OkHttp now caches private responses. We've changed from a shared cache to a private cache, and will now store responses that use an
Authorizationheader. This means OkHttp's cache shouldn't be used on middleboxes that sit between user agents and the origin server.
TLS configuration updated. OkHttp now explicitly enables TLSv1.2, TLSv1.1 and TLSv1.0 where they are supported. It will continue to perform only one fallback, to SSLv3. Applications can now configure this with the
To disable TLS fallback:
client.setConnectionSpecs(Arrays.asList( ConnectionSpec.MODERN_TLS, ConnectionSpec.CLEARTEXT));
To disable cleartext connections, permitting
client.setConnectionSpecs(Arrays.asList( ConnectionSpec.MODERN_TLS, ConnectionSpec.COMPATIBLE_TLS));
New cipher suites. Please confirm that your webservers are reachable with this limited set of cipher suites.
Android Name Version TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 5.0 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 5.0 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 5.0 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 4.0 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 4.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 4.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 4.0 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA 4.0 TLS_ECDHE_RSA_WITH_RC4_128_SHA 4.0 TLS_DHE_RSA_WITH_AES_128_CBC_SHA 2.3 TLS_DHE_DSS_WITH_AES_128_CBC_SHA 2.3 TLS_DHE_RSA_WITH_AES_256_CBC_SHA 2.3 TLS_RSA_WITH_AES_128_GCM_SHA256 5.0 TLS_RSA_WITH_AES_128_CBC_SHA 2.3 TLS_RSA_WITH_AES_256_CBC_SHA 2.3 SSL_RSA_WITH_3DES_EDE_CBC_SHA 2.3 (Deprecated in 5.0) SSL_RSA_WITH_RC4_128_SHA 2.3 SSL_RSA_WITH_RC4_128_MD5 2.3 (Deprecated in 5.0)
Okio updated to 1.0.1.
<dependency> <groupId>com.squareup.okio</groupId> <artifactId>okio</artifactId> <version>1.0.1</version> </dependency>
New APIs to permit easy certificate pinning. Be warned, certificate pinning is dangerous and could prevent your application from trusting your server!
Cache improvements. This release fixes some severe cache problems including a bug where the cache could be corrupted upon certain access patterns. We also fixed a bug where the cache was being cleared due to a corrupted journal. We've added APIs to configure a request's
Cache-Controlheaders, and to manually clear the cache.
Request cancellation fixes. This update fixes a bug where synchronous requests couldn't be canceled by tag. This update avoids crashing when
IOException. That failure will now be logged instead of notifying the thread's uncaught exception handler. We've added a new API,
Call.isCanceled()to check if a call has been canceled.
MultipartBuilderto support content length.
New: Make it possible to mock
New: Update to h2-14 and hpack-9.
New: OkHttp includes a user-agent by default, like
Fix: Handle response code
308 Permanent Redirect.
Fix: Don't skip the callback if a call is canceled.
Fix: Permit hostnames with underscores.
Fix: Permit overriding the content-type in
Fix: Use the socket factory for direct connections.
OkUrlFactoryAPIs that disable redirects.
Fix: Don't crash on concurrent modification of
🚀 This release commits to a stable 2.0 API. Read the 2.0.0-RC1 changes for advice ⬆️ on upgrading from 1.x to 2.x.
- API Change: Use
Callback.onFailure(). This is a source-incompatible change, and is different from OkHttp 2.0.0-RC2 which used
- Fix: Fixed a caching bug where we weren't storing rewritten request headers
- Fix: Fixed bugs in handling the SPDY window size. This was stalling certain large downloads
- Update the language level to Java 7. (OkHttp requires Android 2.3+ or Java 7+.)
- API Change: Use
⚡️ This update fixes problems in 2.0.0-RC1. Read the 2.0.0-RC1 changes for ⬆️ advice on upgrading from 1.x to 2.x.
- Fix: Don't leak connections! There was a regression in 2.0.0-RC1 where connections were neither closed nor pooled.
- Fix: Revert builder-style return types from OkHttpClient's timeout methods for binary compatibility with OkHttp 1.x.
- Fix: Don't skip client stream 1 on SPDY/3.1. This fixes SPDY connectivity to
https://google.com, which doesn't follow the SPDY/3.1 spec!
- Fix: Always configure NPN headers. This fixes connectivity to
https://facebook.comwhen SPDY and HTTP/2 are both disabled. Otherwise an unexpected NPN response is received and OkHttp crashes.
- Fix: Write continuation frames when HPACK data is larger than 16383 bytes.
- Fix: Don't drop uncaught exceptions thrown in async calls.
- Fix: Throw an exception eagerly when a request body is not legal. Previously
we ignored the problem at request-building time, only to crash later with a
- Fix: Include a backwards-compatible
- Fix: Don't include a default User-Agent header in requests made with the Call API. Requests made with OkUrlFactory will continue to have a default user agent.
New: Guava-like API to create headers:
Headers headers = Headers.of(name1, value1, name2, value2, ...).
New: Make the content-type header optional for request bodies.
Response.isSuccessful()is a convenient API to check response codes.
New: The response body can now be read outside of the callback. Response bodies must always be closed, otherwise they will leak connections!
New: APIs to create multipart request bodies (
MultipartBuilder) and form encoding bodies (
OkHttp 2 is designed around a new API that is true to HTTP, with classes for requests, responses, headers, and calls. It uses modern Java patterns like 🏗 immutability and chained builders. The API now offers asynchronous callbacks 🔀 in addition to synchronous blocking calls.
