Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8213309

Consider adding a hostname verifier like API to the HTTP Client


    • Type: Enhancement
    • Status: Open
    • Priority: P3
    • Resolution: Unresolved
    • Affects Version/s: 11, 12
    • Fix Version/s: None
    • Component/s: core-libs


      There has been a request to add a hostname verifier like API to the HTTP Client, similar to that of HttpsURLConnection.

      Such an API point could be used to effectively by-pass hostname checking when connecting to a "secure" server that does not wish to identify itself, in its certificate, by the hostname in the URL.

      This issue been raised a couple of times so far, namely:

      - http://mail.openjdk.java.net/pipermail/net-dev/2018-November/011899.html
      - https://stackoverflow.com/questions/52859195/using-httpbuilder-api-in-java-11-where-do-you-specify-the-hostnameverifier
      - https://stackoverflow.com/questions/52988677/allow-insecure-https-connection-for-java-jdk-11-httpclient
      - https://stackoverflow.com/questions/52856027/jdk-11-httpclient-throws-no-subject-alternative-dns-name-error

      To date the only known use-case is for testing. Further use-cases will be added here, if / when they are identified.

      FWIW, currently the HTTP Client API deliberately does not provide such an API point, as the implementation sets the URL's hostname in the TLS Server Name Indication ( SNI ) extension when initiating a new connection. In many real-world cases this is sufficient. For testing it may be a little cumbersome to expect the server implementation to use SNI, or identify itself with a Subject Alternative Name ( SAN ).




            • Assignee:
              michaelm Michael McMahon
              chegar Chris Hegarty
            • Votes:
              0 Vote for this issue
              2 Start watching this issue


              • Created: