From 228316607add7481b1d21cfcd5460e62d586f427 Mon Sep 17 00:00:00 2001
From: yyin-talend
Date: Mon, 8 Dec 2025 18:27:30 +0800
Subject: [PATCH 1/4] use safer method to verify certificate
---
 .../talend/sdk/components/vault/client/VaultClientSetup.java | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/vault-client/src/main/java/org/talend/sdk/components/vault/client/VaultClientSetup.java b/vault-client/src/main/java/org/talend/sdk/components/vault/client/VaultClientSetup.java
index e7d81316552f0..38dcebffc77e5 100644
--- a/vault-client/src/main/java/org/talend/sdk/components/vault/client/VaultClientSetup.java
+++ b/vault-client/src/main/java/org/talend/sdk/components/vault/client/VaultClientSetup.java
@@ -49,6 +49,7 @@
 import javax.ws.rs.client.ClientBuilder;
 import javax.ws.rs.client.WebTarget;
+import org.apache.cxf.transport.https.httpclient.DefaultHostnameVerifier;
 import org.eclipse.microprofile.config.inject.ConfigProperty;
 import org.talend.sdk.components.vault.configuration.Documentation;
@@ -190,6 +191,7 @@ private ClientBuilder createClient(final ExecutorService executor, final Optiona
             final Optional keystoreType, final String keystorePassword, final Optional truststoreType, final List serverHostnames) {
         final ClientBuilder builder = ClientBuilder.newBuilder();
+        final DefaultHostnameVerifier hostnameVerifier = new DefaultHostnameVerifier();
         builder.connectTimeout(connectTimeout, MILLISECONDS);
         builder.readTimeout(readTimeout, MILLISECONDS);
         builder.executorService(executor);
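Review bot: `hostnameVerifier` is constructed eagerly at the top of createClient even though the following hunk only installs it on the keystore branch, so when acceptAnyCertificate is set the object is created and never used; it reads better built at its single use site, `builder.hostnameVerifier(new DefaultHostnameVerifier());`. The import added in the first hunk makes vault-client depend on CXF's `org.apache.cxf.transport.https.httpclient` package at compile time; if this module's build does not already declare the CXF HTTP transport artifact, that declaration belongs in the same change (not visible here). If CXF's class mirrors HttpClient's, the no-argument constructor runs without a public-suffix matcher, which is worth a one-line comment so a later reader knows wildcard matching is not suffix-restricted. The body of createClient continues past this hunk.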
@@ -197,7 +199,7 @@ private ClientBuilder createClient(final ExecutorService executor, final Optiona
             builder.hostnameVerifier((host, session) -> true);
             builder.sslContext(createUnsafeSSLContext());
         } else if (keystoreLocation.isPresent()) {
-            builder.hostnameVerifier((host, session) -> serverHostnames.contains(host));
+            builder.hostnameVerifier(hostnameVerifier);
             builder.sslContext(createSSLContext(keystoreLocation, keystoreType, keystorePassword, truststoreType));
         }
         providers.map(it -> Stream.of(it.split(",")).map(String::trim).filter(v -> !v.isEmpty()).map(fqn -> {

From 39e312589dbf194679822c9f3d24a51b69378793 Mon Sep 17 00:00:00 2001
From: yyin
Date: Fri, 9 Jan 2026 16:35:45 +0800
Subject: [PATCH 2/4] add log
---
 .../sdk/components/vault/client/VaultClientSetup.java | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/vault-client/src/main/java/org/talend/sdk/components/vault/client/VaultClientSetup.java b/vault-client/src/main/java/org/talend/sdk/components/vault/client/VaultClientSetup.java
index 38dcebffc77e5..56163b4e90572 100644
--- a/vault-client/src/main/java/org/talend/sdk/components/vault/client/VaultClientSetup.java
+++ b/vault-client/src/main/java/org/talend/sdk/components/vault/client/VaultClientSetup.java
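Review bot: The removed line is the only visible use of `serverHostnames`, yet the parameter remains in createClient's signature (see the hunk header), so the configured hostname allow-list is now silently ignored on the keystore branch: the client will talk to any host whose certificate matches its name, where previously only the listed hostnames were accepted. If the allow-list is still part of the contract, keep it on top of certificate-based verification, `builder.hostnameVerifier((host, session) -> hostnameVerifier.verify(host, session) && serverHostnames.contains(host));`; otherwise remove the parameter and the configuration it is populated from (not visible here) and state the behaviour change in the commit message. Either way the setting's documentation needs to say what it does now. createClient continues outside this hunk, so serverHostnames may be read elsewhere in it.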
@@ -198,9 +198,13 @@ private ClientBuilder createClient(final ExecutorService executor, final Optiona
         if (acceptAnyCertificate) {
             builder.hostnameVerifier((host, session) -> true);
             builder.sslContext(createUnsafeSSLContext());
-        } else if (keystoreLocation.isPresent()) {
-            builder.hostnameVerifier(hostnameVerifier);
-            builder.sslContext(createSSLContext(keystoreLocation, keystoreType, keystorePassword, truststoreType));
+        } else {
+            if (keystoreLocation.isPresent()) {
+                builder.hostnameVerifier(hostnameVerifier);
+                builder.sslContext(createSSLContext(keystoreLocation, keystoreType, keystorePassword, truststoreType));
+            } else {
+                log.warn("Key store location is NOT present. ");
+            }
         }
         providers.map(it -> Stream.of(it.split(",")).map(String::trim).filter(v -> !v.isEmpty()).map(fqn -> {
             try {

From c49d40f57521b45a78dff428627cbbdbab7ded6d Mon Sep 17 00:00:00 2001
From: yyin
Date: Fri, 9 Jan 2026 18:36:00 +0800
Subject: [PATCH 3/4] use log.info
---
 .../talend/sdk/components/vault/client/VaultClientSetup.java | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/vault-client/src/main/java/org/talend/sdk/components/vault/client/VaultClientSetup.java b/vault-client/src/main/java/org/talend/sdk/components/vault/client/VaultClientSetup.java
index 56163b4e90572..e01d023de9760 100644
--- a/vault-client/src/main/java/org/talend/sdk/components/vault/client/VaultClientSetup.java
+++ b/vault-client/src/main/java/org/talend/sdk/components/vault/client/VaultClientSetup.java
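Review bot: In the new no-keystore branch neither a hostname verifier nor an SSL context is installed, so the `hostnameVerifier` built earlier in createClient only takes effect when a keystore location is configured, and the TLS policy otherwise falls back to whatever the JAX-RS implementation applies by default (presumably the JVM trust store; not visible here). If DefaultHostnameVerifier is the intended policy for every non-acceptAnyCertificate connection, install it once before the inner `if`, `builder.hostnameVerifier(hostnameVerifier);`, and keep only `builder.sslContext(createSSLContext(...))` under `keystoreLocation.isPresent()`. The log line would then be more useful if it also named the trust settings that are in effect rather than only the absent keystore. The `else { if … }` nesting can stay flat as `} else if (keystoreLocation.isPresent()) { … } else { … }`. createClient continues outside this hunk.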
@@ -203,7 +203,9 @@ private ClientBuilder createClient(final ExecutorService executor, final Optiona
                 builder.hostnameVerifier(hostnameVerifier);
                 builder.sslContext(createSSLContext(keystoreLocation, keystoreType, keystorePassword, truststoreType));
             } else {
-                log.warn("Key store location is NOT present. ");
+                log.info("TCK vault-client doesn't explicitly define the keystore location. You can use" +
+                        "'talend.vault.cache.client.vault.certificate.keystore.location' and " + "'talend.vault.cache.client.vault.certificate.keystore.type' to explicit it.");
             }
         }
         providers.map(it -> Stream.of(it.split(",")).map(String::trim).filter(v -> !v.isEmpty()).map(fqn -> {

From edf76e95c2e139ee89597399a8cedab9db34c8cd Mon Sep 17 00:00:00 2001
From: yyin
Date: Fri, 9 Jan 2026 21:12:36 +0800
Subject: [PATCH 4/4] Fix log message for keystore location configuration
---
 .../talend/sdk/components/vault/client/VaultClientSetup.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/vault-client/src/main/java/org/talend/sdk/components/vault/client/VaultClientSetup.java b/vault-client/src/main/java/org/talend/sdk/components/vault/client/VaultClientSetup.java
index e01d023de9760..bcd71898f3b03 100644
--- a/vault-client/src/main/java/org/talend/sdk/components/vault/client/VaultClientSetup.java
+++ b/vault-client/src/main/java/org/talend/sdk/components/vault/client/VaultClientSetup.java
@@ -203,9 +203,9 @@ private ClientBuilder createClient(final ExecutorService executor, final Optiona
                 builder.hostnameVerifier(hostnameVerifier);
                 builder.sslContext(createSSLContext(keystoreLocation, keystoreType, keystorePassword, truststoreType));
             } else {
-                log.info("TCK vault-client doesn't explicitly define the keystore location. You can use" +
+                log.info("TCK vault-client doesn't explicitly define the keystore location. Please configure " +
                         "'talend.vault.cache.client.vault.certificate.keystore.location' and " +
-                        "'talend.vault.cache.client.vault.certificate.keystore.type' to explicit it.");
+                        "'talend.vault.cache.client.vault.certificate.keystore.type' to define it explicitly.");
             }
         }
         providers.map(it -> Stream.of(it.split(",")).map(String::trim).filter(v -> !v.isEmpty()).map(fqn -> {