Change default sslmode to strict for security reason

Author: zhicwu

clickhouse-client/src/main/java/com/clickhouse/client/ClickHouseNode.java

@@ -801,7 +801,7 @@ public static ClickHouseNode of(URI uri, ClickHouseNode template) {
         }
         if (protocol != ClickHouseProtocol.POSTGRESQL && scheme.charAt(scheme.length() - 1) == 's') {
             params.put(ClickHouseClientOption.SSL.getKey(), Boolean.TRUE.toString());
-            params.put(ClickHouseClientOption.SSL_MODE.getKey(), ClickHouseSslMode.NONE.name());
+            params.put(ClickHouseClientOption.SSL_MODE.getKey(), ClickHouseSslMode.STRICT.name());
         }
 
         ClickHouseCredentials credentials = template.credentials;

clickhouse-client/src/test/java/com/clickhouse/client/ClickHouseNodeTest.java

@@ -169,7 +169,7 @@ public void testInvalidNodes() {
     public void testValidNodes() {
         Map<String, String> options = new HashMap<>();
         options.put(ClickHouseClientOption.SSL.getKey(), "false");
-        options.put(ClickHouseClientOption.SSL_MODE.getKey(), "NONE");
+        options.put(ClickHouseClientOption.SSL_MODE.getKey(), ClickHouseSslMode.STRICT.name());
         options.put(ClickHouseClientOption.DATABASE.getKey(), "db1");
 
         Set<String> tags = new HashSet<>();
@@ -183,7 +183,7 @@ public void testValidNodes() {
     public void testSecureNode() {
         Map<String, String> options = new HashMap<>();
         options.put(ClickHouseClientOption.SSL.getKey(), "true");
-        options.put(ClickHouseClientOption.SSL_MODE.getKey(), "NONE");
+        options.put(ClickHouseClientOption.SSL_MODE.getKey(), ClickHouseSslMode.STRICT.name());
         options.put(ClickHouseClientOption.DATABASE.getKey(), "db1");
 
         Assert.assertEquals(ClickHouseNode.of("https://node1:443/db1"),
@@ -218,7 +218,7 @@ public void testSingleWordNode() {
     public void testNodeWithProtocol() {
         Map<String, String> options = new HashMap<>();
         options.put(ClickHouseClientOption.SSL.getKey(), "true");
-        options.put(ClickHouseClientOption.SSL_MODE.getKey(), "NONE");
+        options.put(ClickHouseClientOption.SSL_MODE.getKey(), ClickHouseSslMode.STRICT.name());
 
         for (ClickHouseProtocol p : ClickHouseProtocol.values()) {
             Assert.assertEquals(ClickHouseNode.of(p.name() + ":///?#"),
@@ -254,7 +254,7 @@ public void testNodeWithHostAndPort() {
     public void testNodeWithDatabase() {
         Map<String, String> options = new HashMap<>();
         options.put(ClickHouseClientOption.SSL.getKey(), "true");
-        options.put(ClickHouseClientOption.SSL_MODE.getKey(), "NONE");
+        options.put(ClickHouseClientOption.SSL_MODE.getKey(), ClickHouseSslMode.STRICT.name());
 
         Assert.assertEquals(ClickHouseNode.of("grpcs://node1:19100/"),
                 new ClickHouseNode("node1", ClickHouseProtocol.GRPC, 19100, null, options, null));
@@ -324,13 +324,13 @@ public void testNodeWithOptions() {
         Map<String, String> options = new HashMap<>();
         options.put(ClickHouseClientOption.ASYNC.getKey(), "false");
         options.put(ClickHouseClientOption.SSL.getKey(), "true");
-        options.put(ClickHouseClientOption.SSL_MODE.getKey(), "NONE");
+        options.put(ClickHouseClientOption.SSL_MODE.getKey(), ClickHouseSslMode.STRICT.name());
         options.put(ClickHouseClientOption.CONNECTION_TIMEOUT.getKey(), "500");
 
         for (String uri : new String[] {
                 "https://node1?!async&ssl&connect_timeout=500",
-                "http://node1?async=false&ssl=true&sslmode=NONE&connect_timeout=500",
-                "http://node1?&&&&async=false&ssl&&&&&sslmode=NONE&connect_timeout=500&&&",
+                "http://node1?async=false&ssl=true&sslmode=STRICT&connect_timeout=500",
+                "http://node1?&&&&async=false&ssl&&&&&sslmode=STRICT&connect_timeout=500&&&",
         }) {
             Assert.assertEquals(ClickHouseNode.of(uri),
                     new ClickHouseNode("node1", ClickHouseProtocol.HTTP,
@@ -379,7 +379,7 @@ public void testQueryWithSlash() throws Exception {
         Assert.assertEquals(server.toUri(), new URI("http://localhost:1234?/a/b/c=d"));
 
