Changelog History
Page 10
-
v2.7.1 Changes
2016-01-01
- Fix: Don't do a health check on newly-created connections. This is unnecessary work that could put the client in an inconsistent state if the health check fails.
-
v2.7.0 Changes
2015-12-13
- Rewritten connection management. Previously OkHttp's connection pool
managed both idle and active connections for HTTP/2, but only idle
connections for HTTP/1.x. With this update the connection pool manages both
idle and active connections for everything. OkHttp now detects and warns on
connections that were allocated but never released, and will enforce HTTP/2
stream limits. This update also fixes
Call.cancel()
to not do I/O on the calling thread. - Fix: Don't log gzipped data in the logging interceptor.
- Fix: Don't resolve DNS addresses when connecting through a SOCKS proxy.
- Fix: Drop the synthetic
OkHttp-Selected-Protocol
response header. - Fix: Support 204 and 205 'No Content' replies in the logging interceptor.
- New: Add
Call.isExecuted()
.
- Rewritten connection management. Previously OkHttp's connection pool
managed both idle and active connections for HTTP/2, but only idle
connections for HTTP/1.x. With this update the connection pool manages both
idle and active connections for everything. OkHttp now detects and warns on
connections that were allocated but never released, and will enforce HTTP/2
stream limits. This update also fixes
-
v2.6.0 Changes
2015-11-22
New Logging Interceptor. The
logging-interceptor
subproject offers simple request and response logging. It may be configured to log headers and bodies for debugging. It requires this Maven dependency:<dependency> <groupId>com.squareup.okhttp</groupId> <artifactId>logging-interceptor</artifactId> <version>2.6.0</version> </dependency>
Configure basic logging like this:
HttpLoggingInterceptor loggingInterceptor = new HttpLoggingInterceptor(); loggingInterceptor.setLevel(HttpLoggingInterceptor.Level.BASIC); client.networkInterceptors().add(loggingInterceptor);
Warning: Avoid
Level.HEADERS
andLevel.BODY
in production because they could leak passwords and other authentication credentials to insecure logs.WebSocket API now uses
RequestBody
andResponseBody
for messages. This is a backwards-incompatible API change.The DNS service is now pluggable. In some situations this may be useful to manually prioritize specific IP addresses.
Fix: Don't throw when converting an
HttpUrl
to ajava.net.URI
. Previously URLs with special characters like|
and[
would break when subjected to URI’s overly-strict validation.Fix: Don't re-encode
+
as%20
in encoded URL query strings. OkHttp prefers%20
when doing its own encoding, but will retain+
when that is provided.Fix: Enforce that callers call
WebSocket.close()
on IO errors. Error handling in WebSockets is significantly improved.Fix: Don't use SPDY/3 style header concatenation for HTTP/2 request headers. This could have corrupted requests where multiple headers had the same name, as in cookies.
Fix: Reject bad characters in the URL hostname. Previously characters like
\0
would cause a late crash when building the request.Fix: Allow interceptors to change the request method.
Fix: Don’t use the request's
User-Agent
orProxy-Authorization
when connecting to an HTTPS server via an HTTP tunnel. TheProxy-Authorization
header was being leaked to the origin server.Fix: Digits may be used in a URL scheme.
Fix: Improve connection timeout recovery.
Fix: Recover from
getsockname
crashes impacting Android releases prior to 4.2.2.Fix: Drop partial support for HTTP/1.0. Previously OkHttp would send
HTTP/1.0
on connections after seeing a response withHTTP/1.0
. The fixed behavior is consistent with Firefox and Chrome.Fix: Allow a body in
OPTIONS
requests.Fix: Don't percent-encode non-ASCII characters in URL fragments.
Fix: Handle null fragments.
Fix: Don’t crash on interceptors that throw
IOException
before a connection is attempted.New: Support [WebDAV][webdav] HTTP methods.
New: Buffer WebSocket frames for better performance.
New: Drop support for
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
, our only remaining DSS cipher suite. This is consistent with Firefox and Chrome which have also dropped these cipher suite.
-
v2.5.0 Changes
2015-08-25
Timeouts now default to 10 seconds. Previously we defaulted to never timing out, and that was a lousy policy. If establishing a connection, reading the next byte from a connection, or writing the next byte to a connection takes more than 10 seconds to complete, you’ll need to adjust the timeouts manually.
