Add security warning to TrustStrategy implementations documentation (#490)

httpclient5/src/main/java/org/apache/hc/client5/http/ssl/TrustAllStrategy.java

@@ -34,9 +34,15 @@ import org.apache.hc.core5.annotation.ThreadingBehavior;
 import org.apache.hc.core5.ssl.TrustStrategy;
 
 /**
- * A trust strategy that accepts all certificates as trusted. Verification of
+ * A trust strategy that accepts all certificates as trusted.
- * all other certificates is done by the trust manager configured in the SSL
+ *
- * context.
+ * <h2>Security Warning</h2>
+ * This trust strategy effectively disables trust verification of SSL / TLS,
+ * and allows man-in-the-middle attacks. If possible avoid this trust strategy
+ * and use more secure alternatives. For example, for self-signed certificates
+ * prefer specifying a keystore containing the certificate chain when calling
+ * the {@link org.apache.hc.core5.ssl.SSLContextBuilder} {@code loadTrustMaterial}
+ * methods.
  *
  * @since 4.5.4
  * @since 5.0

httpclient5/src/main/java/org/apache/hc/client5/http/ssl/TrustSelfSignedStrategy.java

@@ -37,8 +37,18 @@ import org.apache.hc.core5.ssl.TrustStrategy;
  * A trust strategy that accepts self-signed certificates as trusted. Verification of all other
  * certificates is done by the trust manager configured in the SSL context.
  *
+ * <h2>Security Warning</h2>
+ * This acts like {@link TrustAllStrategy}, with the only restriction that the certificate chain
+ * must have length 1. This means this trust strategy does not protect against man-in-the-middle
+ * attacks. See the {@link TrustAllStrategy} for more information and more secure alternatives.
+ *
+ * @deprecated
+ *      For self-signed certificates prefer specifying a keystore containing the certificate when
+ *      calling the {@link org.apache.hc.core5.ssl.SSLContextBuilder} {@code loadTrustMaterial}
+ *      methods.
  * @since 4.1
  */
+@Deprecated
 @Contract(threading = ThreadingBehavior.STATELESS)
 public class TrustSelfSignedStrategy implements TrustStrategy {