Skip to content

Future-proof HTTPS endpoint identification #2104

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Aug 23, 2025
Merged

Future-proof HTTPS endpoint identification #2104

merged 2 commits into from
Aug 23, 2025

Conversation

chrisvest
Copy link
Contributor

Netty 4.2 changes the default for hostname verification for TLS clients, so that it is now enabled by default.

As a result, clients that rely on the default being off will find themselves unable to disable it.

Instead, clients should explicitly configure their desired endpoint identification algorithm in all cases.

Since Netty 4.1.112 we also have a convenient method on the SslContextBuilder for doing this, so we don't need multiple round-trips through SSLParameters.

This PR changes the DefaultSslEngineFactory to make use of this method, so it always configures the endpoint identification algorithm to match the desired setting of AsyncHttpClientConfig..isDisableHttpsEndpointIdentificationAlgorithm().

@chrisvest
Future-proof HTTPS endpoint identification
fe30b0d 
Netty 4.2 changes the default for hostname verification for TLS clients, so that it is now enabled by default.

As a result, clients that rely on the default being _off_ will find themselves unable to disable it.

Instead, clients should explicitly configure their desired endpoint identification algorithm in all cases.

Since Netty 4.1.112 we also have a convenient method on the `SslContextBuilder` for doing this, so we don't need multiple round-trips through `SSLParameters`.

This PR changes the `DefaultSslEngineFactory` to make use of this method, so it always configures the endpoint identification algorithm to match the desired setting of `AsyncHttpClientConfig..isDisableHttpsEndpointIdentificationAlgorithm()`.
@chrisvest
Copy link
Contributor Author

FYI @slandelle @sullis @hyperxpro

sullis
sullis approved these changes Aug 20, 2025
View reviewed changes
Copy link
Contributor

@sullis sullis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@chrisvest
Copy link
Contributor Author

@hyperxpro I don't have the merge button, so feel free to merge any time.

@hyperxpro hyperxpro merged commit d2c780d into AsyncHttpClient:main Aug 23, 2025
3 checks passed
@hyperxpro
Copy link
Member

Thanks @chrisvest

@chrisvest chrisvest deleted the endpoint-validation branch August 23, 2025 14:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hyperxpro hyperxpro hyperxpro approved these changes

+1 more reviewer

@sullis sullis sullis approved these changes

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@chrisvest @hyperxpro @sullis