Relaxing TLS for java.net.http.HttpClient

Pavel Rappo pavel.rappo at gmail.com
Fri Mar 28 11:49:01 UTC 2025


The use case is talking to a misconfigured intranet endpoint which
cannot be changed. curl, HttpsURLConnection, OkHttp, Apache HttpClient
can all ignore certificate issues. I found this relevant bug in JBS:
https://bugs.openjdk.org/browse/JDK-8213309

-Pavel

On Fri, Mar 28, 2025 at 11:34 AM Michael McMahon
<michael.x.mcmahon at oracle.com> wrote:
>
> Hi Pavel,
>
> What is the use case for this? My memory is that it was a deliberate decision to not
> allow it. HttpsURLConnection (and its related hostname verification mechanism) predates
> the present day ubiquitous use of TLS and https, when misconfigured TLS certificates are
> much less common, not least due to the SAN enhancement.
>
> - Michael
>
> On 27/03/2025 18:20, Pavel Rappo wrote:
>
> Hello,
>
> I would like java.net.http.HttpClient to send a request to an HTTPS
> endpoint whose certificate is invalid and cannot be changed. In
> particular, the certificate's CN is incompatible with the endpoint's
> domain:
>
>     javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching ... found.
>
> From the documentation, it's not obvious how to configure HttpClient
> to skip the hostname check. The
> jdk.internal.httpclient.disableHostnameVerification property seems
> internal and overly broad as it affects _all_ instances of HttpClient.
> What's the official recommendation or, better yet, code snippet for
> configuring a particular instance of HttpClient?
>
> Thanks,
> -Pavel