From fe30b0db3ff69b523e32673c2d1ed0079f741294 Mon Sep 17 00:00:00 2001
From: Chris Vest
Date: Thu, 7 Aug 2025 16:36:44 -0700
Subject: [PATCH] Future-proof HTTPS endpoint identification

Netty 4.2 changes the default for hostname verification for TLS clients, so that it is now enabled by default. As a result, clients that rely on the default being _off_ will find themselves unable to disable it. Instead, clients should explicitly configure their desired endpoint identification algorithm in all cases. Since Netty 4.1.112 we also have a convenient method on the `SslContextBuilder` for doing this, so we don't need multiple round-trips through `SSLParameters`. This PR changes the `DefaultSslEngineFactory` to make use of this method, so it always configures the endpoint identification algorithm to match the desired setting of `AsyncHttpClientConfig..isDisableHttpsEndpointIdentificationAlgorithm()`.
---
 .../asynchttpclient/netty/ssl/DefaultSslEngineFactory.java | 3 +++
 .../org/asynchttpclient/netty/ssl/SslEngineFactoryBase.java | 6 ------
 2 files changed, 3 insertions(+), 6 deletions(-)

diff --git a/client/src/main/java/org/asynchttpclient/netty/ssl/DefaultSslEngineFactory.java b/client/src/main/java/org/asynchttpclient/netty/ssl/DefaultSslEngineFactory.java
index a96f6ffb1..323b75d5d 100644
--- a/client/src/main/java/org/asynchttpclient/netty/ssl/DefaultSslEngineFactory.java
+++ b/client/src/main/java/org/asynchttpclient/netty/ssl/DefaultSslEngineFactory.java
@@ -58,6 +58,9 @@ private SslContext buildSslContext(AsyncHttpClientConfig config) throws SSLExcep
 sslContextBuilder.trustManager(InsecureTrustManagerFactory.INSTANCE);
 }
+ sslContextBuilder.endpointIdentificationAlgorithm(
+ config.isDisableHttpsEndpointIdentificationAlgorithm() ? "" : "HTTPS");
+
 return configureSslContextBuilder(sslContextBuilder).build();
 }
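Review bot: Setting the algorithm only on the `SslContextBuilder` in `buildSslContext` covers engines created from the context built here, but the same commit deletes the per-engine `params.setEndpointIdentificationAlgorithm("HTTPS")` from `SslEngineFactoryBase.configureSslEngine`, a protected method on an abstract base class. Any engine that does not originate from this builder (another `SslEngineFactoryBase` subclass, or a caller-supplied `SslContext` if the factory accepts one; neither is visible in these hunks) would then run with no endpoint identification on a Netty version whose default is off, even though `isDisableHttpsEndpointIdentificationAlgorithm()` is false, so hostname verification would be silently skipped. I would keep the `if (!config.isDisableHttpsEndpointIdentificationAlgorithm()) { ... }` block in `configureSslEngine` as a per-engine backstop, since re-applying "HTTPS" is harmless when the context already set it, and add a test asserting `sslEngine.getSSLParameters().getEndpointIdentificationAlgorithm()` is `"HTTPS"` for every factory. A short comment above the new call would also help, e.g. `// "" turns hostname verification off; set explicitly because Netty 4.2 enables it by default`. `buildSslContext` starts outside the hunk.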
diff --git a/client/src/main/java/org/asynchttpclient/netty/ssl/SslEngineFactoryBase.java b/client/src/main/java/org/asynchttpclient/netty/ssl/SslEngineFactoryBase.java
index 2d6e5f5ef..7e55ac4de 100644
--- a/client/src/main/java/org/asynchttpclient/netty/ssl/SslEngineFactoryBase.java
+++ b/client/src/main/java/org/asynchttpclient/netty/ssl/SslEngineFactoryBase.java
@@ -19,7 +19,6 @@ import org.asynchttpclient.SslEngineFactory;
 import javax.net.ssl.SSLEngine;
-import javax.net.ssl.SSLParameters;
 public abstract class SslEngineFactoryBase implements SslEngineFactory {
@@ -30,10 +29,5 @@ protected String domain(String hostname) {
 protected void configureSslEngine(SSLEngine sslEngine, AsyncHttpClientConfig config) {
 sslEngine.setUseClientMode(true);
- if (!config.isDisableHttpsEndpointIdentificationAlgorithm()) {
- SSLParameters params = sslEngine.getSSLParameters();
- params.setEndpointIdentificationAlgorithm("HTTPS");
- sslEngine.setSSLParameters(params);
- }
 }
 }