Hi

When developing Tsunami scanner plugins/detectors I came across an issue with insecure SSL certificates. Despite configuring an http client to trust all certificates with:

```java
this.httpClient = checkNotNull(httpClient).modify().setTrustAllCertificates(true).build();
```

The detector still fails with a `javax.net.ssl.SSLHandshakeException` when it comes across a web server with an insecure certificate. So this option does not seem to be working as expected.

To get around this issue I had to run Tsunami scanner with the `--http-client-trust-all-certificate` option.

This can result in some false negative findings / missed targets if a user doesn't run the scanner with this option specifically.

Thanks
Dawid

---

I got the full context after reviewing the k8s open access pull request. Yes, this is indeed a bug. To keep it simple, I will remove the option to modify `setTrustAllCertificates` from the client (the client was never set up to support on-the-fly modification of this option), and set `setTrustAllCertificates` to true by default. The option will still be available at the top level, so that users can turn it off via the `--http-client-trust-all-certificate` flag.