Future-proof HTTPS endpoint identification (#2104)

chrisvest · web-flow · commit d2c780da34ef · 2025-08-23T08:55:34.000+05:30
Netty 4.2 changes the default for hostname verification for TLS clients,
so that it is now enabled by default.

As a result, clients that rely on the default being _off_ will find
themselves unable to disable it.

Instead, clients should explicitly configure their desired endpoint
identification algorithm in all cases.

Since Netty 4.1.112 we also have a convenient method on the
`SslContextBuilder` for doing this, so we don't need multiple
round-trips through `SSLParameters`.

This PR changes the `DefaultSslEngineFactory` to make use of this
method, so it always configures the endpoint identification algorithm to
match the desired setting of
`AsyncHttpClientConfig..isDisableHttpsEndpointIdentificationAlgorithm()`.
diff --git a/client/src/main/java/org/asynchttpclient/netty/ssl/DefaultSslEngineFactory.java b/client/src/main/java/org/asynchttpclient/netty/ssl/DefaultSslEngineFactory.java
@@ -58,6 +58,9 @@ private SslContext buildSslContext(AsyncHttpClientConfig config) throws SSLExcep
             sslContextBuilder.trustManager(InsecureTrustManagerFactory.INSTANCE);
         }
 
+        sslContextBuilder.endpointIdentificationAlgorithm(
+                config.isDisableHttpsEndpointIdentificationAlgorithm() ? "" : "HTTPS");
+
         return configureSslContextBuilder(sslContextBuilder).build();
     }
 
diff --git a/client/src/main/java/org/asynchttpclient/netty/ssl/SslEngineFactoryBase.java b/client/src/main/java/org/asynchttpclient/netty/ssl/SslEngineFactoryBase.java
@@ -19,7 +19,6 @@
 import org.asynchttpclient.SslEngineFactory;
 
 import javax.net.ssl.SSLEngine;
-import javax.net.ssl.SSLParameters;
 
 public abstract class SslEngineFactoryBase implements SslEngineFactory {
 
@@ -30,10 +29,5 @@ protected String domain(String hostname) {
 
     protected void configureSslEngine(SSLEngine sslEngine, AsyncHttpClientConfig config) {
         sslEngine.setUseClientMode(true);
-        if (!config.isDisableHttpsEndpointIdentificationAlgorithm()) {
-            SSLParameters params = sslEngine.getSSLParameters();
-            params.setEndpointIdentificationAlgorithm("HTTPS");
-            sslEngine.setSSLParameters(params);
-        }
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -58,6 +58,9 @@ private SslContext buildSslContext(AsyncHttpClientConfig config) throws SSLExcep`
`58`	`58`	`sslContextBuilder.trustManager(InsecureTrustManagerFactory.INSTANCE);`
`59`	`59`	`}`
`60`	`60`
	`61`	`+ sslContextBuilder.endpointIdentificationAlgorithm(`
	`62`	`+ config.isDisableHttpsEndpointIdentificationAlgorithm() ? "" : "HTTPS");`
	`63`	`+`
`61`	`64`	`return configureSslContextBuilder(sslContextBuilder).build();`
`62`	`65`	`}`
`63`	`66`
Original file line number	Diff line number	Diff line change
`@@ -19,7 +19,6 @@`
`19`	`19`	`import org.asynchttpclient.SslEngineFactory;`
`20`	`20`
`21`	`21`	`import javax.net.ssl.SSLEngine;`
`22`		`-import javax.net.ssl.SSLParameters;`
`23`	`22`
`24`	`23`	`public abstract class SslEngineFactoryBase implements SslEngineFactory {`
`25`	`24`
`@@ -30,10 +29,5 @@ protected String domain(String hostname) {`
`30`	`29`
`31`	`30`	`protected void configureSslEngine(SSLEngine sslEngine, AsyncHttpClientConfig config) {`
`32`	`31`	`sslEngine.setUseClientMode(true);`
`33`		`- if (!config.isDisableHttpsEndpointIdentificationAlgorithm()) {`
`34`		`- SSLParameters params = sslEngine.getSSLParameters();`
`35`		`- params.setEndpointIdentificationAlgorithm("HTTPS");`
`36`		`- sslEngine.setSSLParameters(params);`
`37`		`- }`
`38`	`32`	`}`
`39`	`33`	`}`