Option to supply custom hostname verifier to HTTP client

Michael McMahon michael.x.mcmahon at oracle.com
Thu Nov 1 18:45:35 UTC 2018

You could also isolate the behavior to a specific SSLContext (and 
therefore HttpClient)
by initializing the SSLContext with a dummy TrustManager (if it's only 
for testing).

- Michael.

On 01/11/2018, 18:09, Anders Wisch wrote:
> Thankfully, all of my uses are for testing. To test hostname-based redirects or integration tests of
> server code under SSL I start short-lived servers that serve self-signed certificates. Test cases
> use HTTP clients that disable hostname verification, connect to a local address and port, and
> sometimes vary the contents of the “Host” header. Since tests can run in parallel to speed up suite
> execution and since other tests require secure hostname verification, it’s useful to be able to
> isolate the behavior.
>> On Nov 1, 2018, at 10:53 AM, Chris Hegarty<chris.hegarty at oracle.com>  wrote:
>> In order to evaluate this request, can you please provide
>> use-cases for such. What “secure” server are you trying
>> to connect to that is unwilling to identify itself in its
>> certificate.
>> -Chris.
>>> On 1 Nov 2018, at 17:48, Anders Wisch<anders at featureshock.com>  wrote:
>>> Hi all,
>>> I think it should be possible to supply a custom javax.net.ssl.HostnameVerifier while building a
>>> java.net.http.HttpClient. While it is possible to disable standard hostname verification via the
>>> system property “jdk.internal.httpclient.disableHostnameVerification”, this doesn’t allow you to
>>> quarantine the behavior to a single HTTP client within the JVM.
>>> Thanks for your consideration,
>>> Anders Wisch

More information about the net-dev mailing list