Update to Vert.x 4.5.4 and Netty 4.1.107

This update brings significant changes affecting extensions utilizing a (Vert.x) TCP client. With Vert.x version 4.5.4, establishing TLS connections now mandates the use of hostname verification algorithms. This requirement impacts various components including Reactive SQL clients, Redis, RabbitMQ, MQTT, among others. Previously, if not explicitly specified by the protocol, the verification algorithm defaulted to "". This setting essentially skipped the verification process. However, with the new version, explicit configuration is necessary. Consequently, each extension has been adjusted to utilize the most appropriate verification algorithm. It's important to note that these modifications may potentially disrupt existing applications. In such cases, referring to the documentation of the specific extension or component is recommended for proper configuration of the hostname verification algorithm.
cescoffier · Mar 1, 2024 · ee8b09a · ee8b09a
1 parent 7481022
commit ee8b09a
Show file tree

Hide file tree

Showing 5 changed files with 19 additions and 10 deletions.
diff --git a/bom/application/pom.xml b/bom/application/pom.xml
@@ -121,7 +121,7 @@
  <wildfly-client-config.version>1.0.1.Final</wildfly-client-config.version>
  <wildfly-elytron.version>2.3.1.Final</wildfly-elytron.version>
  <jboss-threads.version>3.5.1.Final</jboss-threads.version>
- <vertx.version>4.5.3</vertx.version>
+ <vertx.version>4.5.4</vertx.version>
  <httpclient.version>4.5.14</httpclient.version>
  <httpcore.version>4.4.16</httpcore.version>
  <httpasync.version>4.1.5</httpasync.version>
@@ -144,7 +144,7 @@
  <infinispan.version>14.0.25.Final</infinispan.version>
  <infinispan.protostream.version>4.6.5.Final</infinispan.protostream.version>
  <caffeine.version>3.1.5</caffeine.version>
- <netty.version>4.1.106.Final</netty.version>
+ <netty.version>4.1.107.Final</netty.version>
  <brotli4j.version>1.14.0</brotli4j.version>
  <reactive-streams.version>1.0.4</reactive-streams.version>
  <jboss-logging.version>3.5.3.Final</jboss-logging.version>

diff --git a/docs/src/main/asciidoc/redis-reference.adoc b/docs/src/main/asciidoc/redis-reference.adoc
@@ -225,6 +225,8 @@ To use TLS, you need to:
 1. Set the `quarkus.redis.tls.enabled=true` property
 2. Make sure that your URL starts with `rediss://` (with two `s`)
 
+IMPORTANT: The default hostname verifier is set to `NONE`, meaning it does not verify the host name. You can change this behavior by setting the `quarkus.redis.tls.hostname-verification-algorithm` property, to `HTTPS` for example.
+
 === Configure the authentication
 
 The Redis password can be set in the `redis://` URL or with the `quarkus.redis.password` property.

diff --git a/...client/runtime/src/main/java/io/quarkus/redis/runtime/client/VertxRedisClientFactory.java b/...client/runtime/src/main/java/io/quarkus/redis/runtime/client/VertxRedisClientFactory.java
@@ -116,7 +116,14 @@ private static NetClientOptions toNetClientOptions(RedisClientConfig config) {
  tcp.alpn().ifPresent(net::setUseAlpn);
  tcp.applicationLayerProtocols().ifPresent(net::setApplicationLayerProtocols);
  tcp.connectionTimeout().ifPresent(d -> net.setConnectTimeout((int) d.toMillis()));
- tls.hostnameVerificationAlgorithm().ifPresent(net::setHostnameVerificationAlgorithm);
+
+ String verificationAlgorithm = tls.hostnameVerificationAlgorithm();
+ if ("NONE".equalsIgnoreCase(verificationAlgorithm)) {
+ net.setHostnameVerificationAlgorithm("");
+ } else {
+ net.setHostnameVerificationAlgorithm(verificationAlgorithm);
+ }
+
  tcp.idleTimeout().ifPresent(d -> net.setIdleTimeout((int) d.toSeconds()));
 
  tcp.keepAlive().ifPresent(b -> net.setTcpKeepAlive(true));
@@ -163,8 +170,6 @@ private static NetClientOptions toNetClientOptions(RedisClientConfig config) {
  tcp.quickAck().ifPresent(net::setTcpQuickAck);
  tcp.writeIdleTimeout().ifPresent(d -> net.setWriteIdleTimeout((int) d.toSeconds()));
 
- tls.hostnameVerificationAlgorithm().ifPresent(net::setHostnameVerificationAlgorithm);
-
  return net;
  }
 

diff --git a/.../redis-client/runtime/src/main/java/io/quarkus/redis/runtime/client/config/TlsConfig.java b/.../redis-client/runtime/src/main/java/io/quarkus/redis/runtime/client/config/TlsConfig.java
@@ -1,7 +1,5 @@
 package io.quarkus.redis.runtime.client.config;
 
-import java.util.Optional;
-
 import io.quarkus.runtime.annotations.ConfigGroup;
 import io.quarkus.vertx.core.runtime.config.JksConfiguration;
 import io.quarkus.vertx.core.runtime.config.PemKeyCertConfiguration;
@@ -68,8 +66,12 @@ public interface TlsConfig {
 
  /**
  * The hostname verification algorithm to use in case the server's identity should be checked.
- * Should be HTTPS, LDAPS or an empty string.
+ * Should be {@code HTTPS}, {@code LDAPS} or an {@code NONE} (default).
+ * <p>
+ * If set to {@code NONE}, it does not verify the hostname.
+ * <p>
  */
- Optional<String> hostnameVerificationAlgorithm();
+ @WithDefault("NONE")
+ String hostnameVerificationAlgorithm();
 
 }
diff --git a/independent-projects/resteasy-reactive/pom.xml b/independent-projects/resteasy-reactive/pom.xml
@@ -61,7 +61,7 @@
  <version.surefire.plugin>3.2.5</version.surefire.plugin>
  <mutiny.version>2.5.7</mutiny.version>
  <smallrye-common.version>2.3.0</smallrye-common.version>
- <vertx.version>4.5.3</vertx.version>
+ <vertx.version>4.5.4</vertx.version>
  <rest-assured.version>5.4.0</rest-assured.version>
  <commons-logging-jboss-logging.version>1.0.0.Final</commons-logging-jboss-logging.version>
  <jackson-bom.version>2.16.1</jackson-bom.version>