HTTPCLIENT-2302: Add comment to TrustStrategy usage in examples (#492)

apache · Oct 12, 2023 · 32ce98d · 32ce98d
1 parent 6105852
commit 32ce98d
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 0 deletions.
diff --git a/httpclient5/src/test/java/org/apache/hc/client5/http/examples/AsyncClientCustomSSL.java b/httpclient5/src/test/java/org/apache/hc/client5/http/examples/AsyncClientCustomSSL.java
@@ -59,7 +59,14 @@ public class AsyncClientCustomSSL {
     public static void main(final String[] args) throws Exception {
         // Trust standard CA and those trusted by our custom strategy
         final SSLContext sslContext = SSLContexts.custom()
+                // Custom TrustStrategy implementations are intended for verification
+                // of certificates whose CA is not trusted by the system, and where specifying
+                // a custom truststore containing the certificate chain is not an option.
                 .loadTrustMaterial((chain, authType) -> {
+                    // Please note that validation of the server certificate without validation
+                    // of the entire certificate chain in this example is preferred to completely
+                    // disabling trust verification, however this still potentially allows
+                    // for man-in-the-middle attacks.
                     final X509Certificate cert = chain[0];
                     return "CN=httpbin.org".equalsIgnoreCase(cert.getSubjectDN().getName());
                 })

diff --git a/httpclient5/src/test/java/org/apache/hc/client5/http/examples/ClientCustomSSL.java b/httpclient5/src/test/java/org/apache/hc/client5/http/examples/ClientCustomSSL.java
@@ -55,7 +55,14 @@ public class ClientCustomSSL {
     public final static void main(final String[] args) throws Exception {
         // Trust standard CA and those trusted by our custom strategy
         final SSLContext sslContext = SSLContexts.custom()
+                // Custom TrustStrategy implementations are intended for verification
+                // of certificates whose CA is not trusted by the system, and where specifying
+                // a custom truststore containing the certificate chain is not an option.
                 .loadTrustMaterial((chain, authType) -> {
+                    // Please note that validation of the server certificate without validation
+                    // of the entire certificate chain in this example is preferred to completely
+                    // disabling trust verification, however this still potentially allows
+                    // for man-in-the-middle attacks.
                     final X509Certificate cert = chain[0];
                     return "CN=httpbin.org".equalsIgnoreCase(cert.getSubjectDN().getName());
                 })