Summary
Between 4.4.x and 4.5.0, Phase4PeppolHttpClientSettings() silently stopped installing a trust-all SSLContext by default. This change is not called out in the 4.5.0 release notes.
Change
Commit 16aaa25 ("Updated Peppol Http client settings to allow TLS 1.3 as well") removes this block from the constructor:
```java
final SSLContext aSSLContext = SSLContext.getInstance(ETLSVersion.TLS_12.getID());
// But we're basically trusting all hosts - the exact list is hard to determine
aSSLContext.init(null, new TrustManager[] { new TrustManagerTrustAll(false) }, null);
setSSLContext(aSSLContext);
```
The constructor now only sets TLS mode + revocation, so HttpClientFactory falls back to the JVM default truststore (cacerts).
Impact
Any caller relying on the implicit trust-all to reach an AP whose TLS cert isn't in cacerts now fails with:
```
javax.net.ssl.SSLHandshakeException: PKIX path building failed:
unable to find valid certification path to requested target
```
Typical cases: local/integration tests with self-signed APs, internal deployments using corporate CAs.
Release notes coverage
The 4.5.0 changelog only mentions:
- "AP and SMP connections can now be done with TLS 1.3 and TLS 1.2 by default"
- "SMP signing certificates are now checked for revocation by default"
Neither entry conveys that AP TLS trust is now strictly enforced. The commit message ("allow TLS 1.3 as well") doesn't reflect the TrustManagerTrustAll removal either.
Suggestion
Either document this as a breaking change in the release notes, or expose a documented helper (e.g. setSSLContextTrustAll() recommendation, or a setSSLContextPeppolDefault() loading the Peppol AP CA truststore for TLS).
Tightening the default is a sensible security improvement — just easy to miss given the trust-all had been the default for a long time.
Versions
- Last working: 4.4.x
- First broken: 4.5.0
- Component: phase4-profile-peppol / Phase4PeppolHttpClientSettings
Thanks!
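
For the self-signed and corporate-CA cases named under Impact, an alternative to reinstating trust-all, as an added example (not code from this issue or from phase4): an `SSLContext` that trusts only the CA certificates in one file, built with JDK APIs only. The class name and the file name in the usage comment are hypothetical; the result is meant for `setSSLContext(...)`, the setter the removed block called.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical helper class, not part of phase4.
public final class ExplicitTrustSSLContext {
  private ExplicitTrustSSLContext() {}

  /** Build an SSLContext that trusts only the CA certificates (PEM or DER) in aCaFile. */
  public static SSLContext fromCaFile(final Path aCaFile) throws GeneralSecurityException, IOException {
    // Start from an empty in-memory store so nothing from cacerts is trusted implicitly
    final KeyStore aTrustStore = KeyStore.getInstance(KeyStore.getDefaultType());
    aTrustStore.load(null, null);

    final CertificateFactory aCF = CertificateFactory.getInstance("X.509");
    int nCount = 0;
    try (InputStream aIS = Files.newInputStream(aCaFile)) {
      for (final Certificate aCert : aCF.generateCertificates(aIS))
        aTrustStore.setCertificateEntry("ca-" + nCount++, aCert);
    }
    // An empty trust store only fails later, during the handshake; fail early instead
    if (nCount == 0)
      throw new GeneralSecurityException("No certificates found in " + aCaFile);

    final TrustManagerFactory aTMF = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    aTMF.init(aTrustStore);

    // "TLS" leaves protocol version selection (1.2 / 1.3) to the client's TLS settings
    final SSLContext aSSLContext = SSLContext.getInstance("TLS");
    aSSLContext.init(null, aTMF.getTrustManagers(), null);
    return aSSLContext;
  }
}

// Usage (file name is a placeholder):
//   aHttpClientSettings.setSSLContext(ExplicitTrustSSLContext.fromCaFile(Paths.get("internal-ap-ca.pem")));
```

Unlike trust-all, this still rejects any AP whose chain does not end in one of the listed CAs, so a misrouted or intercepted connection fails the handshake.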