From 401dbdee9c3f793d938bbe60d85fda55558325f8 Mon Sep 17 00:00:00 2001 From: Roland Kuhn Date: Tue, 24 Nov 2015 10:23:20 +0100 Subject: [PATCH] add insecure HTTPS client warning for Java --- akka-docs-dev/rst/java/http/client-side/https-support.rst | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/akka-docs-dev/rst/java/http/client-side/https-support.rst b/akka-docs-dev/rst/java/http/client-side/https-support.rst index af38437fbf..68f392810b 100644 --- a/akka-docs-dev/rst/java/http/client-side/https-support.rst +++ b/akka-docs-dev/rst/java/http/client-side/https-support.rst @@ -5,6 +5,11 @@ Client-Side HTTPS Support Akka HTTP supports TLS encryption on the client-side as well as on the :ref:`server-side `. +.. warning: + + Akka HTTP 1.0 does not completely validate certificates when using HTTPS. Please do not treat HTTPS connections + made with this version as secure. Requests are vulnerable to a Man-In-The-Middle attack via certificate substitution. + The central vehicle for configuring encryption is the ``HttpsContext``, which can be created using the static method ``HttpsContext.create`` which is defined like this:
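Review bot: The added line `.. warning:` ends in a single colon, so reStructuredText will not recognise it as a directive. Explicit markup that matches no directive form is parsed as a comment, and the indented block that follows belongs to that comment, so the whole warning would be silently dropped from the rendered documentation. Change it to `.. warning::` so that the admonition is actually shown to readers. The warning text also names "Akka HTTP 1.0" as affected without telling the reader what to do about it. If a version or configuration that fully validates certificates exists, a sentence pointing to it would make the notice actionable.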