okhttp v3.7.0 Release Notes

  • 2017-04-15

    • OkHttp no longer recovers from TLS handshake failures by attempting a TLSv1 connection. The fallback was necessary for servers that implemented version negotiation incorrectly. Now that 99.99% of servers do it right, this fallback is obsolete.
    • Fix: Do not honor cookies set on a public domain. Previously a malicious site could inject cookies on top-level domains like co.uk because our cookie parser didn't honor the public suffix list. Alongside this fix is a new API, HttpUrl.topPrivateDomain(), which returns the private domain name if the URL has one.
    • Fix: Change MediaType.charset() to return null for unexpected charsets.
    • Fix: Don't skip cache invalidation if the invalidating response has no body.
    • Fix: Don't use a cryptographic random number generator for web sockets. Some Android devices implement SecureRandom incorrectly!
    • Fix: Correctly canonicalize IPv6 addresses in HttpUrl. This prevented OkHttp from trusting HTTPS certificates issued to certain IPv6 addresses.
    • Fix: Don't reuse connections after an unsuccessful Expect: 100-continue.
    • Fix: Handle either TLS_ or SSL_ prefixes for cipher suite names. This is necessary for IBM JVMs that use the SSL_ prefix exclusively.
    • Fix: Reject HTTP/2 data frames if the stream ID is 0.
    • New: Upgrade to Okio 1.12.0.

       <dependency>
         <groupId>com.squareup.okio</groupId>
         <artifactId>okio</artifactId>
         <version>1.12.0</version>
       </dependency>
      
       com.squareup.okio:okio:1.12.0
      
    • New: Connection coalescing. OkHttp may reuse HTTP/2 connections across calls that share an IP address and HTTPS certificate, even if their domain names are different.

    • New: MockWebServer's RecordedRequest exposes the requested HttpUrl with getRequestUrl().
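
The public-suffix cookie fix and HttpUrl.topPrivateDomain() noted above can be checked against the OkHttp version on your classpath with a small harness like the following. This is an added example, not code from the OkHttp project; it assumes okhttp 3.7.0 or later as a dependency, and the class name, helper names and host names are constructed for illustration.

```java
import okhttp3.Cookie;
import okhttp3.HttpUrl;

public final class PublicSuffixCookieCheck {
  /** True if OkHttp's cookie parser accepts this Set-Cookie value for a response from requestUrl. */
  static boolean accepted(String requestUrl, String setCookie) {
    HttpUrl url = HttpUrl.parse(requestUrl);
    if (url == null) throw new IllegalArgumentException("bad URL: " + requestUrl);
    // Cookie.parse() returns null when the cookie is malformed or its domain is not allowed.
    return Cookie.parse(url, setCookie) != null;
  }

  /** True if both URLs share a top private domain; false if either has none. */
  static boolean sameTopPrivateDomain(String a, String b) {
    HttpUrl ua = HttpUrl.parse(a);
    HttpUrl ub = HttpUrl.parse(b);
    if (ua == null || ub == null) return false;
    String da = ua.topPrivateDomain(); // null for public suffixes and IP addresses
    return da != null && da.equals(ub.topPrivateDomain());
  }

  public static void main(String[] args) {
    // Constructed sample inputs: {request URL, Set-Cookie value}.
    String[][] cookies = {
      {"https://shop.example.co.uk/", "sid=1; Domain=co.uk"},         // Domain is a public suffix
      {"https://shop.example.co.uk/", "sid=1; Domain=example.co.uk"}, // Domain is a private domain
      {"https://shop.example.co.uk/", "sid=1"},                       // host-only cookie
    };
    for (String[] c : cookies) {
      System.out.printf("%-30s %-30s accepted=%b%n", c[0], c[1], accepted(c[0], c[1]));
    }

    // Constructed hosts showing what topPrivateDomain() reports for each kind of URL.
    String[] urls = {
      "https://shop.example.co.uk/", "https://co.uk/", "https://192.0.2.10/",
    };
    for (String u : urls) {
      HttpUrl parsed = HttpUrl.parse(u);
      System.out.printf("%-30s topPrivateDomain=%s%n", u,
          parsed == null ? "(unparseable)" : parsed.topPrivateDomain());
    }

    // Two unrelated registrants under the same public suffix must not be grouped together.
    System.out.println("same private domain: " + sameTopPrivateDomain(
        "https://shop.example.co.uk/", "https://www.other.co.uk/"));
  }
}
```

Running this as a regression check after a dependency upgrade confirms that a cookie scoped to a public suffix is still dropped by the parser before it can reach a CookieJar.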