         Assert.assertEquals(ClickHouseNode.of("https://myserver/db/1/2/3?a%20=%201&b=/root/my.crt").toUri(),
-                new URI("http://myserver:8443/db/1/2/3?ssl=true&sslmode=NONE&a%20=%201&b=/root/my.crt"));
+                new URI("http://myserver:8443/db/1/2/3?ssl=true&sslmode=STRICT&a%20=%201&b=/root/my.crt"));
     }
 
     @Test(groups = { "integration" })

clickhouse-client/src/test/java/com/clickhouse/client/ClickHouseNodesTest.java

@@ -13,6 +13,7 @@
 import com.clickhouse.client.ClickHouseNode.Status;
 import com.clickhouse.client.config.ClickHouseClientOption;
 import com.clickhouse.client.config.ClickHouseDefaults;
+import com.clickhouse.client.config.ClickHouseSslMode;
 
 import org.testng.Assert;
 import org.testng.annotations.Test;
@@ -213,7 +214,7 @@ public void testSingleNodeList() {
 
         Map<String, String> options = new HashMap<>();
         options.put(ClickHouseClientOption.SSL.getKey(), "true");
-        options.put(ClickHouseClientOption.SSL_MODE.getKey(), "NONE");
+        options.put(ClickHouseClientOption.SSL_MODE.getKey(), ClickHouseSslMode.STRICT.name());
         options.put(ClickHouseClientOption.DATABASE.getKey(), "db1");
 
         Assert.assertEquals(ClickHouseNodes.of("https://node1:443/db1").nodes.get(0),

clickhouse-jdbc/src/test/java/com/clickhouse/jdbc/internal/ClickHouseJdbcUrlParserTest.java

@@ -69,12 +69,12 @@ public void testParseAbbrevation() throws SQLException, URISyntaxException {
 
         info = ClickHouseJdbcUrlParser.parse("jdbc:ch:https://:letmein@[::1]:3218/db1?user=aaa", null);
         Assert.assertEquals(info.getServer().toUri(ClickHouseJdbcUrlParser.JDBC_CLICKHOUSE_PREFIX),
-                new URI("jdbc:clickhouse:http://[::1]:3218/db1?ssl=true&sslmode=NONE"));
+                new URI("jdbc:clickhouse:http://[::1]:3218/db1?ssl=true&sslmode=STRICT"));
         Assert.assertEquals(info.getServer(), ClickHouseNode.builder().host("[::1]")
                 .port(ClickHouseProtocol.HTTP, 3218)
                 .database("db1")
                 .credentials(ClickHouseCredentials.fromUserAndPassword("aaa", "letmein"))
-                .addOption("ssl", "true").addOption("sslmode", "NONE").build());
+                .addOption("ssl", "true").addOption("sslmode", "STRICT").build());
         Assert.assertEquals(info.getServer().getCredentials().orElse(null),
                 ClickHouseCredentials.fromUserAndPassword("aaa", "letmein"));
     }
@@ -98,13 +98,13 @@ public void testParse() throws SQLException, URISyntaxException {
 
         info = ClickHouseJdbcUrlParser.parse("jdbc:ch:https://:[email protected]:3218/db1", null);
         Assert.assertEquals(info.getServer().toUri(ClickHouseJdbcUrlParser.JDBC_CLICKHOUSE_PREFIX),
-                new URI("jdbc:clickhouse:http://127.0.0.1:3218/db1?ssl=true&sslmode=NONE"));
+                new URI("jdbc:clickhouse:http://127.0.0.1:3218/db1?ssl=true&sslmode=STRICT"));
         Assert.assertEquals(info.getServer(), ClickHouseNode.builder().host("127.0.0.1")
                 .port(ClickHouseProtocol.HTTP, 3218).database("db1")
                 .credentials(ClickHouseCredentials
                         .fromUserAndPassword((String) ClickHouseDefaults.USER
                                 .getEffectiveDefaultValue(), "letmein"))
-                .addOption("ssl", "true").addOption("sslmode", "NONE")
+                .addOption("ssl", "true").addOption("sslmode", "STRICT")
                 .build());
     }