From ac9bcebb901a06a4ddcbdac70414a040f20de06a Mon Sep 17 00:00:00 2001 From: Roland Kuhn Date: Tue, 24 Nov 2015 10:22:56 +0100 Subject: [PATCH] add insecure HTTPS client warning for Scala --- akka-docs-dev/rst/scala/http/client-side/https-support.rst | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/akka-docs-dev/rst/scala/http/client-side/https-support.rst b/akka-docs-dev/rst/scala/http/client-side/https-support.rst index 31bd9eef9c..5e155f7c87 100644 --- a/akka-docs-dev/rst/scala/http/client-side/https-support.rst +++ b/akka-docs-dev/rst/scala/http/client-side/https-support.rst @@ -5,6 +5,11 @@ Client-Side HTTPS Support Akka HTTP supports TLS encryption on the client-side as well as on the :ref:`server-side `. +.. warning: + + Akka HTTP 1.0 does not completely validate certificates when using HTTPS. Please do not treat HTTPS connections + made with this version as secure. Requests are vulnerable to a Man-In-The-Middle attack via certificate substitution. + The central vehicle for configuring encryption is the ``HttpsContext``, which is defined as such: .. includecode2:: /../../akka-http-core/src/main/scala/akka/http/scaladsl/Http.scala
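Review bot: The directive on the first added line, `.. warning:`, has a single colon, but reStructuredText directives need two (`.. warning::`). As written, docutils parses that line and its indented body as a comment, so the certificate-validation warning would be dropped from the rendered page instead of appearing as an admonition. Please change it to `.. warning::` and check the built HTML to confirm the box shows up. Since the text only names Akka HTTP 1.0 as affected, it would also help to state what readers should do instead, such as which release or setting restores full validation, once that is known.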