[java.net.http.HttpClient] Active monitoring of resolved IP addresses

Nicolas Henneaux nicolas.henneaux at gmail.com
Wed Jul 29 14:53:56 UTC 2020


Hi Daniel,

It is needed since the hostname sent in the HTTP client is the IP instead
of the actual hostname to force the usage of a single IP. However, a
specific SSLContext is used to ensure the hostname TLS validation is still
done.
Usage of the IP in the HTTP request
<https://github.com/nhenneaux/resilient-httpclient/blob/master/single-host-httpclient/src/main/java/com/github/nhenneaux/resilienthttpclient/singlehostclient/SingleIpHttpRequest.java#L61>
Check of the hostname during TLS handshake
<https://github.com/nhenneaux/resilient-httpclient/blob/master/single-host-httpclient/src/main/java/com/github/nhenneaux/resilienthttpclient/singlehostclient/SingleHostnameX509TrustManager.java#L255>
I hope it is more clear why this property should be disabled in the way the
HTTP client forces a single IP.

Best regards,

Nicolas

On Wed, 29 Jul 2020 at 14:31, Daniel Fuchs <daniel.fuchs at oracle.com> wrote:

> Hi Nicolas,
>
> On 29/07/2020 13:20, Nicolas Henneaux wrote:
> > System.setProperty("jdk.internal.httpclient.disableHostnameVerification", Boolean.TRUE.toString());
> > System.setProperty("jdk.httpclient.allowRestrictedHeaders", "host");
>
> I don't believe it's a good idea to disable/customize
> hostname verification. This property is merely intended for
> test environments - where you might need to pretend that you're
> talking to some other servers...
>
> And it shouldn't be needed if the certificate presented by the
> server contained the proper host names?
>
> best regards,
>
> -- daniel
>
>
>
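
The approach described in this message (dial an IP, turn off the client's built-in hostname check, and re-check the certificate against the real hostname in a trust manager) can be sketched as below. This is an added example, not code from the thread or from the linked project: the class name `PinnedHostnameTrustManager` is hypothetical, and the matching is deliberately narrow (dNSName SAN entries only, exact match or one left-most wildcard label, no CN fallback).

```java
import java.net.Socket;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Locale;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedTrustManager;

// Hypothetical wrapper: the delegate validates the chain, then the leaf is checked
// against the hostname the caller intended to reach (not the IP being dialed).
final class PinnedHostnameTrustManager extends X509ExtendedTrustManager {
    private final X509ExtendedTrustManager delegate; // e.g. the JDK default trust manager
    private final String expectedHost;

    PinnedHostnameTrustManager(X509ExtendedTrustManager delegate, String expectedHost) {
        this.delegate = delegate;
        this.expectedHost = expectedHost.toLowerCase(Locale.ROOT);
    }
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException {
        delegate.checkServerTrusted(chain, authType, engine);
        verifyHostname(chain[0]);
    }
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
        delegate.checkServerTrusted(chain, authType, socket);
        verifyHostname(chain[0]);
    }
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkServerTrusted(chain, authType);
        verifyHostname(chain[0]);
    }
    @Override public void checkClientTrusted(X509Certificate[] c, String a, SSLEngine e) throws CertificateException { delegate.checkClientTrusted(c, a, e); }
    @Override public void checkClientTrusted(X509Certificate[] c, String a, Socket s) throws CertificateException { delegate.checkClientTrusted(c, a, s); }
    @Override public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { delegate.checkClientTrusted(c, a); }
    @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }

    // Fail closed: reject unless a dNSName SAN (type 2) matches the expected hostname.
    private void verifyHostname(X509Certificate leaf) throws CertificateException {
        var sans = leaf.getSubjectAlternativeNames(); // null when the extension is absent
        if (sans != null) {
            for (var san : sans) {
                if ((Integer) san.get(0) == 2 && matches(((String) san.get(1)).toLowerCase(Locale.ROOT))) return;
            }
        }
        throw new CertificateException("No dNSName SAN matches " + expectedHost);
    }
    // Exact match, or "*.example.com" covering exactly one left-most label.
    private boolean matches(String pattern) {
        if (!pattern.startsWith("*.")) return pattern.equals(expectedHost);
        int dot = expectedHost.indexOf('.');
        return dot > 0 && expectedHost.substring(dot).equals(pattern.substring(1));
    }
}
```

With the built-in check disabled by the system property quoted above, this trust manager is the only hostname verification left, so every `SSLContext` used by the client has to be initialised with it.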