All Versions
117
Latest Version
Avg Release Cycle
18 days
Latest Release
-

Changelog History
Page 7

  • v3.12.3 Changes

    May 07, 2019

    2019-05-07

    • Fix: Permit multipart file names to contain non-ASCII characters.
    • Fix: Retain the Route when a connection is reused on a redirect or other follow-up. This was causing some Authenticator calls to see a null route when non-null was expected.
  • v3.12.2 Changes

    2019-03-14

    • Fix: Don't crash if the HTTPS server returns no certificates in the TLS handshake.
    • Fix: Don't leak a connection when a call is canceled immediately preceding the onFailure() callback.
  • v3.12.1 Changes

    2018-12-23

    • Fix: Remove overlapping package-info.java. This caused issues with some build tools.
  • v3.12.0 Changes

    2018-11-16

    • OkHttp now supports TLS 1.3. This requires either Conscrypt or Java 11+.

    • Proxy authenticators are now asked for preemptive authentication. OkHttp will now request authentication credentials before creating TLS tunnels through HTTP proxies (HTTP CONNECT). Authenticators should identify preemptive authentications by the presence of a challenge whose scheme is "OkHttp-Preemptive".

    • OkHttp now offers full-operation timeouts. This sets a limit on how long the entire call may take and covers resolving DNS, connecting, writing the request body, server processing, and reading the full response body. If a call requires redirects or retries all must complete within one timeout period.

      Use OkHttpClient.Builder.callTimeout() to specify the default duration and Call.timeout() to specify the timeout of an individual call.

    • New: Return values and fields are now non-null unless otherwise annotated.

    • New: LoggingEventListener makes it easy to get basic visibility into a call's performance. This class is in the logging-interceptor artifact.

    • New: Headers.Builder.addUnsafeNonAscii() allows non-ASCII values to be added without an immediate exception.

    • New: Headers can be redacted in HttpLoggingInterceptor.

    • New: Headers.Builder now accepts dates.

    • New: OkHttp now accepts java.time.Duration for timeouts on Java 8+ and Android 26+.

    • New: Challenge includes all authentication parameters.

    • New: Upgrade to BouncyCastle 1.60, Conscrypt 1.4.0, and Okio 1.15.0. We don't yet require Kotlin-friendly Okio 2.x but OkHttp works fine with that series.

      implementation("org.bouncycastle:bcprov-jdk15on:1.60")
      implementation("org.conscrypt:conscrypt-openjdk-uber:1.4.0")
      implementation("com.squareup.okio:okio:1.15.0")
      
    • Fix: Handle dispatcher executor shutdowns gracefully. When there aren't any threads to carry a call its callback now gets a RejectedExecutionException.

    • Fix: Don't permanently cache responses with Cache-Control: immutable. We misunderstood the original immutable proposal!

    • Fix: Change Authenticator's Route parameter to be nullable. This was marked as non-null but could be called with null in some cases.

    • Fix: Don't create malformed URLs when MockWebServer is reached via an IPv6 address.

    • Fix: Don't crash if the system default authenticator is null.

    • Fix: Don't crash generating elliptic curve certificates on Android.

    • Fix: Don't crash doing platform detection on RoboVM.

    • Fix: Don't leak socket connections when web socket upgrades fail.

  • v3.11.0 Changes

    2018-07-12

    • OkHttp's new okhttp-tls submodule tames HTTPS and TLS.

      HeldCertificate is a TLS certificate and its private key. Generate a certificate with its builder then use it to sign another certificate or perform a TLS handshake. The certificatePem() method encodes the certificate in the familiar PEM format (--- BEGIN CERTIFICATE ---); the privateKeyPkcs8Pem() does likewise for the private key.

      HandshakeCertificates holds the TLS certificates required for a TLS handshake. On the server it keeps your HeldCertificate and its chain. On the client it keeps the root certificates that are trusted to sign a server's certificate chain. HandshakeCertificates also works with mutual TLS where these roles are reversed.

      These classes make it possible to enable HTTPS in MockWebServer in [just a few lines of code][https_server_sample].

    • OkHttp now supports prior knowledge cleartext HTTP/2. Enable this by setting Protocol.H2_PRIOR_KNOWLEDGE as the lone protocol on an OkHttpClient.Builder. This mode only supports http: URLs and is best suited in closed environments where HTTPS is inappropriate.

