I have a gremlin server which has SSL enabled and it uses a cert signed by Verisign. Now when I'm setting up my client, I set ssl.enabled to true. But I don't mention any trustCertChain file explicitly. (Verisign Root CA is already bundled with my JRE). However, my logs are flooded with the following, which concerns me:
WARN org.apache.tinkerpop.gremlin.driver.Cluster - SSL configured
without a trustCertChainFile and thus trusts all certificates without
verification (not suitable for production)
Looking into the code a bit, it looks like while creating a cluster, if I'm turning on SSL, then I have to mention a trustCertChainFile, else it assumes that I'm talking to a server that operates with self-signed certs, and skips endpoint validation.
Is my understanding right? If yes, why do we enforce this? I am able to talk to the endpoint using curl without having to mention --cacert <cert>, as the VeriSign root CA is bundled with the version of curl (and browsers) that I have. I want the same experience when calling from Java code. What is the right way for me to make the client process just pick the default JRE truststore for root certificates?
Karthik
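The contrast the question turns on, as an added example that is not part of the post and not TinkerPop driver code: a Java SE TLS client that validates the server chain against the JRE's default truststore (the "cacerts" bundle that already contains the public root CAs) and also enables hostname verification, next to the trust-all manager that the driver's warning describes. The host and port are assumptions (8182 is only the default Gremlin Server port), and the example speaks plain JSSE, so wiring the resulting trust managers into a particular driver version is left to the driver's own builder API.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import java.security.KeyStore;
import java.security.cert.X509Certificate;

public class DefaultTrustStoreCheck {

    /** TrustManagerFactory backed by the platform default truststore (JRE cacerts, or -Djavax.net.ssl.trustStore). */
    static TrustManagerFactory defaultTrustManagers() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null KeyStore = "use the default truststore", no file path needed
        return tmf;
    }

    /** Number of CA anchors the default trust manager accepts; a quick check that the bundle really loaded. */
    static int trustedAnchorCount(TrustManagerFactory tmf) {
        int n = 0;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                n += ((X509TrustManager) tm).getAcceptedIssuers().length;
            }
        }
        return n;
    }

    /** SSLContext that rejects any server chain not anchored in the default truststore. */
    static SSLContext verifyingContext() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, defaultTrustManagers().getTrustManagers(), null);
        return ctx;
    }

    /** The behaviour the driver warns about: a trust manager that accepts every chain. Shown for contrast only. */
    static X509TrustManager trustAllManager() {
        return new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { } // no validation at all
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
    }

    /** Handshake with chain validation AND hostname verification; returns the server's leaf certificate subject. */
    static String handshake(String host, int port) throws Exception {
        SSLSocketFactory factory = verifyingContext().getSocketFactory();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS"); // chain validation alone does not check the hostname
            socket.setSSLParameters(params);
            socket.startHandshake(); // SSLHandshakeException here means the chain is not trusted by cacerts
            X509Certificate leaf = (X509Certificate) socket.getSession().getPeerCertificates()[0];
            return leaf.getSubjectX500Principal().getName();
        }
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "localhost"; // assumed target; replace with your server
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 8182; // default Gremlin Server port, assumed here
        System.out.println("default truststore anchors: " + trustedAnchorCount(defaultTrustManagers()));
        System.out.println("server leaf subject: " + handshake(host, port));
    }
}
```

Run it as `java DefaultTrustStoreCheck your.server.example 8182`: a successful handshake confirms that the JRE's bundled roots are sufficient for the server's certificate, which is the same check curl performs with its own CA bundle. Whether a given driver version lets you supply these trust managers (for example through a custom SSL context on its cluster builder) depends on that version's API and is not something this example assumes; the point it demonstrates is that "no trustCertChainFile" should mean "default truststore", not "trust everything", and that hostname verification has to be switched on separately from chain validation.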