Enabling hostname verification by default

Since introduction of the setting 'verifyHost' the hostname
verification was disabled by default for the resteasy-reactive-client,
as the default value for boolean (primitive) is false.

This disabled default makes the reactive client vulnerable to MITM
attacks. In the meantime setting the config explicitly is a workaround
e.g. with 'quarkus.rest-client.verify-host=true'.

This change now adds a proper default both in the configuration and
for the field in the reactive client builder implementation.

Add test case for enabled host verification default

(cherry picked from commit 18f6f4c)

extensions/resteasy-classic/rest-client-config/runtime/src/main/java/io/quarkus/restclient/config/RestClientConfig.java

@@ -139,7 +139,8 @@ public class RestClientConfig {
     public Optional<QueryParamStyle> queryParamStyle;
 
     /**
-     * Set whether hostname verification is enabled.
+     * Set whether hostname verification is enabled. Default is enabled.
+     * This setting should not be disabled in production as it makes the client vulnerable to MITM attacks.
      */
     @ConfigItem
     public Optional<Boolean> verifyHost;

extensions/resteasy-classic/rest-client-config/runtime/src/main/java/io/quarkus/restclient/config/RestClientsConfig.java

@@ -227,7 +227,8 @@ public class RestClientsConfig {
     public Optional<QueryParamStyle> queryParamStyle;
 
     /**
-     * Set whether hostname verification is enabled.
+     * Set whether hostname verification is enabled. Default is enabled.
+     * This setting should not be disabled in production as it makes the client vulnerable to MITM attacks.
      *
      * Can be overwritten by client-specific settings.
      */

independent-projects/resteasy-reactive/client/runtime/src/main/java/org/jboss/resteasy/reactive/client/impl/ClientBuilderImpl.java

@@ -66,7 +66,7 @@ public class ClientBuilderImpl extends ClientBuilder {
 
     private boolean followRedirects;
     private boolean trustAll;
-    private boolean verifyHost;
+    private boolean verifyHost = true;
 
     private LoggingScope loggingScope;
     private Integer loggingBodySize = 100;

integration-tests/rest-client-reactive/src/main/java/io/quarkus/it/rest/client/main/ClientCallingResource.java

@@ -23,6 +23,7 @@
 import io.quarkus.it.rest.client.main.MyResponseExceptionMapper.MyException;
 import io.quarkus.it.rest.client.main.selfsigned.ExternalSelfSignedClient;
 import io.quarkus.it.rest.client.main.wronghost.WrongHostClient;
+import io.quarkus.it.rest.client.main.wronghost.WrongHostRejectedClient;
 import io.smallrye.mutiny.Uni;
 import io.vertx.core.Future;
 import io.vertx.core.json.Json;
@@ -52,6 +53,9 @@ public class ClientCallingResource {
     @RestClient
     WrongHostClient wrongHostClient;
 
+    @RestClient
+    WrongHostRejectedClient wrongHostRejectedClient;
+
     @Inject
     InMemorySpanExporter inMemorySpanExporter;
 
@@ -198,6 +202,15 @@ void init(@Observes Router router) {
 
         router.get("/wrong-host").blockingHandler(
                 rc -> rc.response().setStatusCode(200).end(String.valueOf(wrongHostClient.invoke().getStatus())));
+
+        router.get("/wrong-host-rejected").blockingHandler(rc -> {
+            try {
+                int result = wrongHostRejectedClient.invoke().getStatus();
+                rc.response().setStatusCode(200).end(String.valueOf(result));
+            } catch (Exception e) {
+                rc.response().setStatusCode(500).end(e.getCause().getClass().getSimpleName());
+            }
+        });
     }
 
     private Future<Void> success(RoutingContext rc, String body) {

integration-tests/rest-client-reactive/src/main/java/io/quarkus/it/rest/client/main/wronghost/WrongHostRejectedClient.java

@@ -0,0 +1,16 @@
+package io.quarkus.it.rest.client.main.wronghost;
+
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.Produces;
+import jakarta.ws.rs.core.MediaType;
+import jakarta.ws.rs.core.Response;
+
+import org.eclipse.microprofile.rest.client.inject.RegisterRestClient;
+
+@RegisterRestClient(baseUri = "https://wrong.host.badssl.com/", configKey = "wrong-host-rejected")
+public interface WrongHostRejectedClient {
+
+    @GET
+    @Produces(MediaType.TEXT_PLAIN)
+    Response invoke();
+}

integration-tests/rest-client-reactive/src/main/resources/application.properties

@@ -5,7 +5,10 @@ io.quarkus.it.rest.client.multipart.MultipartClient/mp-rest/url=${test.url}
 # Self-Signed client
 quarkus.rest-client.self-signed.trust-store=${self-signed.trust-store}
 quarkus.rest-client.self-signed.trust-store-password=${self-signed.trust-store-password}
-# Wrong Host client
+# Wrong Host client (connection accepted, as host verification is turned off)
 quarkus.rest-client.wrong-host.trust-store=${wrong-host.trust-store}
 quarkus.rest-client.wrong-host.trust-store-password=${wrong-host.trust-store-password}
 quarkus.rest-client.wrong-host.verify-host=false
+# Wrong Host client verified (connection rejected, as host verification is turned on by default)
+quarkus.rest-client.wrong-host-rejected.trust-store=${wrong-host.trust-store}
+quarkus.rest-client.wrong-host-rejected.trust-store-password=${wrong-host.trust-store-password}

integration-tests/rest-client-reactive/src/test/java/io/quarkus/it/rest/client/wronghost/ExternalWrongHostTestCase.java

@@ -1,6 +1,7 @@
 package io.quarkus.it.rest.client.wronghost;
 
 import static io.restassured.RestAssured.when;
+import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.is;
 
 import org.junit.jupiter.api.Test;
@@ -17,4 +18,13 @@ public void restClient() {
                 .statusCode(200)
                 .body(is("200"));
     }
+
+    @Test
+    public void restClientRejected() {
+        when()
+                .get("/wrong-host-rejected")
+                .then()
+                .statusCode(500)
+                .body(containsString("SSLHandshakeException"));
+    }
 }