Change TLS Hostname Verifier in Reactive SQL Client default value (do…

… not break)

The update to Vert.x 4.5.4 necessitates adjustments in extensions leveraging the Vert.x TCP client, notably impacting reactive SQL clients. TLS connections now require explicit configuration of hostname verification algorithms.

Previously, in the absence of explicit specification by the protocol, the verification algorithm defaulted to "". Although this default remains unchanged in this commit, a MicroProfile Config limitation (eclipse/microprofile-config#446) highlights that "" is not a valid value in the Quarkus configuration. Consequently, "NONE" has been adopted as an alternative. This enables users to explicitly set the hostname verification algorithm to "NONE" to bypass the verification process.

docs/src/main/asciidoc/amqp-reference.adoc

@@ -448,7 +448,7 @@ public AmqpClientOptions getNamedOptions() {
         .setPemKeyCertOptions(keycert)
         .setPemTrustOptions(trust)
         .addEnabledSaslMechanism("EXTERNAL")
-        .setHostnameVerificationAlgorithm("")
+        .setHostnameVerificationAlgorithm("") // Disables the hostname verification. Defaults is "HTTPS"
         .setConnectTimeout(30000)
         .setReconnectInterval(5000)
         .setContainerId("my-container");

extensions/reactive-datasource/runtime/src/main/java/io/quarkus/reactive/datasource/runtime/DataSourceReactiveRuntimeConfig.java

@@ -111,9 +111,11 @@ public interface DataSourceReactiveRuntimeConfig {
 
     /**
      * The hostname verification algorithm to use in case the server's identity should be checked.
-     * Should be HTTPS, LDAPS or an empty string.
+     * Should be {@code HTTPS}, {@code LDAPS} or {@code NONE}.
+     * {@code NONE} is the default value and disables the verification.
      */
-    Optional<String> hostnameVerificationAlgorithm();
+    @WithDefault("NONE")
+    String hostnameVerificationAlgorithm();
 
     /**
      * The maximum time a connection remains unused in the pool before it is closed.

extensions/reactive-db2-client/runtime/src/main/java/io/quarkus/reactive/db2/client/runtime/DB2PoolRecorder.java

@@ -217,9 +217,11 @@ private DB2ConnectOptions toConnectOptions(String dataSourceName, DataSourceRunt
 
         connectOptions.setReconnectInterval(dataSourceReactiveRuntimeConfig.reconnectInterval().toMillis());
 
-        if (dataSourceReactiveRuntimeConfig.hostnameVerificationAlgorithm().isPresent()) {
-            connectOptions.setHostnameVerificationAlgorithm(
-                    dataSourceReactiveRuntimeConfig.hostnameVerificationAlgorithm().get());
+        var algo = dataSourceReactiveRuntimeConfig.hostnameVerificationAlgorithm();
+        if ("NONE".equalsIgnoreCase(algo)) {
+            connectOptions.setHostnameVerificationAlgorithm("");
+        } else {
+            connectOptions.setHostnameVerificationAlgorithm(algo);
         }
 
         dataSourceReactiveRuntimeConfig.additionalProperties().forEach(connectOptions::addProperty);

extensions/reactive-mssql-client/runtime/src/main/java/io/quarkus/reactive/mssql/client/runtime/MSSQLPoolRecorder.java

@@ -220,9 +220,11 @@ private MSSQLConnectOptions toMSSQLConnectOptions(String dataSourceName, DataSou
         configureJksKeyCertOptions(mssqlConnectOptions, dataSourceReactiveRuntimeConfig.keyCertificateJks());
         configurePfxKeyCertOptions(mssqlConnectOptions, dataSourceReactiveRuntimeConfig.keyCertificatePfx());
 
-        if (dataSourceReactiveRuntimeConfig.hostnameVerificationAlgorithm().isPresent()) {
-            mssqlConnectOptions.setHostnameVerificationAlgorithm(
-                    dataSourceReactiveRuntimeConfig.hostnameVerificationAlgorithm().get());
+        var algo = dataSourceReactiveRuntimeConfig.hostnameVerificationAlgorithm();
+        if ("NONE".equalsIgnoreCase(algo)) {
+            mssqlConnectOptions.setHostnameVerificationAlgorithm("");
+        } else {
+            mssqlConnectOptions.setHostnameVerificationAlgorithm(algo);
         }
 
         dataSourceReactiveRuntimeConfig.additionalProperties().forEach(mssqlConnectOptions::addProperty);

extensions/reactive-mysql-client/runtime/src/main/java/io/quarkus/reactive/mysql/client/runtime/MySQLPoolRecorder.java

