Arturo Bernal created HTTPCLIENT-2392:
-----------------------------------------
Summary: Opt-in SPKI public-key pinning TLS decorator
Key: HTTPCLIENT-2392
URL: https://issues.apache.org/jira/browse/HTTPCLIENT-2392
Project: HttpComponents HttpClient
Issue Type: New Feature
Reporter: Arturo Bernal
Add an optional TLS decorator to enforce *SPKI SHA-256 pins* after standard
trust manager and hostname verification. The feature is off by default and
applies to both classic and async clients.
*Class:* {{org.apache.hc.client5.http.ssl.SpkiPinningClientTlsStrategy}}
*Behavior:*
* Matches by exact host or single-label wildcard ({{*.example.com}}) with
*IDNA + lowercase* canonicalization.
* Accepts multiple pins per host; a match on any certificate in the validated
peer chain passes.
* Stores pins as raw SHA-256 digests for constant-time comparison.
* Keeps PKI and hostname checks intact (calls {{super.verifySession(...)}}
first).
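The matching rules listed in the issue, as an added stand-alone sketch using only the JDK. It is not part of the original message and is not the code of {{SpkiPinningClientTlsStrategy}}. The class and method names are hypothetical, the sample keys are generated on the spot, and letting hosts without any configured pin pass is an assumption.

```java
import java.net.IDN;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.util.List;
import java.util.Locale;
import java.util.Map;

public class SpkiPinDemo { // hypothetical name, not the HttpClient class
    // IDNA + lowercase canonical form of the host being connected to.
    static String canonical(String host) {
        return IDN.toASCII(host).toLowerCase(Locale.ROOT);
    }

    // Exact match, or "*.example.com" covering exactly one extra left-most label.
    static boolean hostMatches(String pattern, String host) {
        if (!pattern.startsWith("*.")) return pattern.equals(host);
        int firstDot = host.indexOf('.');
        return firstDot > 0 && host.substring(firstDot).equals(pattern.substring(1));
    }

    // pins: canonical host pattern -> raw SHA-256 digests of pinned SPKI structures.
    // chainSpki: DER SubjectPublicKeyInfo of each certificate in the already validated chain.
    static boolean pinOk(Map<String, List<byte[]>> pins, String host, List<byte[]> chainSpki)
            throws Exception {
        String h = canonical(host);
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        boolean pinnedHost = false, matched = false;
        for (Map.Entry<String, List<byte[]>> e : pins.entrySet()) {
            if (!hostMatches(e.getKey(), h)) continue;
            pinnedHost = true;
            for (byte[] spki : chainSpki) {
                byte[] digest = sha256.digest(spki);
                for (byte[] pin : e.getValue())
                    matched |= MessageDigest.isEqual(pin, digest); // constant-time compare
            }
        }
        return !pinnedHost || matched; // assumption: hosts without pins are not restricted
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        byte[] pinnedKey = kpg.generateKeyPair().getPublic().getEncoded(); // constructed SPKI
        byte[] otherKey = kpg.generateKeyPair().getPublic().getEncoded();  // constructed SPKI
        byte[] pin = MessageDigest.getInstance("SHA-256").digest(pinnedKey);
        Map<String, List<byte[]>> pins = Map.of("*.example.com", List.of(pin));
        // Pinned key appears somewhere in the chain; host differs only in case.
        System.out.println(pinOk(pins, "API.Example.com", List.of(otherKey, pinnedKey)));
        // Chain contains no pinned key for a pinned host.
        System.out.println(pinOk(pins, "api.example.com", List.of(otherKey)));
        // Two labels below the wildcard: the pattern does not cover this host.
        System.out.println(pinOk(pins, "a.b.example.com", List.of(otherKey)));
    }
}
```

In a real client the SPKI bytes would come from {{X509Certificate.getPublicKey().getEncoded()}} for each certificate of the peer chain, after the trust manager and hostname verifier have already accepted it.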