GH-5723: Refine SSL trust all configuration for http client builder

RDF4JHttpClientConfig
  - Added disableHostnameVerification boolean field (default false),
getter, and builder method with security-warning Javadoc.

  ApacheHC5RDF4JHttpClientFactory
  - Added javax.net.ssl.SSLContext and NoopHostnameVerifier imports.
  - The TLS strategy block now covers both cases: if
disableHostnameVerification is true, NoopHostnameVerifier.INSTANCE is
passed to DefaultClientTlsStrategy; if only a custom SSLContext is set,
the default verifier is used. If neither flag applies, no custom
strategy
  is set.

  JdkRDF4JHttpClientFactory
  - Added javax.net.ssl.SSLParameters import.
  - When disableHostnameVerification is true, sets
endpointIdentificationAlgorithm to null via SSLParameters, which is the
JDK way to disable hostname checking.

  HttpClientBuilders.getSslTrustAllConfig()
  - Now calls .disableHostnameVerification(true) so the returned config
disables both certificate validation and hostname verification, matching
the "trust all" contract.
  - Updated Javadoc to accurately describe what the method does (both
checks suppressed) and to include the production warning.

Author: aschwarte10

core/http/client-apache5/src/main/java/org/eclipse/rdf4j/http/client/apache5/ApacheHC5RDF4JHttpClientFactory.java

@@ -15,6 +15,8 @@
 import java.util.List;
 import java.util.stream.Collectors;
 
+import javax.net.ssl.SSLContext;
+
 import org.apache.hc.client5.http.HttpRequestRetryStrategy;
 import org.apache.hc.client5.http.config.ConnectionConfig;
 import org.apache.hc.client5.http.config.RequestConfig;
@@ -26,6 +28,7 @@
 import org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManager;
 import org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManagerBuilder;
 import org.apache.hc.client5.http.ssl.DefaultClientTlsStrategy;
+import org.apache.hc.client5.http.ssl.NoopHostnameVerifier;
 import org.apache.hc.core5.http.ConnectionClosedException;
 import org.apache.hc.core5.http.HttpRequest;
 import org.apache.hc.core5.http.HttpResponse;
@@ -87,8 +90,19 @@ public RDF4JHttpClient create(RDF4JHttpClientConfig config) {
 						.setConnectTimeout(Timeout.ofMilliseconds(config.getConnectTimeoutMs()))
 						.build());
 
-		if (config.getSslContext().isPresent()) {
-			cmBuilder.setTlsSocketStrategy(new DefaultClientTlsStrategy(config.getSslContext().get()));
+		if (config.getSslContext().isPresent() || config.isDisableHostnameVerification()) {
+			SSLContext sslContext = config.getSslContext().orElseGet(() -> {
+				try {
+					return SSLContext.getDefault();
+				} catch (java.security.NoSuchAlgorithmException e) {
+					throw new RuntimeException(e);
+				}
+			});
+			if (config.isDisableHostnameVerification()) {
+				cmBuilder.setTlsSocketStrategy(new DefaultClientTlsStrategy(sslContext, NoopHostnameVerifier.INSTANCE));
+			} else {
+				cmBuilder.setTlsSocketStrategy(new DefaultClientTlsStrategy(sslContext));
+			}
 		}
 
 		PoolingHttpClientConnectionManager connectionManager = cmBuilder.build();

core/http/client-api/src/main/java/org/eclipse/rdf4j/http/client/spi/RDF4JHttpClientConfig.java

@@ -47,6 +47,7 @@ public final class RDF4JHttpClientConfig {
 	private final boolean followRedirects;
 	private final long idleConnectionTimeoutMs;
 	private final SSLContext sslContext;
+	private final boolean disableHostnameVerification;
 	private final List<HttpHeader> defaultHeaders;
 
 	private RDF4JHttpClientConfig(Builder builder) {
@@ -59,6 +60,7 @@ private RDF4JHttpClientConfig(Builder builder) {
 		this.followRedirects = builder.followRedirects;
 		this.idleConnectionTimeoutMs = builder.idleConnectionTimeoutMs;
 		this.sslContext = builder.sslContext;
+		this.disableHostnameVerification = builder.disableHostnameVerification;
 		this.defaultHeaders = List.copyOf(builder.defaultHeaders);
 	}
 
@@ -147,6 +149,20 @@ public Optional<SSLContext> getSslContext() {
 		return Optional.ofNullable(sslContext);
 	}
 
