[
https://issues.apache.org/jira/browse/HTTPCLIENT-2392?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Arturo Bernal resolved HTTPCLIENT-2392.
---------------------------------------
Fix Version/s: 5.6-alpha1
Resolution: Fixed
> Opt-in SPKI public-key pinning TLS decorator
> --------------------------------------------
>
> Key: HTTPCLIENT-2392
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-2392
> Project: HttpComponents HttpClient
> Issue Type: New Feature
> Reporter: Arturo Bernal
> Assignee: Arturo Bernal
> Priority: Major
> Fix For: 5.6-alpha1
>
>
> Add an optional TLS decorator to enforce *SPKI SHA-256 pins* after standard
> trust manager and hostname verification. The feature is off by default and
> applies to both classic and async clients.
> *Class:* {{org.apache.hc.client5.http.ssl.SpkiPinningClientTlsStrategy}}
> *Behavior:*
> * Matches by exact host or single-label wildcard ({{*.example.com}})
> with *IDNA + lowercase* canonicalization.
> * Accepts multiple pins per host; a match on any certificate in the
> validated peer chain passes.
> * Stores pins as raw SHA-256 digests for constant-time comparison.
> * Keeps PKI and hostname checks intact (calls {{super.verifySession(...)}}
> first).
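
A stand-alone sketch of the matching rules listed in the issue description, added here as an example; it is not the source of SpkiPinningClientTlsStrategy. The class and method names are hypothetical, freshly generated EC keys stand in for the validated peer chain, and letting hosts with no configured pins pass is an assumption the issue text does not state.

```java
import java.net.IDN;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.util.*;

// Added illustration only; hypothetical names, not the HttpClient implementation.
public class SpkiPinSketch {
    // Canonical host or "*.suffix" pattern -> raw SHA-256 digests of the SPKI.
    private final Map<String, List<byte[]>> pins = new HashMap<>();
    static String canon(String host) { // IDNA to ASCII, then lowercase
        return IDN.toASCII(host).toLowerCase(Locale.ROOT);
    }
    static byte[] spkiSha256(PublicKey key) throws Exception {
        // getEncoded() on an X.509-format key is the DER SubjectPublicKeyInfo.
        return MessageDigest.getInstance("SHA-256").digest(key.getEncoded());
    }
    void add(String pattern, byte[] digest) {
        String p = pattern.startsWith("*.") ? "*." + canon(pattern.substring(2)) : canon(pattern);
        pins.computeIfAbsent(p, k -> new ArrayList<>()).add(digest.clone());
    }
    List<byte[]> pinsFor(String host) {
        String h = canon(host);
        List<byte[]> out = new ArrayList<>(pins.getOrDefault(h, List.of()));
        int dot = h.indexOf('.'); // wildcard covers exactly one leftmost label
        if (dot > 0) out.addAll(pins.getOrDefault("*" + h.substring(dot), List.of()));
        return out;
    }
    // chainKeys: keys from the chain that PKI and hostname checks already accepted.
    boolean allowed(String host, List<PublicKey> chainKeys) throws Exception {
        List<byte[]> expected = pinsFor(host);
        if (expected.isEmpty()) return true; // assumption: unpinned hosts are not restricted
        boolean match = false;
        for (PublicKey k : chainKeys) {
            byte[] actual = spkiSha256(k);
            for (byte[] pin : expected) match |= MessageDigest.isEqual(pin, actual); // constant-time
        }
        return match;
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("EC");
        g.initialize(256);
        PublicKey pinned = g.generateKeyPair().getPublic(); // constructed sample keys
        PublicKey other = g.generateKeyPair().getPublic();
        SpkiPinSketch s = new SpkiPinSketch();
        s.add("*.Example.com", spkiSha256(pinned));
        System.out.println(s.allowed("API.example.com", List.of(other, pinned)));
        System.out.println(s.allowed("api.example.com", List.of(other)));
        System.out.println(s.pinsFor("a.b.example.com").isEmpty());
    }
}
```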