
Commit b476b05

Ensure only NOOP hostname verifier is used for TLS
The Signering API uses non-standard certificates for establishing the TLS connection, i.e. enterprise certificates (virksomhetssertifikat), so hostname verification must be skipped. Apache HttpClient changed behavior in v5.6: it is no longer enough to configure your own HostnameVerifier. To skip the verification built into the JDK SSL stack, one must also explicitly set the policy to HostnameVerificationPolicy.CLIENT. https://lists.apache.org/thread/xycs1swxpdc4g3255ms0p1kshbl3ky29 (see "Compatibility notes") apache/httpcomponents-client@d89fdfe
1 parent 81a836d commit b476b05

2 files changed

Lines changed: 7 additions & 5 deletions


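--- a/lib/pom.xml
+++ b/lib/pom.xml
@@ -28,7 +28,7 @@
 <dependency>
 <groupId>org.junit</groupId>
 <artifactId>junit-bom</artifactId>
-<version>5.13.0-M2</version>
+<version>5.14.2</version>
 <type>pom</type>
 <scope>import</scope>
 </dependency>
@@ -74,18 +74,18 @@
 <dependency>
 <groupId>org.apache.httpcomponents.client5</groupId>
 <artifactId>httpclient5</artifactId>
-<version>5.4.4</version>
+<version>5.6</version>
 </dependency>
 <dependency>
 <groupId>org.apache.httpcomponents.core5</groupId>
 <artifactId>httpcore5</artifactId>
-<version>5.3.4</version>
+<version>5.4</version>
 </dependency>
 
 <dependency>
 <groupId>commons-io</groupId>
 <artifactId>commons-io</artifactId>
-<version>2.19.0</version>
+<version>2.21.0</version>
 <scope>test</scope>
 </dependency>
 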
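--- a/lib/src/main/java/no/digipost/signature/client/core/internal/configuration/ApacheHttpClientSslConfigurer.java
+++ b/lib/src/main/java/no/digipost/signature/client/core/internal/configuration/ApacheHttpClientSslConfigurer.java
@@ -9,6 +9,7 @@
 import no.digipost.signature.client.security.OrganizationNumberValidation;
 import org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManagerBuilder;
 import org.apache.hc.client5.http.ssl.DefaultClientTlsStrategy;
+import org.apache.hc.client5.http.ssl.HostnameVerificationPolicy;
 import org.apache.hc.client5.http.ssl.NoopHostnameVerifier;
 import org.apache.hc.core5.ssl.SSLContexts;
 
@@ -40,7 +41,8 @@ public ApacheHttpClientSslConfigurer certificatChainValidation(CertificateChainV
 
 @Override
 public void applyTo(PoolingHttpClientConnectionManagerBuilder connectionManager) {
-connectionManager.setTlsSocketStrategy(new DefaultClientTlsStrategy(sslContext(), NoopHostnameVerifier.INSTANCE));
+connectionManager.setTlsSocketStrategy(
+new DefaultClientTlsStrategy(sslContext(), HostnameVerificationPolicy.CLIENT, NoopHostnameVerifier.INSTANCE));
 }
 
 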
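Review bot: The new `DefaultClientTlsStrategy(sslContext(), HostnameVerificationPolicy.CLIENT, NoopHostnameVerifier.INSTANCE)` in `applyTo` now disables hostname verification completely — per the commit message, CLIENT turns off the check built into the JDK SSL stack and the NOOP verifier accepts any name — so any certificate the trust store in `sslContext()` trusts will be accepted for any host, and nothing on the line says why that is acceptable. The rationale lives only in the commit message; a future reader or a scanner will flag this line as a TLS weakness, so put it next to the code, e.g. `// Hostname verification is deliberately disabled: the API presents an enterprise certificate (virksomhetssertifikat)` / `// that does not name the host; peer identity must come from the trust store and the chain/organization-number validation configured on this class.`. The `certificatChainValidation(...)` setter in the hunk header and the `OrganizationNumberValidation` import suggest such a compensating check exists, but its wiring is outside this hunk, so it is worth confirming that `sslContext()` cannot silently fall back to the default JDK trust store when that validation is not configured — combined with a NOOP verifier that would accept any publicly trusted certificate from any host. The enclosing class starts outside the hunk.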