+	/**
+	 * Returns whether TLS hostname verification is disabled. When {@code true}, the client will accept certificates
+	 * even if the hostname does not match the certificate's CN/SAN fields.
+	 *
+	 * <p>
+	 * <strong>Warning:</strong> disabling hostname verification removes an important security check. Only use this in
+	 * controlled environments (e.g. testing against self-signed certificates).
+	 *
+	 * @return {@code true} if hostname verification is disabled, {@code false} otherwise
+	 */
+	public boolean isDisableHostnameVerification() {
+		return disableHostnameVerification;
+	}
+
 	/**
 	 * Returns the default HTTP headers to be sent with every request.
 	 *
@@ -189,6 +205,7 @@ public static Builder newBuilder() {
 	 * <li>{@code followRedirects} = {@code true}</li>
 	 * <li>{@code idleConnectionTimeoutMs} = 300,000 ms (5 minutes)</li>
 	 * <li>{@code sslContext} = none (uses JVM default)</li>
+	 * <li>{@code disableHostnameVerification} = {@code false}</li>
 	 * </ul>
 	 */
 	public static final class Builder {
@@ -201,6 +218,7 @@ public static final class Builder {
 		private boolean followRedirects = true;
 		private long idleConnectionTimeoutMs = 300_000L;
 		private SSLContext sslContext;
+		private boolean disableHostnameVerification = false;
 		private List<HttpHeader> defaultHeaders = List.of();
 
 		private Builder() {
@@ -307,6 +325,22 @@ public Builder sslContext(SSLContext sslContext) {
 			return this;
 		}
 
+		/**
+		 * Disables TLS hostname verification. When set to {@code true}, the client will accept certificates even if the
+		 * hostname does not match the certificate's CN/SAN fields.
+		 *
+		 * <p>
+		 * <strong>Warning:</strong> disabling hostname verification removes an important security check. Only use this
+		 * in controlled environments (e.g. testing against self-signed certificates with hostname mismatches).
+		 *
+		 * @param disableHostnameVerification {@code true} to disable hostname verification
+		 * @return this builder
+		 */
+		public Builder disableHostnameVerification(boolean disableHostnameVerification) {
+			this.disableHostnameVerification = disableHostnameVerification;
+			return this;
+		}
+
 		/**
 		 * Sets the default HTTP headers to be sent with every request.
 		 *

core/http/client-jdk/src/main/java/org/eclipse/rdf4j/http/client/jdk/JdkRDF4JHttpClientFactory.java

@@ -16,6 +16,8 @@
 import java.net.http.HttpClient;
 import java.time.Duration;
 
+import javax.net.ssl.SSLParameters;
+
 import org.eclipse.rdf4j.http.client.spi.RDF4JHttpClient;
 import org.eclipse.rdf4j.http.client.spi.RDF4JHttpClientConfig;
 import org.eclipse.rdf4j.http.client.spi.RDF4JHttpClientFactory;
@@ -46,6 +48,12 @@ public RDF4JHttpClient create(RDF4JHttpClientConfig config) {
 
 		config.getSslContext().ifPresent(builder::sslContext);
 
+		if (config.isDisableHostnameVerification()) {
+			SSLParameters sslParameters = new SSLParameters();
+			sslParameters.setEndpointIdentificationAlgorithm(null);
+			builder.sslParameters(sslParameters);
+		}
+
 		builder.authenticator(new Authenticator() {
 			@Override
 			protected PasswordAuthentication getPasswordAuthentication() {

core/http/client/src/main/java/org/eclipse/rdf4j/http/client/util/HttpClientBuilders.java

@@ -30,8 +30,15 @@
 public class HttpClientBuilders {
 
 	/**
-	 * Return an {@link RDF4JHttpClientConfig} configured to trust all SSL certificates, including self-signed
-	 * certificates.
+	 * Return an {@link RDF4JHttpClientConfig} configured to trust all SSL certificates and skip hostname verification.
+	 *
+	 * <p>
+	 * This installs a no-op {@link javax.net.ssl.TrustManager} that accepts any certificate chain, and disables TLS
+	 * endpoint identification so that hostname mismatches are also accepted. Both checks are suppressed, making this
+	 * suitable for self-signed certificates in controlled/test environments.
+	 *
+	 * <p>
+	 * <strong>Warning:</strong> this configuration is inherently insecure and must never be used in production.
 	 *
 	 * @return an {@link RDF4JHttpClientConfig} for <i>SSL trust all</i>
 	 */
@@ -52,7 +59,7 @@ public X509Certificate[] getAcceptedIssuers() {
 					return new X509Certificate[0];
 				}
 			} }, null);
-			return RDF4JHttpClientConfig.newBuilder().sslContext(sslContext).build();
+			return RDF4JHttpClientConfig.newBuilder().sslContext(sslContext).disableHostnameVerification(true).build();
 		} catch (NoSuchAlgorithmException | KeyManagementException e) {
 			throw new RuntimeException(e);
 		}