From 228316607add7481b1d21cfcd5460e62d586f427 Mon Sep 17 00:00:00 2001 From: yyin-talend Date: Mon, 8 Dec 2025 18:27:30 +0800 Subject: [PATCH] use safer method to verify certificate --- .../talend/sdk/components/vault/client/VaultClientSetup.java | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/vault-client/src/main/java/org/talend/sdk/components/vault/client/VaultClientSetup.java b/vault-client/src/main/java/org/talend/sdk/components/vault/client/VaultClientSetup.java index e7d81316552f0..38dcebffc77e5 100644 --- a/vault-client/src/main/java/org/talend/sdk/components/vault/client/VaultClientSetup.java +++ b/vault-client/src/main/java/org/talend/sdk/components/vault/client/VaultClientSetup.java @@ -49,6 +49,7 @@ import javax.ws.rs.client.ClientBuilder; import javax.ws.rs.client.WebTarget; +import org.apache.cxf.transport.https.httpclient.DefaultHostnameVerifier; import org.eclipse.microprofile.config.inject.ConfigProperty; import org.talend.sdk.components.vault.configuration.Documentation; @@ -190,6 +191,7 @@ private ClientBuilder createClient(final ExecutorService executor, final Optiona final Optional keystoreType, final String keystorePassword, final Optional truststoreType, final List serverHostnames) { final ClientBuilder builder = ClientBuilder.newBuilder(); + final DefaultHostnameVerifier hostnameVerifier = new DefaultHostnameVerifier(); builder.connectTimeout(connectTimeout, MILLISECONDS); builder.readTimeout(readTimeout, MILLISECONDS); builder.executorService(executor); 
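Review bot: `hostnameVerifier` is constructed at the top of `createClient` on every call, but in the visible hunks it is only used in the `keystoreLocation.isPresent()` branch. Constructing it there, `builder.hostnameVerifier(new DefaultHostnameVerifier());`, keeps the strict verifier next to the SSL context it protects and well away from the accept-all branch. The type is imported from `org.apache.cxf.transport.https.httpclient`, a CXF implementation package, so this module now compiles against CXF directly; it is worth confirming that the dependency is declared in the module's build file rather than arriving transitively. `createClient` continues past the end of this hunk.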
@@ -197,7 +199,7 @@ private ClientBuilder createClient(final ExecutorService executor, final Optiona builder.hostnameVerifier((host, session) -> true); builder.sslContext(createUnsafeSSLContext()); } else if (keystoreLocation.isPresent()) { - builder.hostnameVerifier((host, session) -> serverHostnames.contains(host)); + builder.hostnameVerifier(hostnameVerifier); builder.sslContext(createSSLContext(keystoreLocation, keystoreType, keystorePassword, truststoreType)); } providers.map(it -> Stream.of(it.split(",")).map(String::trim).filter(v -> !v.isEmpty()).map(fqn -> {
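Review bot: The `serverHostnames` list is no longer consulted in the `keystoreLocation.isPresent()` branch, so any host whose certificate matches its name and chains to the truststore is now accepted, and the parameter looks unused as far as this hunk shows. If the list is meant to restrict which Vault hosts the client may talk to, keep it alongside the certificate check, `builder.hostnameVerifier((host, session) -> serverHostnames.contains(host) && hostnameVerifier.verify(host, session));`. Otherwise remove the parameter and its configuration entry so operators do not assume it still limits anything. The branch above still installs `(host, session) -> true` together with `createUnsafeSSLContext()`; its condition is outside the hunk, and a warning logged whenever that path is taken would make an unverified deployment visible. `createClient` starts and ends outside this hunk.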