OkHttp now rejects request headers that contain invalid characters. This includes potential security problems (newline characters) as well as simple non-ASCII characters (including international characters and emoji).
Call canceling is more reliable. We had a bug where a socket being connected wasn't being closed when the application used
Call.cancel()
.Changing a HttpUrl’s scheme now tracks the default port. We had a bug where changing a URL from
http
tohttps
would leave it on port 80.Okio has been updated to 1.6.0.
<dependency> <groupId>com.squareup.okio</groupId> <artifactId>okio</artifactId> <version>1.6.0</version> </dependency>
New:
Cache.initialize()
. Call this on a background thread to eagerly initialize the response cache.New: Fold
MockWebServerRule
intoMockWebServer
. This makes it easier to write JUnit tests withMockWebServer
. TheMockWebServer
library now depends on JUnit, though it continues to work with all testing frameworks.Fix:
FormEncodingBuilder
is now consistent with browsers in which characters it escapes. Previously we weren’t percent-encoding commas, parens, and other characters.Fix: Relax
FormEncodingBuilder
to support building empty forms.Fix: Timeouts throw
SocketTimeoutException
, notInterruptedIOException
.Fix: Change
MockWebServer
to use the same logic as OkHttp when determining whether an HTTP request permits a body.Fix:
HttpUrl
now uses the canonical form for IPv6 addresses.Fix: Use
HttpUrl
internally.Fix: Recover from Android 4.2.2 EBADF crashes.
Fix: Don't crash with an
IllegalStateException
if an HTTP/2 or SPDY write fails, leaving the connection in an inconsistent state.Fix: Make sure the default user agent is ASCII.
-
v2.4.0 Changes
2015-05-22
Forbid response bodies on HTTP 204 and 205 responses. Webservers that return such malformed responses will now trigger a
ProtocolException
in the client.WebSocketListener has incompatible changes. The
onOpen()
method is now called on the reader thread, so implementations must return before further websocket messages will be delivered. TheonFailure()
method now includes an HTTP response if one was returned.
-
v2.4.0-RC1 Changes
2015-05-16
New HttpUrl API. It's like
java.net.URL
but good. Note thatRequest.Builder.url()
now throwsIllegalArgumentException
on malformed URLs. (Previous releases would throw aMalformedURLException
when calling a malformed URL.)We've improved connect failure recovery. We now differentiate between setup, connecting, and connected and implement appropriate recovery rules for each. This changes
Address
to no longer useConnectionSpec
. (This is an incompatible API change).FormEncodingBuilder
now uses%20
instead of+
for encoded spaces. Both are permitted-by-spec, but%20
requires fewer special cases.Okio has been updated to 1.4.0.
<dependency> <groupId>com.squareup.okio</groupId> <artifactId>okio</artifactId> <version>1.4.0</version> </dependency>
Request.Builder
no longer accepts null if a request body is required. Passing null will now fail for request methods that require a body. Instead use an empty body such as this one:RequestBody.create(null, new byte[0]);
CertificatePinner
now supports wildcard hostnames. As always with certificate pinning, you must be very careful to avoid [bricking][brick] your app. You'll need to pin both the top-level domain and the*.
domain for full coverage.client.setCertificatePinner(new CertificatePinner.Builder() .add("publicobject.com", "sha1/DmxUShsZuNiqPQsX2Oi9uv2sCnw=") .add("*.publicobject.com", "sha1/DmxUShsZuNiqPQsX2Oi9uv2sCnw=") .add("publicobject.com", "sha1/SXxoaOSEzPC6BgGmxAt/EAcsajw=") .add("*.publicobject.com", "sha1/SXxoaOSEzPC6BgGmxAt/EAcsajw=") .add("publicobject.com", "sha1/blhOM3W9V/bVQhsWAcLYwPU6n24=") .add("*.publicobject.com", "sha1/blhOM3W9V/bVQhsWAcLYwPU6n24=") .add("publicobject.com", "sha1/T5x9IXmcrQ7YuQxXnxoCmeeQ84c=") .add("*.publicobject.com", "sha1/T5x9IXmcrQ7YuQxXnxoCmeeQ84c=") .build());
Interceptors lists are now deep-copied by
OkHttpClient.clone()
. Previously clones shared interceptors, which made it difficult to customize the interceptors on a request-by-request basis.New:
Headers.toMultimap()
.New:
RequestBody.create(MediaType, ByteString)
.New:
ConnectionSpec.isCompatible(SSLSocket)
.New:
Dispatcher.getQueuedCallCount()
andDispatcher.getRunningCallCount()
. These can be useful in diagnostics.Fix: OkHttp no longer shares timeouts between pooled connections. This was causing some applications to crash when connections were reused.
