From 8e0d5b51c09248df0b6170dc1607d6729ed7e0c7 Mon Sep 17 00:00:00 2001 From: Junhyeok Lee Date: Thu, 28 Aug 2025 15:01:32 +0900 Subject: [PATCH 1/2] Unify TLS configuration - Introduced TlsConfiguration interface - Defaulted verifyHostname to true - Repurposed Http.verifyHostname as a toggle for backward compatibility --- .../log4j/core/appender/HttpAppender.java | 19 +++++++++-- .../log4j/core/net/ssl/SslConfiguration.java | 9 ++++-- .../core/net/ssl/SslConfigurationFactory.java | 2 +- .../log4j/core/net/ssl/TlsConfiguration.java | 32 +++++++++++++++++++ 4 files changed, 57 insertions(+), 5 deletions(-) create mode 100644 log4j-core/src/main/java/org/apache/logging/log4j/core/net/ssl/TlsConfiguration.java diff --git a/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/HttpAppender.java b/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/HttpAppender.java index 56d1ffb5e37..9f5ef31e6ae 100644 --- a/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/HttpAppender.java +++ b/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/HttpAppender.java @@ -65,7 +65,7 @@ public static class Builder> extends AbstractAppender.Build private SslConfiguration sslConfiguration; @PluginBuilderAttribute - private boolean verifyHostname = true; + private Boolean verifyHostname; @Override public HttpAppender build() { @@ -81,6 +81,14 @@ public HttpAppender build() { return null; // Return null if layout is missing } + if (verifyHostname != null) { + LOGGER.warn("Http#verifyHostname is deprecated. please configure this on the TLS instead."); + } else if (sslConfiguration != null) { + verifyHostname = sslConfiguration.isVerifyHostName(); + } else { + verifyHostname = true; + } + final HttpManager httpManager = new HttpURLConnectionManager( getConfiguration(), getConfiguration().getLoggerContext(), 
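Review bot: The block added to `build()` writes the resolved value back into the builder's `verifyHostname` field, so the field no longer distinguishes "set by the user" from "derived from the TLS configuration". A second `build()` on the same builder would take the `verifyHostname != null` branch, log the deprecation warning although the attribute was never configured, and keep the earlier derived value even if `setSslConfiguration` was called in between with a different hostname-verification setting. Resolving into a local and passing that local to the `HttpURLConnectionManager` constructor avoids this; the constructor's argument list continues outside the hunk, so the exact call site needs to be adjusted there.

```java
// … unchanged: layout null check and early return …
final boolean effectiveVerifyHostname;
if (verifyHostname != null) {
    LOGGER.warn("Http#verifyHostname is deprecated. please configure this on the TLS instead.");
    effectiveVerifyHostname = verifyHostname;
} else if (sslConfiguration != null) {
    effectiveVerifyHostname = sslConfiguration.isVerifyHostName();
} else {
    effectiveVerifyHostname = true;
}
// … unchanged: HttpURLConnectionManager construction, now passing effectiveVerifyHostname …
```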
@@ -123,7 +131,13 @@ public SslConfiguration getSslConfiguration() { } public boolean isVerifyHostname() { - return verifyHostname; + if (verifyHostname != null) { + return verifyHostname; + } + if (sslConfiguration != null) { + return sslConfiguration.isVerifyHostName(); + } + return true; } public B setUrl(final URL url) { @@ -156,6 +170,7 @@ public B setSslConfiguration(final SslConfiguration sslConfiguration) { return asBuilder(); } + @Deprecated public B setVerifyHostname(final boolean verifyHostname) { this.verifyHostname = verifyHostname; return asBuilder(); diff --git a/log4j-core/src/main/java/org/apache/logging/log4j/core/net/ssl/SslConfiguration.java b/log4j-core/src/main/java/org/apache/logging/log4j/core/net/ssl/SslConfiguration.java index cb24113bd92..21861c09955 100644 --- a/log4j-core/src/main/java/org/apache/logging/log4j/core/net/ssl/SslConfiguration.java +++ b/log4j-core/src/main/java/org/apache/logging/log4j/core/net/ssl/SslConfiguration.java @@ -40,7 +40,7 @@ */ @NullMarked @Plugin(name = "Ssl", category = Core.CATEGORY_NAME, printObject = true) -public class SslConfiguration { +public class SslConfiguration implements TlsConfiguration { private static final StatusLogger LOGGER = StatusLogger.getLogger(); @@ -178,7 +178,7 @@ public static SslConfiguration createSSLConfiguration( @PluginElement("KeyStore") final KeyStoreConfiguration keyStoreConfig, @PluginElement("TrustStore") final TrustStoreConfiguration trustStoreConfig) { // @formatter:on - return new SslConfiguration(protocol, false, keyStoreConfig, trustStoreConfig); + return new SslConfiguration(protocol, true, keyStoreConfig, trustStoreConfig); } /** 
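Review bot: `@Deprecated` on `setVerifyHostname` has no accompanying Javadoc, so callers get a compiler warning without learning what to use instead. Add a `@deprecated` tag naming the replacement, for example `/** @deprecated configure hostname verification on the {@link SslConfiguration} passed to {@link #setSslConfiguration} instead. */`. It is also worth stating there that a value passed to this setter still takes precedence over the TLS configuration in `build()`, because an explicit `false` here is the case someone auditing a deployment needs to find.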
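Review bot: The three-argument `createSSLConfiguration` factory now hard-codes `true` for hostname verification and nothing in this hunk documents the change; the same default flip is made for the property-driven path in `SslConfigurationFactory.createSslConfiguration`. Existing configurations that connect by IP address, or to endpoints whose certificate names do not match, may start having connections rejected after an upgrade. The Javadoc of this factory (outside the hunk) and the release notes should say that verification is on by default and that the four-argument overload, or the property read in `SslConfigurationFactory`, is the explicit opt-out. A short comment at the call, `// hostname verification is enabled unless explicitly disabled`, would keep the literal from reading as an arbitrary flag.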
@@ -234,22 +234,27 @@ public boolean equals(final Object obj) { return true; } + @Override public String getProtocol() { return protocol; } + @Override public boolean isVerifyHostName() { return verifyHostName; } + @Override public KeyStoreConfiguration getKeyStoreConfig() { return keyStoreConfig; } + @Override public TrustStoreConfiguration getTrustStoreConfig() { return trustStoreConfig; } + @Override public SSLContext getSslContext() { return sslContext; } diff --git a/log4j-core/src/main/java/org/apache/logging/log4j/core/net/ssl/SslConfigurationFactory.java b/log4j-core/src/main/java/org/apache/logging/log4j/core/net/ssl/SslConfigurationFactory.java index 2da16b886d0..deb11513d97 100644 --- a/log4j-core/src/main/java/org/apache/logging/log4j/core/net/ssl/SslConfigurationFactory.java +++ b/log4j-core/src/main/java/org/apache/logging/log4j/core/net/ssl/SslConfigurationFactory.java @@ -86,7 +86,7 @@ static SslConfiguration createSslConfiguration(final PropertiesUtil props) { } } if (trustStoreConfiguration != null || keyStoreConfiguration != null) { - final boolean isVerifyHostName = props.getBooleanProperty(verifyHostName, false); + final boolean isVerifyHostName = props.getBooleanProperty(verifyHostName, true); return SslConfiguration.createSSLConfiguration( null, keyStoreConfiguration, trustStoreConfiguration, isVerifyHostName); } diff --git a/log4j-core/src/main/java/org/apache/logging/log4j/core/net/ssl/TlsConfiguration.java b/log4j-core/src/main/java/org/apache/logging/log4j/core/net/ssl/TlsConfiguration.java new file mode 100644 index 00000000000..0d013282c49 --- /dev/null +++ b/log4j-core/src/main/java/org/apache/logging/log4j/core/net/ssl/TlsConfiguration.java 
@@ -0,0 +1,32 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to you under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.logging.log4j.core.net.ssl; + +import javax.net.ssl.SSLContext; + +public interface TlsConfiguration { + + String getProtocol(); + + boolean isVerifyHostName(); + + KeyStoreConfiguration getKeyStoreConfig(); + + TrustStoreConfiguration getTrustStoreConfig(); + + SSLContext getSslContext(); +} From 3000e892d412b412e984cdd9bcfb5989009aa22a Mon Sep 17 00:00:00 2001 From: Junhyeok Lee Date: Mon, 8 Sep 2025 12:53:03 +0900 Subject: [PATCH 2/2] Apply feedback from review - Update HttpAppender deprecation warning message - Make isVerifyHostname() simple --- .../logging/log4j/core/appender/HttpAppender.java | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/HttpAppender.java b/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/HttpAppender.java index 9f5ef31e6ae..31e82e65eac 100644 --- a/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/HttpAppender.java +++ b/log4j-core/src/main/java/org/apache/logging/log4j/core/appender/HttpAppender.java 
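Review bot: `TlsConfiguration` is a new public interface with no Javadoc on the type or on any method, and `isVerifyHostName()` in particular carries a security contract that implementers and callers need spelled out. Suggest a type-level comment describing it as the read-only view of the TLS settings, and on the method `/** Returns {@code true} if the peer certificate must match the host being connected to; implementations should default to {@code true}. */`. `SslConfiguration` is annotated `@NullMarked` while this interface is not, so the comment should also state which getters may return null; the key-store and trust-store getters look like candidates, but that is not visible in this patch.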
@@ -82,7 +82,8 @@ public HttpAppender build() { } if (verifyHostname != null) { - LOGGER.warn("Http#verifyHostname is deprecated. please configure this on the TLS instead."); + LOGGER.warn( + "`verifyHostname` attribute of `HttpAppender` is deprecated and ignored. Use a `TlsConfiguration` element to configure this attribute."); } else if (sslConfiguration != null) { verifyHostname = sslConfiguration.isVerifyHostName(); } else { @@ -131,13 +132,7 @@ public SslConfiguration getSslConfiguration() { } public boolean isVerifyHostname() { - if (verifyHostname != null) { - return verifyHostname; - } - if (sslConfiguration != null) { - return sslConfiguration.isVerifyHostName(); - } - return true; + return Boolean.TRUE.equals(this.verifyHostname); } public B setUrl(final URL url) {
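Review bot: The new warning text says the `verifyHostname` attribute is "deprecated and ignored", but the branch that logs it leaves the user-supplied value in `verifyHostname` untouched, so an explicit `false` on the appender still appears to win over the TLS configuration's setting. Either drop "and ignored" from the message, or make the branch really discard the attribute by resolving from `sslConfiguration` as the `else if` does; the second is preferable for hardening, because otherwise the log tells an operator that hostname verification was unaffected when it was turned off. The message also points users to a `TlsConfiguration` element, while the plugin visible in this series is registered as `Ssl`, so naming the element users actually write would make the warning actionable. How the value reaches `HttpURLConnectionManager` is outside the hunk and should be confirmed against the constructor call.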
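Review bot: `isVerifyHostname()` now returns `false` whenever the field is still `null`, that is, on any builder that has not yet gone through `build()`, which contradicts the default of `true` that the rest of the series establishes. Anything that reads the getter before `build()` resolves the field, such as a subclass or a test, sees hostname verification reported as disabled. `return verifyHostname == null || verifyHostname;` keeps the getter a one-liner and fails closed for the unset state. A one-line comment should also note that the value from the TLS configuration is only reflected after `build()`.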