On Aug 14, 2012, at 8:49 PM, Michael McMahon <michael.x.mcma...@oracle.com> wrote:
> Xuelei, > > We have no particular requirement on HostnameVerifier. So, > if I understood you correctly, HostnameVerifier is redundant in new APIs > and it is possible to control hostname verification through the SSLParameters > class > (and an X509ExtendedTrustManager). > > So, we can drop HostnameVerifier from our API. Is that correct? > Yes. Xuelei > Thanks > Michael > > On 08/08/12 13:10, Xuelei Fan wrote: >> From JDK 7, JSSE introduces a new hostname verifying approach. It is >> call "endpoint identification" in JSSE context. It can be used to >> replace the HostnameVerifier on SSLSession. A typical user case looks like: >> >> 1. implement a X509ExtendedTrustManager. It is required to check the >> endpoint identification in the following methods: >> checkClientTrusted(X509Certificate[], String, Socket) >> checkClientTrusted(X509Certificate[], String, SSLEngine) >> checkServerTrusted(X509Certificate[], String, Socket) >> checkServerTrusted(X509Certificate[], String, SSLEngine) >> >> 2. initialize a SSLParameters to enable the endpoint identification: >> sslParameter.setEndpointIdentificationAlgorithm("https"); >> >> 3. set the SSLParameters to SSLSocket or SSLEngine, the instance of >> X509ExtendedTrustManager will check the endpoint (hostname) during >> handshaking. >> >> Considering the java.net.httpclient.HttpsConfigurator, it is an >> implementation of HostnameVerifier. So it would support both >> HostnameVerifier and the above endpoint identification. I think as may >> be redundant if no compatibility concerns. I was wondering maybe it is >> OK to detach the HostnameVerifier interface and remove the verify() method. >> >> Maybe, you have other concerns that the HttpsConfigurator.verify() >> method is really needed. >> >> Thanks, >> Xuelei >> >> On 8/8/2012 7:09 AM, Michael McMahon wrote: >>> Hi, >>> >>> A new revision of the Http client API planned for jdk 8 can be viewed >>> at the following link >>> >>> http://cr.openjdk.java.net/~michaelm/httpclient/v0.3/ >>> >>> We would like to review the api on this mailing list. >>> So, all comments are welcome. >>> >>> Thanks >>> Michael McMahon. >