Fix:
OkApacheClient
now allows an emptyPUT
andPOST
.Fix: Websockets no longer rebuffer socket streams.
Fix: Websockets are now better at handling close frames.
Fix: Content type matching is now case insensitive.
Fix:
Vary
headers are not lost withandroid.net.http.HttpResponseCache
.Fix: HTTP/2 wasn't enforcing stream timeouts when writing the underlying connection. Now it is.
Fix: Never return null on
call.proceed()
. This was a bug in call cancelation.Fix: When a network interceptor mutates a request, that change is now reflected in
Response.networkResponse()
.Fix: Badly-behaving caches now throw a checked exception instead of a
NullPointerException
.Fix: Better handling of uncaught exceptions in MockWebServer with HTTP/2.
-
v2.3.0 Changes
2015-03-16
HTTP/2 support. We've done interop testing and haven't seen any problems. HTTP/2 support has been a big effort and we're particularly thankful to Adrian Cole who has helped us to reach this milestone.
RC4 cipher suites are no longer supported by default. To connect to old, obsolete servers relying on these cipher suites, you must create a custom
ConnectionSpec
.Beta WebSockets support.. The
okhttp-ws
subproject offers a new websockets client. Please try it out! When it's ready we intend to include it with the core OkHttp library.Okio updated to 1.3.0.
<dependency> <groupId>com.squareup.okio</groupId> <artifactId>okio</artifactId> <version>1.3.0</version> </dependency>
Fix: improve parallelism of async requests. OkHttp's Dispatcher had a misconfigured
ExecutorService
that limited the number of worker threads. If you're usingCall.enqueue()
this update should significantly improve request concurrency.Fix: Lazily initialize the response cache. This avoids strict mode warnings when initializing OkHttp on Android‘s main thread.
Fix: Disable ALPN on Android 4.4. That release of the feature was unstable and prone to native crashes in the underlying OpenSSL code.
Fix: Don't send both
If-None-Match
andIf-Modified-Since
cache headers when both are applicable.Fix: Fail early when a port is out of range.
Fix: Offer
Content-Length
headers for multipart request bodies.Fix: Throw
UnknownServiceException
if a cleartext connection is attempted when explicitly forbidden.Fix: Throw a
SSLPeerUnverifiedException
when host verification fails.Fix: MockWebServer explicitly closes sockets. (On some Android releases, closing the input stream and output stream of a socket is not sufficient.
Fix: Buffer outgoing HTTP/2 frames to limit how many outgoing frames are created.
Fix: Avoid crashing when cache writing fails due to a full disk.
Fix: Improve caching of private responses.
Fix: Update cache-by-default response codes.
Fix: Reused
Request.Builder
instances no longer hold stale URL fields.New: ConnectionSpec can now be configured to use the SSL socket's default cipher suites. To use, set the cipher suites to
null
.New: Support
DELETE
with a request body.New:
Headers.of(Map)
creates headers from a Map.
-
v2.2.0 Changes
2014-12-30
RequestBody.contentLength()
now throwsIOException
. This is a source-incompatible change. If you have code that callsRequestBody.contentLength()
, your compile will break with this update. The change is binary-compatible, however: code compiled for OkHttp 2.0 and 2.1 will continue to work with this update.COMPATIBLE_TLS
no longer supports SSLv3. In response to the POODLE vulnerability, OkHttp no longer offers SSLv3 when negotiation an HTTPS connection. If you continue to need to connect to webservers running SSLv3, you must manually configure your ownConnectionSpec
.OkHttp now offers interceptors. Interceptors are a powerful mechanism that can monitor, rewrite, and retry calls. The [interceptors doc][interceptors] is a full introduction to this new API.
New: APIs to iterate and selectively clear the response cache.
New: Support for SOCKS proxies.
New: Support for
TLS_FALLBACK_SCSV
.New: Update HTTP/2 support to
h2-16
andhpack-10
.New: APIs to prevent retrying non-idempotent requests.
Fix: Drop NPN support. Going forward we support ALPN only.
Fix: The hostname verifier is now strict. This is consistent with the hostname verifier in modern browsers.
