All Versions
Latest Version
Avg Release Cycle
18 days
Latest Release

Changelog History
Page 7

  • v3.7.0 Changes


    • OkHttp no longer recovers from TLS handshake failures by attempting a TLSv1 connection. The fallback was necessary for servers that implemented version negotiation incorrectly. Now that 99.99% of servers do it right this fallback is obsolete.
    • Fix: Do not honor cookies set on a public domain. Previously a malicious site could inject cookies on top-level domains like because our cookie parser didn't honor the [public suffix][public_suffix] list. Alongside this fix is a new API, HttpUrl.topPrivateDomain(), which returns the privately domain name if the URL has one.
    • Fix: Change MediaType.charset() to return null for unexpected charsets.
    • Fix: Don't skip cache invalidation if the invalidating response has no body.
    • Fix: Don't use a cryptographic random number generator for web sockets. Some Android devices implement SecureRandom incorrectly!
    • Fix: Correctly canonicalize IPv6 addresses in HttpUrl. This prevented OkHttp from trusting HTTPS certificates issued to certain IPv6 addresses.
    • Fix: Don't reuse connections after an unsuccessful Expect: 100-continue.
    • Fix: Handle either TLS_ or SSL_ prefixes for cipher suite names. This is necessary for IBM JVMs that use the SSL_ prefix exclusively.
    • Fix: Reject HTTP/2 data frames if the stream ID is 0.
    • New: Upgrade to Okio 1.12.0.

    • New: Connection coalescing. OkHttp may reuse HTTP/2 connections across calls that share an IP address and HTTPS certificate, even if their domain names are different.

    • New: MockWebServer's RecordedRequest exposes the requested HttpUrl with getRequestUrl().

  • v3.6.0 Changes


    • Fix: Don't crash with a "cache is closed" error when there is an error initializing the cache.
    • Fix: Calling disconnect() on a connecting HttpUrlConnection could cause it to retry in an infinite loop! This regression was introduced in OkHttp 2.7.0.
    • Fix: Drop cookies that contain ASCII NULL and other bad characters. Previously such cookies would cause OkHttp to crash when they were included in a request.
    • Fix: Release duplicated multiplexed connections. If we concurrently establish connections to an HTTP/2 server, close all but the first connection.
    • Fix: Fail the HTTP/2 connection if first frame isn't SETTINGS.
    • Fix: Forbid spaces in header names.
    • Fix: Don't offer to do gzip if the request is partial.
    • Fix: MockWebServer is now usable with JUnit 5. That update [broke the rules][junit_5_rules].
    • New: Support Expect: 100-continue as a request header. Callers can use this header to pessimistically hold off on transmitting a request body until a server gives the go-ahead.
    • New: Permit network interceptors to rewrite the host header for HTTP/2. This makes it possible to do domain fronting.
    • New: charset support for Credentials.basic().
  • v3.5.0 Changes


    • Web Sockets are now a stable feature of OkHttp. Since being introduced as a beta feature in OkHttp 2.3 our web socket client has matured. Connect to a server's web socket with OkHttpClient.newWebSocket(), send messages with send(), and receive messages with the WebSocketListener.

      The okhttp-ws submodule is no longer available and okhttp-ws artifacts from previous releases of OkHttp are not compatible with OkHttp 3.5. When upgrading to the new package please note that the WebSocket and WebSocketCall classes have been merged. Sending messages is now asynchronous and they may be enqueued before the web socket is connected.

    • OkHttp no longer attempts a direct connection if the system's HTTP proxy fails. This behavior was surprising because OkHttp was disregarding the user's specified configuration. If you need to customize proxy fallback behavior, implement your own

    • Fix: Support TLSv1.3 on devices that support it.

    • Fix: Share pooled connections across equivalent OkHttpClient instances. Previous releases had a bug where a shared connection pool did not guarantee shared connections in some cases.

    • Fix: Prefer the server's response body on all conditional cache misses. Previously we would return the cached response's body if it had a newer Last-Modified date.

    • Fix: Update the stored timestamp on conditional cache hits.

    • New: Optimized HTTP/2 request header encoding. More headers are HPACK-encoded and string literals are now Huffman-encoded.

    • New: Expose Part headers and body in Multipart.

    • New: Make ResponseBody.string() and ResponseBody.charStream() BOM-aware. If your HTTP response body begins with a [byte order mark][bom] it will be consumed and used to select a charset for the remaining bytes. Most applications should not need a byte order mark.

    • New: Upgrade to Okio 1.11.0.

    • Fix: Avoid sending empty HTTP/2 data frames when there is no request body.

    • Fix: Add a leading . for better domain matching in JavaNetCookieJar.

    • Fix: Gracefully recover from HTTP/2 connection shutdowns at start of request.

    • Fix: Be lenient if a MediaType's character set is 'single-quoted'.

    • Fix: Allow horizontal tab characters in header values.

    • Fix: When parsing HTTP authentication headers permit challenge parameters in any order.

