Relaxing TLS for java.net.http.HttpClient
Pavel Rappo
pavel.rappo at gmail.com
Thu Mar 27 19:54:20 UTC 2025

Daniel,

The only hostnames I can see that SSLParameters accept are
SNIServerName. As far as I know, SNIs serve a very different purpose.
They are used by the client to tell the server which of the server's
multiple names the client is targeting. Could you maybe provide a
snippet for me to better understand what you meant?

On Thu, Mar 27, 2025 at 6:54 PM Daniel Fuchs <daniel.fuchs at oracle.com> wrote:
>
> Hi Pavel,
>
> I would recommend fixing the certificate.
>
> The only way I know of to disable the verification is to use
> jdk.internal.httpclient.disableHostnameVerification, and
> that was introduced for test environments only.
> I wouldn't recommend using it, except for testing.
>
> If you can't fix the certificate, but it does contain some
> host names for which it is valid, you could add these
> host names to the SSLParameters supplied to the HttpClient builder.
> They will be taken into account when performing the
> hostname verification.
>
> best regards,
>
> -- daniel
>
>
> On 27/03/2025 18:20, Pavel Rappo wrote:
> > Hello,
> >
> > I would like java.net.http.HttpClient to send a request to an HTTPS
> > endpoint whose certificate is invalid and cannot be changed. In
> > particular, the certificate's CN is incompatible with the endpoint's
> > domain:
> >
> > javax.net.ssl.SSLHandshakeException: No subject alternative DNS
> > name matching ... found.
> >
> > From the documentation, it's not obvious how to configure HttpClient
> > to skip the hostname check. The
> > jdk.internal.httpclient.disableHostnameVerification property seems
> > internal and overly broad as it affects _all_ instances of HttpClient.
> > What's the official recommendation or better yet code snippet for
> > configuring a particular instance of HttpClient?
> >
> > Thanks,
> > -Pavel
>
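
A per-instance alternative to the JVM-wide property discussed in this thread, as an added example (not code from either poster or from the JDK project): the client's own SSLContext validates the chain against the JDK default trust store and then pins the leaf certificate by SHA-256 fingerprint in place of the host name match. The names PinnedHttpClient, PinningTrustManager and leafSha256Hex are hypothetical, and the sketch assumes the default JSSE provider, where a user-supplied X509ExtendedTrustManager is used as-is and is therefore responsible for any host name check.

```java
import java.net.Socket;
import java.net.http.HttpClient;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.HexFormat;
import javax.net.ssl.*;

public final class PinnedHttpClient {               // hypothetical class name
    // Chain validation is delegated to the JDK default trust manager; identity is then
    // established by an exact leaf-certificate pin rather than by the URI host name.
    static final class PinningTrustManager extends X509ExtendedTrustManager {
        private final X509TrustManager jdkDefault;
        private final byte[] pin;
        PinningTrustManager(X509TrustManager jdkDefault, String leafSha256Hex) {
            this.jdkDefault = jdkDefault;
            this.pin = HexFormat.of().parseHex(leafSha256Hex);   // 64 hex characters, Java 17+
        }
        private void check(X509Certificate[] chain, String authType) throws CertificateException {
            if (chain == null || chain.length == 0) throw new CertificateException("empty chain");
            jdkDefault.checkServerTrusted(chain, authType);  // path, validity, trust anchor; no name check in this overload
            try {
                byte[] actual = MessageDigest.getInstance("SHA-256").digest(chain[0].getEncoded());
                if (!MessageDigest.isEqual(actual, pin)) throw new CertificateException("leaf does not match pin");
            } catch (NoSuchAlgorithmException e) {
                throw new CertificateException(e);
            }
        }
        @Override public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException { check(c, a); }
        @Override public void checkServerTrusted(X509Certificate[] c, String a, Socket s) throws CertificateException { check(c, a); }
        @Override public void checkServerTrusted(X509Certificate[] c, String a, SSLEngine e) throws CertificateException { check(c, a); }
        @Override public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { throw new CertificateException("client auth unsupported"); }
        @Override public void checkClientTrusted(X509Certificate[] c, String a, Socket s) throws CertificateException { throw new CertificateException("client auth unsupported"); }
        @Override public void checkClientTrusted(X509Certificate[] c, String a, SSLEngine e) throws CertificateException { throw new CertificateException("client auth unsupported"); }
        @Override public X509Certificate[] getAcceptedIssuers() { return jdkDefault.getAcceptedIssuers(); }
    }

    // Only the HttpClient returned here is affected; other clients in the JVM keep full verification.
    static HttpClient build(String leafSha256Hex) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);                              // null selects the JDK default trust store
        X509TrustManager def = (X509TrustManager) tmf.getTrustManagers()[0];  // default PKIX manager
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new PinningTrustManager(def, leafSha256Hex) }, null);
        return HttpClient.newBuilder().sslContext(ctx).build();
    }
}
```

The pin has to be updated whenever the endpoint's certificate is reissued, and a client built this way should be used only for that one endpoint.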