- OkHttp no longer recovers from TLS handshake failures by attempting a TLSv1 connection. The fallback was necessary for servers that implemented version negotiation incorrectly. Now that 99.99% of servers do it right this fallback is obsolete.
- Fix: Do not honor cookies set on a public domain. Previously a malicious site could inject
cookies on top-level domains like
co.ukbecause our cookie parser didn't honor the [public suffix][public_suffix] list. Alongside this fix is a new API,
HttpUrl.topPrivateDomain(), which returns the privately domain name if the URL has one.
- Fix: Change
MediaType.charset()to return null for unexpected charsets.
- Fix: Don't skip cache invalidation if the invalidating response has no body.
- Fix: Don't use a cryptographic random number generator for web sockets. Some Android devices
- Fix: Correctly canonicalize IPv6 addresses in
HttpUrl. This prevented OkHttp from trusting HTTPS certificates issued to certain IPv6 addresses.
- Fix: Don't reuse connections after an unsuccessful
- Fix: Handle either
SSL_prefixes for cipher suite names. This is necessary for IBM JVMs that use the
- Fix: Reject HTTP/2 data frames if the stream ID is 0.
New: Upgrade to Okio 1.12.0.
<dependency> <groupId>com.squareup.okio</groupId> <artifactId>okio</artifactId> <version>1.12.0</version> </dependency> com.squareup.okio:okio:1.12.0
New: Connection coalescing. OkHttp may reuse HTTP/2 connections across calls that share an IP address and HTTPS certificate, even if their domain names are different.
RecordedRequestexposes the requested
- Fix: Don't crash with a "cache is closed" error when there is an error initializing the cache.
- Fix: Calling
disconnect()on a connecting
HttpUrlConnectioncould cause it to retry in an infinite loop! This regression was introduced in OkHttp 2.7.0.
- Fix: Drop cookies that contain ASCII NULL and other bad characters. Previously such cookies would cause OkHttp to crash when they were included in a request.
- Fix: Release duplicated multiplexed connections. If we concurrently establish connections to an HTTP/2 server, close all but the first connection.
- Fix: Fail the HTTP/2 connection if first frame isn't
- Fix: Forbid spaces in header names.
- Fix: Don't offer to do gzip if the request is partial.
- Fix: MockWebServer is now usable with JUnit 5. That update [broke the rules][junit_5_rules].
- New: Support
Expect: 100-continueas a request header. Callers can use this header to pessimistically hold off on transmitting a request body until a server gives the go-ahead.
- New: Permit network interceptors to rewrite the host header for HTTP/2. This makes it possible to do domain fronting.
- New: charset support for
Web Sockets are now a stable feature of OkHttp. Since being introduced as a beta feature in OkHttp 2.3 our web socket client has matured. Connect to a server's web socket with
OkHttpClient.newWebSocket(), send messages with
send(), and receive messages with the
okhttp-wssubmodule is no longer available and
okhttp-wsartifacts from previous releases of OkHttp are not compatible with OkHttp 3.5. When upgrading to the new package please note that the
WebSocketCallclasses have been merged. Sending messages is now asynchronous and they may be enqueued before the web socket is connected.
OkHttp no longer attempts a direct connection if the system's HTTP proxy fails. This behavior was surprising because OkHttp was disregarding the user's specified configuration. If you need to customize proxy fallback behavior, implement your own
Fix: Support TLSv1.3 on devices that support it.
Fix: Share pooled connections across equivalent
OkHttpClientinstances. Previous releases had a bug where a shared connection pool did not guarantee shared connections in some cases.
Fix: Prefer the server's response body on all conditional cache misses. Previously we would return the cached response's body if it had a newer
Fix: Update the stored timestamp on conditional cache hits.
New: Optimized HTTP/2 request header encoding. More headers are HPACK-encoded and string literals are now Huffman-encoded.
Partheaders and body in
ResponseBody.charStream()BOM-aware. If your HTTP response body begins with a [byte order mark][bom] it will be consumed and used to select a charset for the remaining bytes. Most applications should not need a byte order mark.
New: Upgrade to Okio 1.11.0.
<dependency> <groupId>com.squareup.okio</groupId> <artifactId>okio</artifactId> <version>1.11.0</version> </dependency> com.squareup.okio:okio:1.11.0
Fix: Avoid sending empty HTTP/2 data frames when there is no request body.
Fix: Add a leading
.for better domain matching in
Fix: Gracefully recover from HTTP/2 connection shutdowns at start of request.
Fix: Be lenient if a
MediaType's character set is
Fix: Allow horizontal tab characters in header values.
Fix: When parsing HTTP authentication headers permit challenge parameters in any order.
- Fix: Recover gracefully when an HTTP/2 connection is shutdown. We had a bug where shutdown HTTP/2 connections were considered usable. This caused infinite loops when calls attempted to recover.
