Skip to content

HTTPCLIENT-2397 - Enforce TLS-Required routes (opt-in) #777

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
arturobernalg merged 1 commit into from
Jan 10, 2026
Merged

HTTPCLIENT-2397 - Enforce TLS-Required routes (opt-in) #777

arturobernalg merged 1 commit into from
Jan 10, 2026
+352 −1

Conversation

@arturobernalg
Copy link
Member

@arturobernalg arturobernalg commented Jan 8, 2026

Add setTlsOnly(boolean) to classic and async builders to reject cleartext routes.
Install an internal exec interceptor that fails fast when the computed route is not secure.
Includes small sync + async examples in Javadoc.

@arturobernalg arturobernalg requested a review from ok2c January 8, 2026 09:46
@arturobernalg arturobernalg changed the title HTTPCLIENT-2397 - Enforce TLS-only routes (opt-in) HTTPCLIENT-2397 - Enforce TLS-Required routes (opt-in) Jan 8, 2026
@arturobernalg arturobernalg force-pushed the HTTPCLIENT-2397 branch 2 times, most recently from 38c0392 to 7196331 Compare January 8, 2026 13:28
ok2c
ok2c reviewed Jan 10, 2026
View reviewed changes
httpclient5/src/main/java/org/apache/hc/client5/http/impl/async/HttpAsyncClientBuilder.java Outdated
authCachingDisabled),
ChainElement.PROTOCOL.name());

if (this.tlsRequired) {
Copy link
Member

@ok2c ok2c Jan 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@arturobernalg Would not it be better to put this interceptor at the very beginning of the pipeline?

Copy link
Member Author

@arturobernalg arturobernalg Jan 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ok2c fine by me. changed.

@arturobernalg
HTTPCLIENT-2397 - TLS-Required mode: add setTlsOnly(boolean) to class…
cecb1b6 
…ic and async builders to reject cleartext routes.

Fail fast with UnsupportedSchemeException when the computed route is not secure.
@arturobernalg arturobernalg merged commit 68435f2 into apache:master Jan 10, 2026
10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ok2c ok2c ok2c approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@arturobernalg @ok2c