BREAKING: ssl_certificate_verification => true uses deprecated verifier since v11.14.0 #1138

@yaauie

Description

Logstash information:

Please include the following information:

  1. Logstash version (e.g. bin/logstash --version): 8.8

Description of the problem including expected versus actual behavior:

Before the SSL standardization, when this plugin was initialized with the now-deprecated ssl_certificate_verification => true, it provided no :verify ssl option to manticore, resulting in Manticore using DefaultHostnameVerifier.

With the SSL standardization in #1118, ssl_certificate_verification => true results in manticore getting :verify => :strict, which causes it to use a StrictHostnameVerifier.

  ssl_certificate_verification => false -> ssl_options[:verify]=`:disable` -> `NoopHostnameVerifier`
- ssl_certificate_verification => true -> ssl_options[:verify] unset -> `DefaultHostnameVerifier`
+ ssl_certificate_verification => true -> ssl_options[:verify]=`:strict` -> `StrictHostnameVerifier`

The StrictHostnameVerifier in the Apache Client lib is deprecated with guidance to use DefaultHostnameVerifier (which is the modern rfc2818-aware implementation):

/**
 * The Strict HostnameVerifier works the same way as Sun Java 1.4, Sun
[...]
 *
 * @deprecated (4.4) Use {@link org.apache.http.conn.ssl.DefaultHostnameVerifier}
 */
@Contract(threading = ThreadingBehavior.IMMUTABLE)
@Deprecated
public class StrictHostnameVerifier extends AbstractVerifier {

-- [email protected]


Relevant portion of the diff is here.
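
To find pipelines affected by the change reported above, the following added example (not code from the plugin or from the issue author) scans a pipeline config for the deprecated setting and reports which hostname verifier each occurrence selects before and after #1118. The helper names `manticore_verify` and `audit_pipeline` are hypothetical, the mapping is taken from the three rows listed in the issue, and the sample pipeline is constructed.

```ruby
# Added example, not plugin code. Verifier names are the three rows listed in the issue.
VERIFIER_FOR = {
  :disable => "NoopHostnameVerifier",
  nil      => "DefaultHostnameVerifier", # :verify left unset
  :strict  => "StrictHostnameVerifier"   # marked @deprecated (4.4) in the quoted source
}.freeze

# Hypothetical helper: the :verify value Manticore receives for the deprecated setting.
# standardized: false models the behaviour before #1118, true the behaviour after it.
def manticore_verify(cert_verification, standardized:)
  return :disable unless cert_verification
  standardized ? :strict : nil
end

# Hypothetical helper: report each `ssl_certificate_verification => <bool>` line in a
# pipeline config and the hostname verifier it selects before and after the change.
def audit_pipeline(config_text)
  findings = []
  config_text.each_line.with_index(1) do |line, lineno|
    code = line.sub(/#.*/, "") # drop trailing comments so commented-out settings are skipped
    m = code.match(/\bssl_certificate_verification\s*=>\s*"?(true|false)"?/)
    next unless m
    enabled = m[1] == "true"
    before = VERIFIER_FOR[manticore_verify(enabled, standardized: false)]
    after  = VERIFIER_FOR[manticore_verify(enabled, standardized: true)]
    findings << { line: lineno, enabled: enabled, before: before, after: after,
                  changed: before != after }
  end
  findings
end

# Constructed sample pipeline (host names are placeholders).
SAMPLE = <<~CONF
  output {
    elasticsearch {
      hosts => ["https://es.example.internal:9200"]
      ssl_certificate_verification => true
    }
    elasticsearch {
      hosts => ["https://es-dev.example.internal:9200"]
      # ssl_certificate_verification => true
      ssl_certificate_verification => false
    }
  }
CONF

audit_pipeline(SAMPLE).each do |f|
  flag = f[:changed] ? "CHANGED" : "same"
  puts "line #{f[:line]}: #{f[:before]} -> #{f[:after]} (#{flag})"
end
```

Only the `true` rows change verifier; `false` already disabled hostname verification before and after, which the audit also makes visible.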
