unwanted and unused :trust-all parameter at aws-api http-client #203
Assignees
Comments
|
This is merged to main and will be part of the next release, today or Monday |
|
Released in version com.cognitect.aws/api-0.8.575 |
dchelimsky
pushed a commit
that referenced
this issue
Jul 26, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This line of code, that already has a
TODO: fixcomment, pass a:trust-allparameter tocognitect.http-client/create-clienthttps://github.com/cognitect-labs/aws-api/blob/v0.8.539/src/cognitect/aws/http/cognitect.clj
I can't add a reference to cognitect http-client, but in version
1.0.110, that is the one that I'm using, the only usage of thistrust-allparameter looks like this:(SslContextFactory. false) #_(boolean trust-all)So this trust-all is not used at this version of http-client, but for ones using older/others versions of
cognitect.http-client, it will be a security issue.Can we remove this unused parameter?
As far I know, it is not desired to use options like this in prod scenarios.
[reference to SslContextFactory]
https://github.com/eclipse/jetty.project/blob/jetty-9.4.x/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java#L208
The text was updated successfully, but these errors were encountered: