Hi,

Were you able to have a quick look at what I have done to see whether it might be better integrated into OpenJDK? Do you think the use case is valuable enough to be better handled?

I actually use such mechanisms in production to have a proper view of which IPs are available for a service API. In cloud environments, the underlying IP of a hostname might indeed move on a regular basis.

Thank you in advance for your feedback,

Best regards,

Nicolas Henneaux

On Wed, 29 Jul 2020 at 16:53, Nicolas Henneaux <nicolas.henne...@gmail.com> wrote:

> Hi Daniel,
>
> It is needed since the hostname sent in the HTTP client is the IP instead of the actual hostname to force the usage of a single IP. However, a specific SSLContext is used to ensure the hostname TLS validation is still done.
>
> Usage of the IP in the HTTP request
> <https://github.com/nhenneaux/resilient-httpclient/blob/master/single-host-httpclient/src/main/java/com/github/nhenneaux/resilienthttpclient/singlehostclient/SingleIpHttpRequest.java#L61>
>
> Check of the hostname during TLS handshake
> <https://github.com/nhenneaux/resilient-httpclient/blob/master/single-host-httpclient/src/main/java/com/github/nhenneaux/resilienthttpclient/singlehostclient/SingleHostnameX509TrustManager.java#L255>
>
> I hope it is more clear why this property should be disabled in the way the HTTP client forces a single IP.
>
> Best regards,
>
> Nicolas
>
> On Wed, 29 Jul 2020 at 14:31, Daniel Fuchs <daniel.fu...@oracle.com> wrote:
>
>> Hi Nicolas,
>>
>> On 29/07/2020 13:20, Nicolas Henneaux wrote:
>> > System.setProperty("jdk.internal.httpclient.disableHostnameVerification", Boolean.TRUE.toString());
>> > System.setProperty("jdk.httpclient.allowRestrictedHeaders", "host");
>>
>> I don't believe it's a good idea to disable/customize hostname verification. This property is merely intended for test environments - where you might need to pretend that you're talking to some other servers...
>>
>> And it shouldn't be needed if the certificate presented by the server contained the proper host names?
>>
>> best regards,
>>
>> -- daniel
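
Added example, not code from this thread or from the resilient-httpclient project: one way a trust manager can keep checking the server certificate against the original hostname when the client connects by IP, as the quoted message describes. The class name `PinnedHostTrustManager` and its constructor arguments are hypothetical, and it matches dNSName subject alternative names only.

```java
import java.net.Socket;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedTrustManager;

// Hypothetical class: chain validation is delegated, then the leaf is matched to the pinned hostname.
public final class PinnedHostTrustManager extends X509ExtendedTrustManager {
    private final X509ExtendedTrustManager delegate; // performs the normal chain validation
    private final String host;                       // hostname the target IP was resolved from

    public PinnedHostTrustManager(X509ExtendedTrustManager delegate, String host) {
        this.delegate = delegate;
        this.host = host;
    }

    // A wildcard SAN covers exactly one leftmost label; anything else must match in full.
    static boolean matches(String san, String host) {
        if (!san.startsWith("*.")) return san.equalsIgnoreCase(host);
        int dot = host.indexOf('.');
        return dot > 0 && host.substring(dot).equalsIgnoreCase(san.substring(1));
    }

    private void checkHost(X509Certificate[] chain) throws CertificateException {
        Collection<List<?>> sans = chain[0].getSubjectAlternativeNames(); // null when absent
        if (sans != null) {
            for (List<?> san : sans) { // entry = [type, value]; type 2 is dNSName
                if (Integer.valueOf(2).equals(san.get(0)) && matches((String) san.get(1), host)) return;
            }
        }
        throw new CertificateException("No dNSName SAN matches " + host);
    }

    @Override public void checkServerTrusted(X509Certificate[] c, String a, SSLEngine e) throws CertificateException {
        delegate.checkServerTrusted(c, a, e); checkHost(c);
    }
    @Override public void checkServerTrusted(X509Certificate[] c, String a, Socket s) throws CertificateException {
        delegate.checkServerTrusted(c, a, s); checkHost(c);
    }
    @Override public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException {
        delegate.checkServerTrusted(c, a); checkHost(c);
    }
    @Override public void checkClientTrusted(X509Certificate[] c, String a, SSLEngine e) throws CertificateException { delegate.checkClientTrusted(c, a, e); }
    @Override public void checkClientTrusted(X509Certificate[] c, String a, Socket s) throws CertificateException { delegate.checkClientTrusted(c, a, s); }
    @Override public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { delegate.checkClientTrusted(c, a); }
    @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
}
```

An instance would be installed with `SSLContext.init(null, new TrustManager[] { tm }, null)` and passed to `HttpClient.newBuilder().sslContext(...)`, with the delegate taken from the default `TrustManagerFactory`.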