- Fix a major bug in encoding HTTP headers. In 3.4.0 and 3.4.0-RC1 OkHttp had an off-by-one bug in our HPACK encoder. This bug could have caused the wrong headers to be emitted after a sequence of HTTP/2 requests! Everyone who is using OkHttp 3.4.0 or 3.4.0-RC1 should upgrade for this bug fix.
- New: Support dynamic table size changes to HPACK Encoder.
- Fix: Use
Headers.toMultimap(). This makes string lookups on the returned map case-insensitive.
- Fix: Don't share the OkHttpClient's
We’ve rewritten HttpURLConnection and HttpsURLConnection. Previously we shared a single HTTP engine between two frontend APIs:
Call. With this release we’ve rearranged things so that the
HttpURLConnectionfrontend now delegates to the
CallAPIs internally. This has enabled substantial simplifications and optimizations in the OkHttp core for both frontends.
For most HTTP requests the consequences of this change will be negligible. If your application uses
setChunkedStreamingMode(), OkHttp will now use a async dispatcher thread to establish the HTTP connection.
We don’t expect this change to have any behavior or performance consequences. Regardless, please exercise your
HttpURLConnectioncode when applying this update.
Cipher suites may now have arbitrary names. Previously
CipherSuitewas a Java enum and it was impossible to define new cipher suites without first upgrading OkHttp. With this change it is now a regular Java class with enum-like constants. Application code that uses enum methods on cipher suites (
name(), etc.) will break with this change.
CertificatePinnernow matches canonicalized hostnames. Previously this was case sensitive. This change should also make it easier to configure certificate pinning for internationalized domain names.
Fix: Don’t crash on non-ASCII
ETagheaders. Previously OkHttp would reject these headers when validating a cached response.
Fix: Don’t allow remote peer to arbitrarily size the HPACK decoder dynamic table.
Fix: Honor per-host configuration in Android’s network security config. Previously disabling cleartext for any host would disable cleartext for all hosts. Note that this setting is only available on Android 24+.
New: HPACK compression is now dynamic. This should improve performance when transmitting request headers over HTTP/2.
Dispatcher.setIdleCallback()can be used to signal when there are no calls in flight. This is useful for [testing with Espresso][okhttp_idling_resource].
New: Upgrade to Okio 1.9.0.
<dependency> <groupId>com.squareup.okio</groupId> <artifactId>okio</artifactId> <version>1.9.0</version> </dependency>
- Fix: The plaintext check in HttpLoggingInterceptor incorrectly classified newline characters as control characters. This is fixed.
- Fix: Don't crash reading non-ASCII characters in HTTP/2 headers or in cached HTTP headers.
- Fix: Retain the response body when an attempt to open a web socket returns a non-101 response code.
receivedResponseAtMillis()methods track the system's local time when network calls are made. These replace the
OkHttp-Received-Millisheaders that were present in earlier versions of OkHttp.
- New: Accept user-provided trust managers in
OkHttpClient.Builder. This allows OkHttp to satisfy its TLS requirements directly. Otherwise OkHttp will use reflection to extract the
- New: Support prerelease Java 9. This gets ALPN from the platform rather than relying on the alpn-boot bootclasspath override.
HttpLoggingInterceptornow logs connection failures.
New: Upgrade to Okio 1.8.0.
<dependency> <groupId>com.squareup.okio</groupId> <artifactId>okio</artifactId> <version>1.8.0</version> </dependency>
Fix: Gracefully recover from a failure to rebuild the cache journal.
Fix: Don't corrupt cache entries when a cache entry is evicted while it is being updated.
Fix: Make logging more consistent throughout OkHttp.
Fix: Log plaintext bodies only. This uses simple heuristics to differentiate text from other data.
Fix: Recover from
REFUSED_STREAMerrors in HTTP/2. This should improve interoperability with Nginx 1.10.0, which [refuses][nginx_959] streams created before HTTP/2 settings have been acknowledged.
Fix: Improve recovery from failed routes.
Fix: Accommodate tunneling proxies that close the connection after an auth challenge.
Fix: Use the proxy authenticator when authenticating HTTP proxies. This regression was introduced in OkHttp 3.0.
Fix: Fail fast if network interceptors transform the response body such that closing it doesn't also close the underlying stream. We had a bug where OkHttp would attempt to reuse a connection but couldn't because it was still held by a prior request.
Fix: Ensure network interceptors always have access to the underlying connection.
X509TrustManagerExtensionson Android 17+.
Fix: Unblock waiting dispatchers on MockWebServer shutdown.
- Fix: Change the certificate pinner to always build full chains. This prevents a potential crash when using certificate pinning with the Google Play Services security provider.
- Fix: Make IPv6 request lines consistent with Firefox and Chrome.
- Fix: Recover gracefully when trimming the response cache fails.
- New: Add multiple path segments using a single string in
- New: Support SHA-256 pins in certificate pinner.