    • New: HttpUrl.get(String) is an alternative to HttpUrl.parse(String) that throws an exception when the URL is malformed instead of returning null. Use this to avoid checking for null in situations where the input is known to be well-formed. We've also added MediaType.get(String) which is an exception-throwing alternative to MediaType.parse(String).

    • New: The EventListener API previewed in OkHttp 3.9 has graduated to a stable API. Use this interface to track metrics and monitor HTTP requests' size and duration.

    • New: okhttp-dnsoverhttps is an experimental API for doing DNS queries over HTTPS. Using HTTPS for DNS offers better security and potentially better performance. This feature is a preview: the API is subject to change.

    • New: okhttp-sse is an early preview of Server-Sent Events (SSE). This feature is incomplete and is only suitable for experimental use.

    • New: MockWebServer now supports client authentication (mutual TLS). Call requestClientAuth() to permit an optional client certificate or requireClientAuth() to require one.

    • New: RecordedRequest.getHandshake() returns the HTTPS handshake of a request sent to MockWebServer.

    • Fix: Honor the MockResponse header delay in MockWebServer.

    • Fix: Don't release HTTP/2 connections that have multiple canceled calls. We had a bug where canceling calls would cause the shared HTTP/2 connection to be unnecessarily released. This harmed connection reuse.

    • Fix: Ensure canceled and discarded HTTP/2 data is not permanently counted against the limited flow control window. We had a few bugs where window size accounting was broken when streams were canceled or reset.

    • Fix: Recover gracefully if the TLS session returns an unexpected version (NONE) or cipher suite (SSL_NULL_WITH_NULL_NULL).

    • Fix: Don't change Conscrypt configuration globally. We migrated from a process-wide setting to configuring only OkHttp's TLS sockets.

    • Fix: Prefer TLSv1.2 where it is available. On certain older platforms it is necessary to opt-in to TLSv1.2.

    • New: Request.tag() permits multiple tags. Use a Class<?> as a key to identify tags. Note that tag() now returns null if the request has no tag. Previously this would return the request itself.

    • New: Headers.Builder.addAll(Headers).

    • New: ResponseBody.create(MediaType, ByteString).

    • New: Embed R8/ProGuard rules in the jar. These will be applied automatically by R8.

    • Fix: Release the connection if Authenticator throws an exception.

    • Fix: Change the declaration of OkHttpClient.cache() to return a @Nullable Cache. The return value has always been nullable but it wasn't declared properly.

    • Fix: Reverse suppression of connect exceptions. When both a call and its retry fail, we now throw the initial exception which is most likely to be actionable.

    • Fix: Retain interrupted state when throwing InterruptedIOException. A single interrupt should now be sufficient to break out an in-flight OkHttp call.

    • Fix: Don't drop a call to EventListener.callEnd() when the response body is consumed inside an interceptor.

  • v3.10.0 Changes

    2018-02-24

    • The pingInterval() feature now aggressively checks connectivity for web sockets and HTTP/2 connections.

      Previously if you configured a ping interval that would cause OkHttp to send pings, but it did not track whether the reply pongs were received. With this update OkHttp requires that every ping receive a response: if it does not the connection will be closed and the listener's onFailure() method will be called.

      Web sockets have always been had pings, but pings on HTTP/2 connections is new in this release. Pings are used for connections that are busy carrying calls and for idle connections in the connection pool. (Pings do not impact when pooled connections are evicted).

      If you have a configured ping interval, you should confirm that it is long enough for a roundtrip from client to server. If your ping interval is too short, slow connections may be misinterpreted as failed connections. A ping interval of 30 seconds is reasonable for most use cases.

    • OkHttp now supports [Conscrypt][conscrypt]. Conscrypt is a Java Security Provider that integrates BoringSSL into the Java platform. Conscrypt supports more cipher suites than the JVM’s default provider and may also execute more efficiently.

      To use it, first register a [Conscrypt dependency][conscrypt_dependency] in your build system.

      OkHttp will use Conscrypt if you set the okhttp.platform system property to conscrypt.

      Alternatively, OkHttp will also use Conscrypt if you install it as your preferred security provider. To do so, add the following code to execute before you create your OkHttpClient.

