
Support for HostnameVerifier for https requests #322

@Hakky54

Is your feature request related to a problem? Please describe.
When using an HTTPS request with TLS I also want to validate the hostname of the server. Currently that is only possible with a workaround, by configuring the underlying Apache HTTP client, but not within the Config class. So the current workaround is:

// Build the Apache client with the SSL context and hostname verifier set
HttpClient httpClient = HttpClients.custom()
        .setSSLContext(sslContext)
        .setSSLHostnameVerifier(new DefaultHostnameVerifier())
        .build();

Unirest.primaryInstance()
        .config()
        .httpClient(config -> ApacheClient.builder(httpClient).apply(config));

Describe the solution you'd like
If the following option would be available within the config class:

public Config sslHostnameVerifier(javax.net.ssl.HostnameVerifier hostnameVerifier) {
        ....
}

Then the following would be possible:

Unirest.primaryInstance()
        .config()
        .sslHostnameVerifier(hostnameVerifier)
        .sslContext(sslContext);

Additional context
Hostname validation is an extra security check. Basically what you can do with this option is to automatically validate if the hostname defined in your HTTP request is the same as one of the fields within the subject alternative name within a server certificate. If this check fails, the SSL handshake process will fail. But providing this option gives the possibility for the end user to ignore these settings or other strategies.

Example with Google:
If I send a request with the following url: https://www.google.com

With the above option the HTTP client would validate if the certificate has google within the SAN field.

See here the javadoc of the above interface:
https://docs.oracle.com/javase/7/docs/api/javax/net/ssl/HostnameVerifier.html

A lot of libraries provide their own implementation. By supporting the above interface you can enable all kinds of hostname strategies out of the box.

Example of implementations:

or a custom implementation:

HostnameVerifier hostnameVerifier = new HostnameVerifier() {
    @Override
    public boolean verify(String arg0, SSLSession arg1) {
        return true; // Trusting all hostnames
    }
};

Unirest.primaryInstance()
        .config()
        .sslHostnameVerifier(hostnameVerifier)
        .sslContext(sslContext());

Would be a cool feature to enable extra security for https requests
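
An added example (not code from this issue or from Unirest): a strict `HostnameVerifier` that accepts a host only when it matches a dNSName entry in the server certificate's subject alternative name, which is the check described in the post above, shown for contrast with the trust-all verifier. The class name `SanHostnameVerifier` and the names in `main` are constructed for illustration; IP-address SANs and internationalized names are not handled.

```java
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;

// Added example (hypothetical class name): accept a host only if it matches a dNSName SAN.
public class SanHostnameVerifier implements HostnameVerifier {
    private static final Integer DNS_NAME = 2; // GeneralName tag for dNSName (RFC 5280)

    @Override
    public boolean verify(String host, SSLSession session) {
        try {
            X509Certificate leaf = (X509Certificate) session.getPeerCertificates()[0];
            return matchesAny(host, dnsNames(leaf));
        } catch (SSLPeerUnverifiedException | CertificateParsingException | ClassCastException e) {
            return false; // fail closed: no usable certificate means no match
        }
    }

    static List<String> dnsNames(X509Certificate cert) throws CertificateParsingException {
        List<String> names = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames(); // null if extension absent
        if (sans == null) return names;
        for (List<?> san : sans) {
            if (DNS_NAME.equals(san.get(0))) names.add((String) san.get(1));
        }
        return names;
    }

    static boolean matchesAny(String host, List<String> sanNames) {
        String h = host.toLowerCase(Locale.ROOT);
        int dot = h.indexOf('.');
        for (String name : sanNames) {
            String p = name.toLowerCase(Locale.ROOT);
            if (p.equals(h)) return true;
            // "*." may only stand for the single left-most label, and never for "*.tld".
            boolean wildcard = p.startsWith("*.") && p.indexOf('.', 2) > 0;
            if (wildcard && dot > 0 && h.substring(dot).equals(p.substring(1))) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        List<String> sans = Arrays.asList("www.google.com", "*.example.org"); // constructed SAN list
        for (String host : Arrays.asList("www.google.com", "api.example.org",
                "a.b.example.org", "example.org", "www.google.com.other.test")) {
            System.out.println(host + " -> " + matchesAny(host, sans));
        }
    }
}
```

The `DefaultHostnameVerifier` used in the workaround above already performs this kind of SAN matching, so a hand-written verifier like this one is mainly useful for seeing what the check does.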
