Skip to content

CAMEL-23970: Mark sslEndpointAlgorithm as insecure SSL option#24668

Open
gbhavya07 wants to merge 1 commit into
apache:mainfrom
gbhavya07:CAMEL-23970-openai-security-annotation
Open

CAMEL-23970: Mark sslEndpointAlgorithm as insecure SSL option#24668
gbhavya07 wants to merge 1 commit into
apache:mainfrom
gbhavya07:CAMEL-23970-openai-security-annotation

Conversation

@gbhavya07

Copy link
Copy Markdown
Contributor

Description

This PR addresses CAMEL-23970 by marking the sslEndpointAlgorithm endpoint option as an insecure-capable SSL configuration.

The sslEndpointAlgorithm option allows disabling TLS hostname verification by setting it to an empty value or none. However, it was not annotated with security = "insecure:ssl", preventing Camel's security policy framework from identifying it as an option that weakens SSL verification.

This change adds the missing security = "insecure:ssl" attribute to the @UriParam annotation in OpenAIConfiguration and regenerates the component metadata so the security metadata is reflected in the generated openai.json.

Target

  • I checked that the commit is targeting the correct branch (Camel 4 uses the main branch)

Tracking

  • I checked there is a JIRA issue filed for the change: CAMEL-23970

Apache Camel coding standards and style

  • I checked that each commit in the pull request has a meaningful subject line and body.

  • I have run mvn clean install -DskipTests locally from root folder and I have committed all auto-generated changes.
    I ran ./mvnw clean install -DskipTests. The build fails in the unrelated camel-kserve module due to a protobuf-maven-plugin/protoc generation error. The camel-openai module builds successfully, and its tests pass.

AI-assisted contributions

  • If this PR includes AI-generated code, commits have proper co-authorship attribution (e.g., Co-authored-by trailers) and the PR description identifies the AI tool used.

@gnodet gnodet left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for working on this, @gbhavya07. The annotation change itself is correct — sslEndpointAlgorithm is indeed an insecure-capable SSL option that should be flagged by the security policy framework. However, the PR is incomplete because the full build did not finish, so required generated files are missing.

Findings

1. Missing SecurityUtils.java update (blocking)

The auto-generated SECURITY_OPTIONS map in core/camel-util/src/main/java/org/apache/camel/util/SecurityUtils.java must include an entry for sslendpointalgorithm. This map is regenerated by the update-sensitive-helper mojo during the camel-catalog build phase. Since your build failed at camel-kserve (which is built before catalog), this file was never regenerated.

For reference, see how PR #24661 (camel-pinecone) includes the corresponding SecurityUtils.java change:

map.put("tls", new SecurityOption(INSECURE_SSL, VALUE_FALSE));

Without this entry, the security policy framework cannot enforce policies on sslEndpointAlgorithm at runtime, which defeats the purpose of the annotation.

2. Missing catalog JSON update (blocking)

The catalog copy at catalog/camel-catalog/src/generated/resources/org/apache/camel/catalog/components/openai.json also needs to be regenerated to include the "security": "insecure:ssl" attribute. This is generated during the same catalog build phase.

3. Consider adding explicit insecureValue (suggestion)

The sslEndpointAlgorithm disables hostname verification for both empty string and "none" (see OpenAIEndpoint.java line 539). Without an explicit insecureValue on the annotation, the auto-generated SecurityUtils entry will default to "" (empty string), which only catches the empty-string case. Setting sslEndpointAlgorithm=none would not be detected as insecure.

This is a pre-existing limitation also present in strictHostKeyChecking, so it may be acceptable for now, but worth noting.

How to fix

To regenerate all required files, you need a successful full build. You can work around the camel-kserve failure by building with:

mvn clean install -DskipTests -pl :camel-openai -am && mvn clean install -DskipTests -pl :camel-catalog -am

Or exclude the failing module:

mvn clean install -DskipTests -pl '!:camel-kserve'

Then commit the regenerated SecurityUtils.java and openai.json (catalog copy).

Scanner coverage

No static analysis tools were run in this review (PMD, Checkstyle, SpotBugs, semgrep, Error Prone are not available in this environment). Compilation-dependent checks require CI.


Claude Code review on behalf of @gnodet

This review was generated by an AI agent and may contain inaccuracies. Please verify all suggestions before applying.

@gbhavya07 gbhavya07 force-pushed the CAMEL-23970-openai-security-annotation branch from 12fb51c to eb35712 Compare July 13, 2026 20:19
@gbhavya07 gbhavya07 requested a review from gnodet July 13, 2026 20:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants