Relaxing TLS for java.net.http.HttpClient
Daniel Fuchs
daniel.fuchs at oracle.com
Thu Mar 27 18:54:25 UTC 2025
Hi Pavel,
I would recommend fixing the certificate.
The only way I know of to disable the verification is to use
jdk.internal.httpclient.disableHostnameVerification, and
that was introduced for test environment only.
I wouldn't recommend using it, except for testing.
If you can't fix the certificate, but it does contain some
host names for which it is valid, you could add these
host names to the SSLParameters supplied to the HttpClient builder.
They will be taken into account when performing the
hostname verification.
best regards,
-- daniel
On 27/03/2025 18:20, Pavel Rappo wrote:
> Hello,
>
> I would like java.net.http.HttpClient to send a request to an HTTPS
> endpoint whose certificate is invalid and cannot be changed. In
> particular, the certificate's CN is incompatible with the endpoint's
> domain:
>
> javax.net.ssl.SSLHandshakeException: No subject alternative DNS
> name matching ... found.
>
> From the documentation, it's not obvious how to configure HttpClient
> to skip the hostname check. The
> jdk.internal.httpclient.disableHostnameVerification property seems
> internal and overly broad as it affects _all_ instances of HttpClient.
> What's the official recommendation or better yet code snippet for
> configuring a particular instance of HttpClient?
>
> Thanks,
> -Pavel
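
The per-instance configuration suggested in the reply above, as an added example that is not part of the original thread and not JDK code. The class name, the method name and the host name are hypothetical placeholders. It assumes, as the reply states, that names supplied through SSLParameters are taken into account during hostname verification; SSLParameters.setServerNames accepts only one name per name type, so the helper takes a single host name.

```java
import java.net.http.HttpClient;
import java.util.List;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLParameters;

public class ServerNameClient {

    // Hypothetical helper: builds ONE HttpClient whose SSLParameters carry a
    // host name the server certificate is valid for. Hostname verification is
    // not switched off, and other HttpClient instances are not affected.
    static HttpClient clientFor(String nameInCertificate) {
        // SNIHostName throws IllegalArgumentException for an empty or
        // malformed name, or one with a trailing dot.
        List<SNIServerName> serverNames =
                List.of(new SNIHostName(nameInCertificate));

        SSLParameters params = new SSLParameters();
        // Only one entry per name type is allowed here; a second
        // SNIHostName in the list would be rejected.
        params.setServerNames(serverNames);

        return HttpClient.newBuilder()
                .sslParameters(params)
                .build();
    }

    public static void main(String[] args) {
        // Placeholder: replace with a DNS name listed in the certificate.
        HttpClient client = clientFor("name-in-certificate.example");

        // Read back what this instance was configured with (no network I/O).
        List<SNIServerName> configured = client.sslParameters().getServerNames();
        if (configured == null || configured.isEmpty()) {
            System.out.println("no server names configured");
            return;
        }
        for (SNIServerName name : configured) {
            System.out.println(name);
        }
    }
}
```

The configured name is also what SSLParameters documents as the Server Name Indication value, so the server must be willing to answer a handshake that asks for that name.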