Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8213309

Consider adding a hostname verifier like API to the HTTP Client

    XMLWordPrintable

Details

    • Enhancement
    • Resolution: Unresolved
    • P3
    • None
    • 11, 12
    • core-libs

    Description

      There has been a request to add a hostname verifier like API to the HTTP Client, similar to that of HttpsURLConnection.

      Such an API point could be used to effectively by-pass hostname checking when connecting to a "secure" server that does not wish to identify itself, in its certificate, by the hostname in the URL.

      This issue been raised a couple of times so far, namely:

      - http://mail.openjdk.java.net/pipermail/net-dev/2018-November/011899.html
      - https://stackoverflow.com/questions/52859195/using-httpbuilder-api-in-java-11-where-do-you-specify-the-hostnameverifier
      - https://stackoverflow.com/questions/52988677/allow-insecure-https-connection-for-java-jdk-11-httpclient
      - https://stackoverflow.com/questions/52856027/jdk-11-httpclient-throws-no-subject-alternative-dns-name-error

      To date the only known use-case is for testing. Further use-cases will be added here, if / when they are identified.

      FWIW, currently the HTTP Client API deliberately does not provide such an API point, as the implementation sets the URL's hostname in the TLS Server Name Indication ( SNI ) extension when initiating a new connection. In many real-world cases this is sufficient. For testing it may be a little cumbersome to expect the server implementation to use SNI, or identify itself with a Subject Alternative Name ( SAN ).

      Attachments

        Activity

          People

            michaelm Michael McMahon
            chegar Chris Hegarty
            Votes:
            2 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

              Created:
              Updated: