[
https://issues.apache.org/jira/browse/HTTPCLIENT-1903?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16356696#comment-16356696
]
Oleg Kalnichevski commented on HTTPCLIENT-1903:
-----------------------------------------------
@[~garydgregory] I have removed dependency on {{javax.naming}} in 5.x as
[~bindul] has correctly pointed out above. Ideally we should be consistent. I
would prefer the fix from 5.x be ported to 4.6.x. I also think we _really_
ought not add major security related changes to stable branches.
Your solution would not help Android users in all cases. If I understand it
correctly it would default to a noop implementation on the Android platform, which
may not be good enough for certificates without {{SubjectAltNames}}.
Oleg
> DefaultHostnameVerifier crashes on Android due to inexistent javax.naming
> classes
> ---------------------------------------------------------------------------------
>
> Key: HTTPCLIENT-1903
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1903
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Affects Versions: 4.5.5
> Reporter: Michael Pujos
> Priority: Minor
>
> I'm using HttpClient on Android, repackaged to avoid conflicting with the
> platform's org.apache old packages.
> It works fine, except that making any https request will crash using the
> defaults.
> The reason is that DefaultHostnameVerifier uses javax.naming.* classes, which
> are not present on Android.
> So to be able to make https requests, the default hostname verifier must be
> replaced. For example:
>
>     httpClient = HttpClients.custom()
>         .setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE)
>         .build();
>
> Using NoopHostnameVerifier is rarely a good idea, so for the time being I
> have replaced it with an older version of BrowserCompatHostnameVerifier that
> doesn't internally call DefaultHostnameVerifier.
>
> Ideally, I'd like DefaultHostnameVerifier to detect dynamically if
> javax.naming.* classes are available, and switch to an alternate method not
> using them if they are not. That way, HttpClient would work out of the box
> for Android users.
>
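Added example, not part of the thread and not HttpClient's own code: a verifier that matches only dNSName SubjectAltName entries through java.security.cert, so it needs no javax.naming classes, and that rejects a certificate without SANs instead of accepting it the way a noop verifier would. The class name SanOnlyHostnameVerifier is hypothetical; the code assumes the host is a DNS name and does not cover the certificates without SubjectAltNames that Oleg mentions.

```java
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

// Hypothetical class: SAN-only hostname check that never touches javax.naming.
public final class SanOnlyHostnameVerifier implements HostnameVerifier {
    private static final int DNS_NAME = 2; // GeneralName tag for dNSName

    @Override
    public boolean verify(String host, SSLSession session) {
        try {
            Certificate[] chain = session.getPeerCertificates();
            return chain.length > 0 && chain[0] instanceof X509Certificate
                    && matches(host, ((X509Certificate) chain[0]).getSubjectAlternativeNames());
        } catch (SSLPeerUnverifiedException | CertificateParsingException e) {
            return false; // fail closed on any error
        }
    }

    // sans is null when the certificate carries no SubjectAltName extension.
    static boolean matches(String host, Collection<List<?>> sans) {
        if (host == null || sans == null) return false; // reject, never accept blindly
        String h = host.toLowerCase(Locale.ROOT);
        for (List<?> san : sans) {
            if (san.size() < 2 || !(san.get(0) instanceof Integer)
                    || !(san.get(1) instanceof String)) continue;
            String value = ((String) san.get(1)).toLowerCase(Locale.ROOT);
            if ((Integer) san.get(0) == DNS_NAME && dnsMatches(h, value)) return true;
        }
        return false;
    }

    // A leading "*." covers exactly one label; "*.com"-style patterns are refused.
    // Public-suffix patterns such as "*.co.uk" are not detected here.
    static boolean dnsMatches(String host, String pattern) {
        if (!pattern.startsWith("*.")) return host.equals(pattern);
        String suffix = pattern.substring(1); // e.g. ".example.com"
        int firstDot = host.indexOf('.');
        return firstDot > 0 && suffix.indexOf('.', 1) > 0
                && host.substring(firstDot).equals(suffix);
    }
}
```

It plugs into the same `setSSLHostnameVerifier(...)` call shown in the issue description, in place of `NoopHostnameVerifier.INSTANCE`.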