Fix: Improve
CONNECT
handling for misbehaving HTTP proxies.Fix: Don't retry requests that failed due to timeouts.
Fix: Cache 302s and 308s that include appropriate response headers.
Fix: Improve pooling of connections that use proxy selectors.
Fix: Don't leak connections when using ALPN on the desktop.
Fix: Update Jetty ALPN to
7.1.2.v20141202
(Java 7) and8.1.2.v20141202
(Java 8). This fixes a bug in resumed TLS sessions where the wrong protocol could be selected.Fix: Don't crash in SPDY and HTTP/2 when disconnecting before connecting.
Fix: Avoid a reverse DNS-lookup for a numeric proxy address
Fix: Resurrect http/2 frame logging.
Fix: Limit to 20 authorization attempts.
-
v2.1.0 Changes
2014-11-11
- New: Typesafe APIs for interacting with cipher suites and TLS versions.
- Fix: Don't crash when mixing authorization challenges with upload retries.
-
v2.1.0-RC1 Changes
2014-11-04
OkHttp now caches private responses. We've changed from a shared cache to a private cache, and will now store responses that use an
Authorization
header. This means OkHttp's cache shouldn't be used on middleboxes that sit between user agents and the origin server.TLS configuration updated. OkHttp now explicitly enables TLSv1.2, TLSv1.1 and TLSv1.0 where they are supported. It will continue to perform only one fallback, to SSLv3. Applications can now configure this with the
ConnectionSpec
class.To disable TLS fallback:
client.setConnectionSpecs(Arrays.asList( ConnectionSpec.MODERN_TLS, ConnectionSpec.CLEARTEXT));
To disable cleartext connections, permitting
https
URLs only:client.setConnectionSpecs(Arrays.asList( ConnectionSpec.MODERN_TLS, ConnectionSpec.COMPATIBLE_TLS));
New cipher suites. Please confirm that your webservers are reachable with this limited set of cipher suites.
Android Name Version TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 5.0 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 5.0 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 5.0 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 4.0 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 4.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 4.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 4.0 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA 4.0 TLS_ECDHE_RSA_WITH_RC4_128_SHA 4.0 TLS_DHE_RSA_WITH_AES_128_CBC_SHA 2.3 TLS_DHE_DSS_WITH_AES_128_CBC_SHA 2.3 TLS_DHE_RSA_WITH_AES_256_CBC_SHA 2.3 TLS_RSA_WITH_AES_128_GCM_SHA256 5.0 TLS_RSA_WITH_AES_128_CBC_SHA 2.3 TLS_RSA_WITH_AES_256_CBC_SHA 2.3 SSL_RSA_WITH_3DES_EDE_CBC_SHA 2.3 (Deprecated in 5.0) SSL_RSA_WITH_RC4_128_SHA 2.3 SSL_RSA_WITH_RC4_128_MD5 2.3 (Deprecated in 5.0)
Okio updated to 1.0.1.
<dependency> <groupId>com.squareup.okio</groupId> <artifactId>okio</artifactId> <version>1.0.1</version> </dependency>
New APIs to permit easy certificate pinning. Be warned, certificate pinning is dangerous and could prevent your application from trusting your server!
Cache improvements. This release fixes some severe cache problems including a bug where the cache could be corrupted upon certain access patterns. We also fixed a bug where the cache was being cleared due to a corrupted journal. We've added APIs to configure a request's
Cache-Control
headers, and to manually clear the cache.Request cancellation fixes. This update fixes a bug where synchronous requests couldn't be canceled by tag. This update avoids crashing when
onResponse()
throws anIOException
. That failure will now be logged instead of notifying the thread's uncaught exception handler. We've added a new API,Call.isCanceled()
to check if a call has been canceled.New: Update
MultipartBuilder
to support content length.New: Make it possible to mock
OkHttpClient
andCall
.New: Update to h2-14 and hpack-9.
New: OkHttp includes a user-agent by default, like
okhttp/2.1.0-RC1
.Fix: Handle response code
308 Permanent Redirect
.Fix: Don't skip the callback if a call is canceled.
Fix: Permit hostnames with underscores.
Fix: Permit overriding the content-type in
OkApacheClient
.Fix: Use the socket factory for direct connections.
Fix: Honor
OkUrlFactory
APIs that disable redirects.Fix: Don't crash on concurrent modification of
SPDY
SPDY settings.