Arturo Bernal created HTTPCLIENT-2392:
-----------------------------------------

Summary: Opt-in SPKI public-key pinning TLS decorator
Key: HTTPCLIENT-2392
URL: https://issues.apache.org/jira/browse/HTTPCLIENT-2392
Project: HttpComponents HttpClient
Issue Type: New Feature
Reporter: Arturo Bernal

Add an optional TLS decorator to enforce *SPKI SHA-256 pins* after standard trust manager and hostname verification. The feature is off by default and applies to both classic and async clients.

*Class:* {{org.apache.hc.client5.http.ssl.SpkiPinningClientTlsStrategy}}

*Behavior:*
 * Matches by exact host or single-label wildcard ({{{}*.example.com{}}}) with *IDNA + lowercase* canonicalization.
 * Accepts multiple pins per host; a match on any certificate in the validated peer chain passes.
 * Stores pins as raw SHA-256 digests for constant-time comparison.
 * Keeps PKI and hostname checks intact (calls {{super.verifySession(...)}} first).
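
The pin check described in the issue, as an added JDK-only sketch; it is not the code of {{SpkiPinningClientTlsStrategy}} or any HttpClient API, and every class and method name in it is hypothetical. It assumes hosts without a configured pin are left unrestricted (the issue does not say) and uses freshly generated EC keys as constructed sample SPKI data.

```java
import java.net.IDN;
import java.security.*;
import java.util.*;

// Added illustration; names are hypothetical, not HttpClient API.
public class SpkiPinDemo {
    // canonical host pattern -> raw SHA-256 digests of pinned SubjectPublicKeyInfo
    private final Map<String, List<byte[]>> pins = new HashMap<>();

    // IDNA to ASCII, then lowercase, so "API.Example.com" and "api.example.com" compare equal
    static String canon(String host) {
        return IDN.toASCII(host).toLowerCase(Locale.ROOT);
    }
    static byte[] sha256(byte[] spki) throws GeneralSecurityException {
        return MessageDigest.getInstance("SHA-256").digest(spki);
    }
    void pin(String pattern, byte[] digest) {
        pins.computeIfAbsent(canon(pattern), k -> new ArrayList<>()).add(digest);
    }
    // Exact host, or "*.example.com" covering exactly one extra leftmost label
    static boolean matches(String pattern, String host) {
        if (!pattern.startsWith("*.")) return pattern.equals(host);
        int dot = host.indexOf('.');
        return dot > 0 && host.substring(dot).equals(pattern.substring(1));
    }
    // chainSpki: X509Certificate.getPublicKey().getEncoded() for each certificate of a
    // chain that has already passed trust-manager and hostname verification
    boolean allowed(String host, List<byte[]> chainSpki) throws GeneralSecurityException {
        String h = canon(host);
        boolean pinned = false, ok = false;
        for (Map.Entry<String, List<byte[]>> e : pins.entrySet()) {
            if (!matches(e.getKey(), h)) continue;
            pinned = true;
            for (byte[] spki : chainSpki) {
                byte[] d = sha256(spki);
                // MessageDigest.isEqual is the JDK's constant-time comparison
                for (byte[] p : e.getValue()) ok |= MessageDigest.isEqual(p, d);
            }
        }
        return !pinned || ok; // assumption: a host with no pins is not restricted
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("EC");
        g.initialize(256);
        byte[] leaf = g.generateKeyPair().getPublic().getEncoded();  // constructed sample SPKI
        byte[] other = g.generateKeyPair().getPublic().getEncoded(); // constructed, never pinned
        SpkiPinDemo d = new SpkiPinDemo();
        d.pin("*.example.com", sha256(leaf));
        System.out.println(d.allowed("API.Example.com", List.of(other, leaf))); // pinned key in chain
        System.out.println(d.allowed("api.example.com", List.of(other)));       // pinned host, no pinned key
        System.out.println(d.allowed("a.b.example.com", List.of(other)));       // two labels: wildcard does not apply
    }
}
```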