[java.net.http.HttpClient] Active monitoring of resolved IP addresses
Nicolas Henneaux
nicolas.henneaux at gmail.com
Thu Aug 13 10:51:42 UTC 2020
Hi,
Were you able to have a quick look at what I have done to see whether it
might be better integrated into OpenJDK? Do you think the use case is
valuable to be better handled?
I actually use such mechanisms in production to have a proper view of which
IPs are available for a service API. In cloud environments, the
underlying IP of a hostname might indeed move on a regular basis.
Thank you in advance for your feedback,
Best regards,
Nicolas Henneaux
On Wed, 29 Jul 2020 at 16:53, Nicolas Henneaux <nicolas.henneaux at gmail.com>
wrote:
> Hi Daniel,
>
> It is needed since the hostname sent in the HTTP client is the IP instead
> of the actual hostname to force the usage of a single IP. However, a
> specific SSLContext is used to ensure the hostname TLS validation is still
> done.
> Usage of the IP in the HTTP request:
> <https://github.com/nhenneaux/resilient-httpclient/blob/master/single-host-httpclient/src/main/java/com/github/nhenneaux/resilienthttpclient/singlehostclient/SingleIpHttpRequest.java#L61>
> Check of the hostname during TLS handshake:
> <https://github.com/nhenneaux/resilient-httpclient/blob/master/single-host-httpclient/src/main/java/com/github/nhenneaux/resilienthttpclient/singlehostclient/SingleHostnameX509TrustManager.java#L255>
> I hope it is more clear why this property should be disabled in the way
> the HTTP client forces a single IP.
>
> Best regards,
>
> Nicolas
>
> On Wed, 29 Jul 2020 at 14:31, Daniel Fuchs <daniel.fuchs at oracle.com>
> wrote:
>
>> Hi Nicolas,
>>
>> On 29/07/2020 13:20, Nicolas Henneaux wrote:
>> > System.setProperty("jdk.internal.httpclient.disableHostnameVerification", Boolean.TRUE.toString());
>> > System.setProperty("jdk.httpclient.allowRestrictedHeaders", "host");
>>
>> I don't believe it's a good idea to disable/customize
>> hostname verification. This property is merely intended for
>> test environments - where you might need to pretend that you're
>> talking to some other servers...
>>
>> And it shouldn't be needed if the certificate presented by the
>> server contained the proper host names?
>>
>> best regards,
>>
>> -- daniel
>>
>>
>>