logstash-plugins/logstash-input-elasticsearch

BREAKING: ssl_certificate_verification => true uses deprecated verifier since v4.17.0

Closed this issue · 0 comments

Logstash information:

Please include the following information:

  1. Logstash version (e.g. bin/logstash --version): 8.8

Description of the problem including expected versus actual behavior:

Before the SSL standardization, when this plugin was initialized with the now-deprecated `ssl_certificate_verification => true`, it provided no `:verify` SSL option to Manticore, resulting in Manticore using `DefaultHostnameVerifier`.

With the SSL standardization in #1118, `ssl_certificate_verification => true` results in Manticore getting `:verify => :strict`, which causes it to use a `StrictHostnameVerifier`.

  ssl_certificate_verification => false -> ssl_options[:verify]=`:disable` -> `NoopHostnameVerifier`
- ssl_certificate_verification => true -> ssl_options[:verify] unset -> `DefaultHostnameVerifier`
+ ssl_certificate_verification => true -> ssl_options[:verify]=`:strict` -> `StrictHostnameVerifier`
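
Review bot: on the `+` line, `ssl_certificate_verification => true` now sets `ssl_options[:verify]` to `:strict`, so configurations that already use the deprecated setting switch from `DefaultHostnameVerifier` to `StrictHostnameVerifier` without any change on the user's side. Leaving `ssl_options[:verify]` unset for the `true` case, as on the `-` line, would keep the previous verifier for those configurations.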

The `StrictHostnameVerifier` in the Apache Client lib is deprecated with guidance to use `DefaultHostnameVerifier` (which is the modern RFC 2818-aware implementation):

```java
/**
 * The Strict HostnameVerifier works the same way as Sun Java 1.4, Sun
[...]
 *
 * @deprecated (4.4) Use {@link org.apache.http.conn.ssl.DefaultHostnameVerifier}
 */
@Contract(threading = ThreadingBehavior.IMMUTABLE)
@Deprecated
public class StrictHostnameVerifier extends AbstractVerifier {
```

-- StrictHostnameVerifier@4.5.x


Relevant portion of the diff is here.