  • v3.4.2 Changes


    • Fix: Recover gracefully when an HTTP/2 connection is shutdown. We had a bug where shutdown HTTP/2 connections were considered usable. This caused infinite loops when calls attempted to recover.
  • v3.4.1 Changes


    • Fix a major bug in encoding HTTP headers. In 3.4.0 and 3.4.0-RC1 OkHttp had an off-by-one bug in our HPACK encoder. This bug could have caused the wrong headers to be emitted after a sequence of HTTP/2 requests! Everyone who is using OkHttp 3.4.0 or 3.4.0-RC1 should upgrade for this bug fix.
  • v3.4.0 Changes


    • New: Support dynamic table size changes to HPACK Encoder.
    • Fix: Use TreeMap in Headers.toMultimap(). This makes string lookups on the returned map case-insensitive.
    • Fix: Don't share the OkHttpClient's Dispatcher in HttpURLConnection.
  • v3.4.0-RC1 Changes


    • We’ve rewritten HttpURLConnection and HttpsURLConnection. Previously we shared a single HTTP engine between two frontend APIs: HttpURLConnection and Call. With this release we’ve rearranged things so that the HttpURLConnection frontend now delegates to the Call APIs internally. This has enabled substantial simplifications and optimizations in the OkHttp core for both frontends.

      For most HTTP requests the consequences of this change will be negligible. If your application uses HttpURLConnection.connect(), setFixedLengthStreamingMode(), or setChunkedStreamingMode(), OkHttp will now use a async dispatcher thread to establish the HTTP connection.

      We don’t expect this change to have any behavior or performance consequences. Regardless, please exercise your OkUrlFactory and HttpURLConnection code when applying this update.

    • Cipher suites may now have arbitrary names. Previously CipherSuite was a Java enum and it was impossible to define new cipher suites without first upgrading OkHttp. With this change it is now a regular Java class with enum-like constants. Application code that uses enum methods on cipher suites (ordinal(), name(), etc.) will break with this change.

    • Fix: CertificatePinner now matches canonicalized hostnames. Previously this was case sensitive. This change should also make it easier to configure certificate pinning for internationalized domain names.

    • Fix: Don’t crash on non-ASCII ETag headers. Previously OkHttp would reject these headers when validating a cached response.

    • Fix: Don’t allow remote peer to arbitrarily size the HPACK decoder dynamic table.

    • Fix: Honor per-host configuration in Android’s network security config. Previously disabling cleartext for any host would disable cleartext for all hosts. Note that this setting is only available on Android 24+.

    • New: HPACK compression is now dynamic. This should improve performance when transmitting request headers over HTTP/2.

    • New: Dispatcher.setIdleCallback() can be used to signal when there are no calls in flight. This is useful for [testing with Espresso][okhttp_idling_resource].

    • New: Upgrade to Okio 1.9.0.

  • v3.3.1 Changes


    • Fix: The plaintext check in HttpLoggingInterceptor incorrectly classified newline characters as control characters. This is fixed.
    • Fix: Don't crash reading non-ASCII characters in HTTP/2 headers or in cached HTTP headers.
    • Fix: Retain the response body when an attempt to open a web socket returns a non-101 response code.
  • v3.3.0 Changes


    • New: Response.sentRequestAtMillis() and receivedResponseAtMillis() methods track the system's local time when network calls are made. These replace the OkHttp-Sent-Millis and OkHttp-Received-Millis headers that were present in earlier versions of OkHttp.
    • New: Accept user-provided trust managers in OkHttpClient.Builder. This allows OkHttp to satisfy its TLS requirements directly. Otherwise OkHttp will use reflection to extract the TrustManager from the SSLSocketFactory.
    • New: Support prerelease Java 9. This gets ALPN from the platform rather than relying on the alpn-boot bootclasspath override.
    • New: HttpLoggingInterceptor now logs connection failures.
    • New: Upgrade to Okio 1.8.0.

    • Fix: Gracefully recover from a failure to rebuild the cache journal.

    • Fix: Don't corrupt cache entries when a cache entry is evicted while it is being updated.

    • Fix: Make logging more consistent throughout OkHttp.

    • Fix: Log plaintext bodies only. This uses simple heuristics to differentiate text from other data.

    • Fix: Recover from REFUSED_STREAM errors in HTTP/2. This should improve interoperability with Nginx 1.10.0, which [refuses][nginx_959] streams created before HTTP/2 settings have been acknowledged.

    • Fix: Improve recovery from failed routes.

    • Fix: Accommodate tunneling proxies that close the connection after an auth challenge.

    • Fix: Use the proxy authenticator when authenticating HTTP proxies. This regression was introduced in OkHttp 3.0.

    • Fix: Fail fast if network interceptors transform the response body such that closing it doesn't also close the underlying stream. We had a bug where OkHttp would attempt to reuse a connection but couldn't because it was still held by a prior request.

    • Fix: Ensure network interceptors always have access to the underlying connection.

    • Fix: Use X509TrustManagerExtensions on Android 17+.

    • Fix: Unblock waiting dispatchers on MockWebServer shutdown.

  • v3.2.0 Changes


    • Fix: Change the certificate pinner to always build full chains. This prevents a potential crash when using certificate pinning with the Google Play Services security provider.
    • Fix: Make IPv6 request lines consistent with Firefox and Chrome.
    • Fix: Recover gracefully when trimming the response cache fails.
    • New: Add multiple path segments using a single string in HttpUrl.Builder.
    • New: Support SHA-256 pins in certificate pinner.