FOLIO software libraries and modules currently disable hostname verification by using a NoopHostnameVerifier, which poses a critical security vulnerability. This bypass allows SSL/TLS connections to proceed without verifying the service's identity, increasing the risk of server impersonation by an attacker. The affected libraries and modules do not log the bypass nor terminate the connection when a certificate verification fails, contravening the requirements for secure HTTPS communication as per RFC 9110.

Action Required:

1. Replace the use of NoopHostnameVerifier with a secure hostname verification method that adheres to standard HTTPS certificate validation practices.

2. Remove the suppression of the SonarQube warning "Server hostnames should be verified during SSL/TLS connections" and verify compliance through static code analysis tools.

3. Use jdk.internal.httpclient.disableHostnameVerification system property to disable hostname verification as it is implemented in Java's JDK HttpClient,

HostnameVerifier usage:
https://github.com/folio-org/applications-poc-tools/blob/master/folio-backend-common/src/main/java/org/folio/common/utils/FeignClientTlsUtils.java#L66

https://github.com/folio-org/applications-poc-tools/blob/master/folio-security/src/main/java/org/folio/security/integration/keycloak/utils/ClientBuildUtils.java#L39

https://github.com/folio-org/applications-poc-tools/blob/master/folio-backend-testing/src/main/java/org/folio/test/extensions/impl/KeycloakContainerExtension.java#L110