Hi Daniel,

It is needed since the hostname sent in the HTTP client is the IP instead
of the actual hostname to force the usage of a single IP. However, a
specific SSLContext is used to ensure the hostname TLS validation is still
done.
Usage of the IP in the HTTP request:
<https://github.com/nhenneaux/resilient-httpclient/blob/master/single-host-httpclient/src/main/java/com/github/nhenneaux/resilienthttpclient/singlehostclient/SingleIpHttpRequest.java#L61>

Check of the hostname during TLS handshake:
<https://github.com/nhenneaux/resilient-httpclient/blob/master/single-host-httpclient/src/main/java/com/github/nhenneaux/resilienthttpclient/singlehostclient/SingleHostnameX509TrustManager.java#L255>

I hope it is more clear why this property should be disabled in the way the
HTTP client forces a single IP.

Best regards,

Nicolas

On Wed, 29 Jul 2020 at 14:31, Daniel Fuchs <daniel.fu...@oracle.com> wrote:

> Hi Nicolas,
>
> On 29/07/2020 13:20, Nicolas Henneaux wrote:
> >
> > System.setProperty("jdk.internal.httpclient.disableHostnameVerification", Boolean.TRUE.toString());
> > System.setProperty("jdk.httpclient.allowRestrictedHeaders", "host");
>
> I don't believe it's a good idea to disable/customize
> hostname verification. This property is merely intended for
> test environments - where you might need to pretend that you're
> talking to some other servers...
>
> And it shouldn't be needed if the certificate presented by the
> server contained the proper host names?
>
> best regards,
>
> -- daniel
>
>
>
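
As an added example (not code from the linked project or from either correspondent): a trust manager that keeps the certificate name check when the client connects by IP with the built-in hostname verification disabled. The class name `PinnedHostnameTrustManager` and its matching rules (SAN dNSName entries only, no CN fallback, `*.` standing for exactly one label, ASCII host names) are assumptions made for illustration.

```java
import java.net.Socket;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedTrustManager;

// Hypothetical class: the connection targets an IP, the certificate must still cover expectedHost.
final class PinnedHostnameTrustManager extends X509ExtendedTrustManager {
    private final X509ExtendedTrustManager delegate; // e.g. the platform default trust manager
    private final String expectedHost;               // DNS name the server certificate must cover

    PinnedHostnameTrustManager(X509ExtendedTrustManager delegate, String expectedHost) {
        this.delegate = delegate;
        this.expectedHost = expectedHost.toLowerCase(Locale.ROOT);
    }

    // The delegate validates the chain first (it rejects a null or empty chain); the name check runs after it.
    @Override public void checkServerTrusted(X509Certificate[] c, String t, SSLEngine e) throws CertificateException {
        delegate.checkServerTrusted(c, t, e); verifyHostname(c[0]);
    }
    @Override public void checkServerTrusted(X509Certificate[] c, String t, Socket s) throws CertificateException {
        delegate.checkServerTrusted(c, t, s); verifyHostname(c[0]);
    }
    @Override public void checkServerTrusted(X509Certificate[] c, String t) throws CertificateException {
        delegate.checkServerTrusted(c, t); verifyHostname(c[0]);
    }
    // Client-certificate checks are passed through unchanged.
    @Override public void checkClientTrusted(X509Certificate[] c, String t, SSLEngine e) throws CertificateException { delegate.checkClientTrusted(c, t, e); }
    @Override public void checkClientTrusted(X509Certificate[] c, String t, Socket s) throws CertificateException { delegate.checkClientTrusted(c, t, s); }
    @Override public void checkClientTrusted(X509Certificate[] c, String t) throws CertificateException { delegate.checkClientTrusted(c, t); }
    @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }

    private void verifyHostname(X509Certificate leaf) throws CertificateException {
        var sans = leaf.getSubjectAlternativeNames(); // null when the certificate has no SAN extension
        if (sans != null) {
            for (List<?> san : sans) { // each entry is [GeneralName type, value]; type 2 is dNSName
                if (Integer.valueOf(2).equals(san.get(0)) && matches((String) san.get(1))) return;
            }
        }
        throw new CertificateException("certificate does not cover " + expectedHost); // fail closed
    }

    private boolean matches(String pattern) { // exact name, or "*." covering exactly one left-most label
        String p = pattern.toLowerCase(Locale.ROOT);
        if (!p.startsWith("*.")) return p.equals(expectedHost);
        int dot = expectedHost.indexOf('.');
        return dot > 0 && expectedHost.substring(dot).equals(p.substring(1));
    }
}
```

An instance is installed through `SSLContext.init(...)` and the resulting context passed to `HttpClient.newBuilder().sslContext(...)`.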
