JLLeitschuh
commented
5 years ago I 100% recommend adding a method like the following as simpleSecure(). (Mine is written in Kotlin, obvious this would be translated to Java)
private fun defaultSSLEngineForClient(): Func1<ByteBufAllocator, SSLEngine> {
val clientProvider = SslContext.defaultClientProvider()
val context = SslContextBuilder.forClient().sslProvider(clientProvider).build()
return Func1 { buff -> context.newEngine(buff) }
}
Insecure example code leads to insecure production code
By offering "working" code that is insecure by default, you are inherently suggesting that users use insecure coding practices by default.
For example, the samples recommend the use of
unsafeSecure().This is itself a security risk to the users of a library.