec1
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 0 deletions.
diff --git a/httpclient5/src/test/java/org/apache/hc/client5/http/examples/AsyncClientCustomSSL.java b/httpclient5/src/test/java/org/apache/hc/client5/http/examples/AsyncClientCustomSSL.java
@@ -59,6 +59,13 @@ public class AsyncClientCustomSSL {
     public static void main(final String[] args) throws Exception {
         // Trust standard CA and those trusted by our custom strategy
         final SSLContext sslContext = SSLContexts.custom()
+                // Specify a custom TrustStrategy
+                // Custom TrustStrategy implementations are intended for verification of certificates
+                // whose CA is not trusted by the system, and where specifying a custom truststore
+                // containing the certificate chain is not an option.
+                // Validation of the server certificate without validation of the entire certificate chain
+                // is preferred to completely disabling trust verification, however this
+                // *still allows man-in-the-middle attacks*.
                 .loadTrustMaterial((chain, authType) -> {
                     final X509Certificate cert = chain[0];
                     return "CN=httpbin.org".equalsIgnoreCase(cert.getSubjectDN().getName());

diff --git a/httpclient5/src/test/java/org/apache/hc/client5/http/examples/ClientCustomSSL.java b/httpclient5/src/test/java/org/apache/hc/client5/http/examples/ClientCustomSSL.java
@@ -55,6 +55,13 @@ public class ClientCustomSSL {
     public final static void main(final String[] args) throws Exception {
         // Trust standard CA and those trusted by our custom strategy
         final SSLContext sslContext = SSLContexts.custom()
+                // Specify a custom TrustStrategy
+                // Custom TrustStrategy implementations are intended for verification of certificates
+                // whose CA is not trusted by the system, and where specifying a custom truststore
+                // containing the certificate chain is not an option.
+                // Validation of the server certificate without validation of the entire certificate chain
+                // is preferred to completely disabling trust verification, however this
+                // *still allows man-in-the-middle attacks*.
                 .loadTrustMaterial((chain, authType) -> {
                     final X509Certificate cert = chain[0];
                     return "CN=httpbin.org".equalsIgnoreCase(cert.getSubjectDN().getName());