Relaxing TLS for java.net.http.HttpClient
Michael McMahon
michael.x.mcmahon at oracle.com
Fri Mar 28 11:34:43 UTC 2025
Hi Pavel,
What is the use case for this? My memory is that it was a deliberate
decision to not allow it. HttpsURLConnection (and its related hostname
verification mechanism) predates the present day ubiquitous use of TLS
and https, when misconfigured TLS certificates are much less common,
not least due to the SAN enhancement.
- Michael
On 27/03/2025 18:20, Pavel Rappo wrote:
> Hello,
>
> I would like java.net.http.HttpClient to send a request to an HTTPS
> endpoint whose certificate is invalid and cannot be changed. In
> particular, the certificate's CN is incompatible with the endpoint's
> domain:
>
> javax.net.ssl.SSLHandshakeException: No subject alternative DNS
> name matching ... found.
>
> From the documentation, it's not obvious how to configure HttpClient
> to skip the hostname check. The
> jdk.internal.httpclient.disableHostnameVerification property seems
> internal and overly broad as it affects _all_ instances of HttpClient.
> What's the official recommendation or better yet code snippet for
> configuring a particular instance of HttpClient?
>
> Thanks,
> -Pavel