New Request and Response types, each with their own builder. There's also a
RequestBodyclass to write the request body to the network and a
ResponseBodyto read the response body from the network. The standalone
Headersclass offers full access to the HTTP headers.
Okio dependency added. OkHttp now depends on Okio, an I/O library that makes it easier to access, store and process data. Using this library internally makes OkHttp faster while consuming less memory. You can write a
RequestBodyas an Okio
ResponseBodyas an Okio
OutputStreamaccess is also available.
New Call and Callback types execute requests and receive their responses. Both types of calls can be canceled via the
URLConnection support has moved to the okhttp-urlconnection module. If you're upgrading from 1.x, this change will impact you. You will need to add the
okhttp-urlconnectionmodule to your project and use the
OkUrlFactoryto create new instances of
// OkHttp 1.x: HttpURLConnection connection = client.open(url); // OkHttp 2.x: HttpURLConnection connection = new OkUrlFactory(client).open(url);
Custom caches are no longer supported. In OkHttp 1.x it was possible to define your own response cache with the
OkResponseCacheinterfaces. Both of these APIs have been dropped. In OkHttp 2 the built-in disk cache is the only supported response cache.
HttpResponseCache has been renamed to Cache. Install it with
OkAuthenticator has been replaced with Authenticator. This new authenticator has access to the full incoming response and can respond with whichever followup request is appropriate. The
Challengeclass is now a top-level class and
Credentialis replaced with a utility class called
OkHttpClient.getFollowProtocolRedirects() renamed to getFollowSslRedirects(). We reserve the word protocol for the HTTP version being used (HTTP/1.1, HTTP/2). The old name of this method was misleading; it was always used to configure redirects between
RouteDatabase is no longer public API. OkHttp continues to track which routes have failed but this is no exposed in the API.
ResponseSource is gone. This enum exposed whether a response came from the cache, network, or both. OkHttp 2 offers more detail with raw access to the cache and network responses in the new
TunnelRequest is gone. It specified how to connect to an HTTP proxy. OkHttp 2 uses the new
Requestclass for this.
Dispatcher is a new class that manages the queue of asynchronous calls. It implements limits on total in-flight calls and in-flight calls per host.
- Support Android
- Drop authentication headers on redirect.
- Added support for compressed data frames.
- Process push promise callbacks in order.
- Update to http/2 draft 12.
- Update to HPACK draft 07.
- Add ALPN support. Maven will use ALPN on OpenJDK 8.
- Update NPN dependency to target
- Ensure SPDY variants support zero-length DELETE and POST.
- Prevent leaking a cache item's InputStreams when metadata read fails.
- Use a string to identify TLS versions in routes.
- Add frame logger for HTTP/2.
Protocol. Expose HTTP/1.0 as a potential protocol.
Protocolto describe framing.
- Implement write timeouts for HTTP/1.1 streams.
- Avoid use of SPDY stream ID 1, as that's typically used for UPGRADE.
- Support OAuth in
- Permit a dangling semicolon in media type parsing.
- Offer bridges to make it easier to migrate from OkHttp 1.x to OkHttp 2.0.
@Deprecatedannotations for APIs dropped in 2.0.
- Offer bridges to make it easier to migrate from OkHttp 1.x to OkHttp 2.0. This adds
- Drop ALPN support in Android. There's a concurrency bug in all currently-shipping versions.
- Support asynchronous disconnects by breaking the socket only. This should prevent flakiness from multiple threads concurrently accessing a stream.
- Fix bug where the Content-Length header was not always dropped when following a redirect from a POST to a GET.
- Implement basic support for
Thread.interrupt(). OkHttp now checks for an interruption before doing a blocking call. If it is interrupted, it throws an
- Fix bug where deleting a file that was absent from the
HttpResponseCachecaused an IOException.
- Fix bug in HTTP/2 where our HPACK decoder wasn't emitting entries in certain eviction scenarios, leading to dropped response headers.
- Fix bug where deleting a file that was absent from the
- Fix 1.5.0 regression where connections should not have been recycled.
- Fix 1.5.0 regression where transparent Gzip was broken by attempting to recover from another I/O failure.
- Fix problems where spdy/3.1 headers may not have been compressed properly.
- Fix problems with spdy/3.1 and http/2 where the wrong window size was being used.
- Fix 1.5.0 regression where conditional cache responses could corrupt the connection pool.
0️⃣ OkHttp no longer uses the default SSL context.
🔧 Applications that want to use the global SSL context with OkHttp should configure their OkHttpClient instances with the following:
0️⃣ A simpler solution is to avoid the shared default SSL socket factory. Instead, if you need to customize SSL, do so for your specific OkHttpClient instance only.
Synthetic headers have changed
Previously OkHttp added a synthetic response header,
OkHttp-Selected-Transport. It has been replaced with a new synthetic header,
- New: Support for
- New: Support for
spdy/3.1. Dropped support for
- New: Use ALPN on Android platforms that support it (4.4+)
- New: CacheControl model and parser.
- New: Protocol selection in MockWebServer.
- Fix: Route selection shouldn't use TLS modes that we know will fail.
- Fix: Cache SPDY responses even if the response body is closed prematurely.
- Fix: Use strict timeouts when aborting a download.
- Fix: Support Shoutcast HTTP responses like
ICY 200 OK.
- Fix: Don't unzip if there isn't a response body.
- Fix: Don't leak gzip streams on redirects.
- Fix: Don't do DNS lookups on invalid hosts.
- Fix: Exhaust the underlying stream when reading gzip streams.
- Fix: Support the
- Fix: Support request bodies on
- Fix: Drop the
- Internal: Replaced internal byte array buffers with pooled buffers ("OkBuffer").
- New: Support for