@@ -215,8 +215,8 @@ private List<MySQLConnectOptions> toMySQLConnectOptions(String dataSourceName,
                 mysqlConnectOptions.setSslMode(sslMode);
 
                 // If sslMode is verify-identity, we also need a hostname verification algorithm
-                if (sslMode == SslMode.VERIFY_IDENTITY && (!dataSourceReactiveRuntimeConfig.hostnameVerificationAlgorithm()
-                        .isPresent() || "".equals(dataSourceReactiveRuntimeConfig.hostnameVerificationAlgorithm().get()))) {
+                var algo = dataSourceReactiveRuntimeConfig.hostnameVerificationAlgorithm();
+                if ("NONE".equalsIgnoreCase(algo) && sslMode == SslMode.VERIFY_IDENTITY) {
                     throw new IllegalArgumentException(
                             "quarkus.datasource.reactive.hostname-verification-algorithm must be specified under verify-identity sslmode");
                 }
@@ -236,8 +236,12 @@ private List<MySQLConnectOptions> toMySQLConnectOptions(String dataSourceName,
 
             mysqlConnectOptions.setReconnectInterval(dataSourceReactiveRuntimeConfig.reconnectInterval().toMillis());
 
-            dataSourceReactiveRuntimeConfig.hostnameVerificationAlgorithm().ifPresent(
-                    mysqlConnectOptions::setHostnameVerificationAlgorithm);
+            var algo = dataSourceReactiveRuntimeConfig.hostnameVerificationAlgorithm();
+            if ("NONE".equalsIgnoreCase(algo)) {
+                mysqlConnectOptions.setHostnameVerificationAlgorithm("");
+            } else {
+                mysqlConnectOptions.setHostnameVerificationAlgorithm(algo);
+            }
 
             dataSourceReactiveMySQLConfig.authenticationPlugin().ifPresent(mysqlConnectOptions::setAuthenticationPlugin);
 

extensions/reactive-pg-client/runtime/src/main/java/io/quarkus/reactive/pg/client/runtime/PgPoolRecorder.java

@@ -202,10 +202,9 @@ private List<PgConnectOptions> toPgConnectOptions(String dataSourceName, DataSou
                 final SslMode sslMode = dataSourceReactivePostgreSQLConfig.sslMode().get();
                 pgConnectOptions.setSslMode(sslMode);
 
+                var algo = dataSourceReactiveRuntimeConfig.hostnameVerificationAlgorithm();
                 // If sslMode is verify-full, we also need a hostname verification algorithm
-                if (sslMode == SslMode.VERIFY_FULL
-                        && (!dataSourceReactiveRuntimeConfig.hostnameVerificationAlgorithm().isPresent()
-                                || "".equals(dataSourceReactiveRuntimeConfig.hostnameVerificationAlgorithm().get()))) {
+                if ("NONE".equalsIgnoreCase(algo) && sslMode == SslMode.VERIFY_FULL) {
                     throw new IllegalArgumentException(
                             "quarkus.datasource.reactive.hostname-verification-algorithm must be specified under verify-full sslmode");
                 }
@@ -227,8 +226,12 @@ private List<PgConnectOptions> toPgConnectOptions(String dataSourceName, DataSou
 
             pgConnectOptions.setReconnectInterval(dataSourceReactiveRuntimeConfig.reconnectInterval().toMillis());
 
-            dataSourceReactiveRuntimeConfig.hostnameVerificationAlgorithm().ifPresent(
-                    pgConnectOptions::setHostnameVerificationAlgorithm);
+            var algo = dataSourceReactiveRuntimeConfig.hostnameVerificationAlgorithm();
+            if ("NONE".equalsIgnoreCase(algo)) {
+                pgConnectOptions.setHostnameVerificationAlgorithm("");
+            } else {
+                pgConnectOptions.setHostnameVerificationAlgorithm(algo);
+            }
 
             dataSourceReactiveRuntimeConfig.additionalProperties().forEach(pgConnectOptions::addProperty);