      Security.insertProviderAt(
          new org.conscrypt.OpenSSLProvider(), 1);
      

      Conscrypt is the bundled security provider on Android so it is not necessary to configure it on that platform.

    • New: HttpUrl.addQueryParameter() percent-escapes more characters. Previously several ASCII punctuation characters were not percent-escaped when used with this method. This does not impact already-encoded query parameters in APIs like HttpUrl.parse() and HttpUrl.Builder.addEncodedQueryParameter().

    • New: CBC-mode ECDSA cipher suites have been removed from OkHttp's default configuration: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA and TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA. This tracks a [Chromium change][remove_cbc_ecdsa] to remove these cipher suites because they are fragile and rarely-used.

    • New: Don't fall back to common name (CN) verification for hostnames. This behavior was deprecated with RFC 2818 in May 2000 and was recently dropped from major web browsers.

    • New: Honor the Retry-After response header. HTTP 503 (Unavailable) responses are retried automatically if this header is present and its delay is 0 seconds. HTTP 408 (Client Timeout) responses are retried automatically if the header is absent or its delay is 0 seconds.

    • New: Allow request bodies for all HTTP methods except GET and HEAD.

    • New: Automatic module name of okhttp3 for use with the Java Platform Module System.

    • New: Log gzipped bodies when HttpLoggingInterceptor is used as a network interceptor.

    • New: Protocol.QUIC constant. This protocol is not supported but this constant is included for completeness.

    • New: Upgrade to Okio 1.14.0.

       <dependency>
         <groupId>com.squareup.okio</groupId>
         <artifactId>okio</artifactId>
         <version>1.14.0</version>
       </dependency>
      
       com.squareup.okio:okio:1.14.0
      
    • Fix: Handle HTTP/1.1 100 Continue status lines, even on requests that did not send the Expect: continue request header.

    • Fix: Do not count web sockets toward the dispatcher's per-host connection limit.

    • Fix: Avoid using invalid HTTPS sessions. This prevents OkHttp from crashing with the error, Unexpected TLS version: NONE.

    • Fix: Don't corrupt the response cache when a 304 (Not Modified) response overrides the stored "Content-Encoding" header.

    • Fix: Gracefully shut down the HTTP/2 connection before it exhausts the namespace of stream IDs (~536 million streams).

    • Fix: Never pass a null Route to Authenticator. There was a bug where routes were omitted for eagerly-closed connections.

  • v3.9.1 Changes

    2017-11-18

    • New: Recover gracefully when Android's DNS crashes with an unexpected NullPointerException.
    • New: Recover gracefully when Android's socket connections crash with an unexpected ClassCastException.
    • Fix: Don't include the URL's fragment in encodedQuery() when the query itself is empty.
  • v3.9.0 Changes

    2017-09-03

    • Interceptors are more capable. The Chain interface now offers access to the call and can adjust all call timeouts. Note that this change is source-incompatible for code that implements the Chain interface. We don't expect this to be a problem in practice!

    • OkHttp has an experimental new API for tracking metrics. The new EventListener API is designed to help developers monitor HTTP requests' size and duration. This feature is an unstable preview: the API is subject to change, and the implementation is incomplete. This is a big new API we are eager for feedback.

    • New: Support ALPN via Google Play Services' Dynamic Security Provider. This expands HTTP/2 support to older Android devices that have Google Play Services.

    • New: Consider all routes when looking for candidate coalesced connections. This increases the likelihood that HTTP/2 connections will be shared.

    • New: Authentication challenges and credentials now use a charset. Use this in your authenticator to support user names and passwords with non-ASCII characters.

    • New: Accept a charset in FormBody.Builder. Previously form bodies were always UTF-8.

    • New: Support the immutable cache-control directive.

    • Fix: Don't crash when an HTTP/2 call is redirected while the connection is being shut down.

    • Fix: Don't drop headers of healthy streams that raced with GOAWAY frames. This bug would cause HTTP/2 streams to occasional hang when the connection was shutting down.

    • Fix: Honor OkHttpClient.retryOnConnectionFailure() when the response is a HTTP 408 Request Timeout. If retries are enabled, OkHttp will retry exactly once in response to a 408.

    • Fix: Don't crash when reading the empty HEAD response body if it specifies a Content-Length.

    • Fix: Don't crash if the thread is interrupted while reading the public suffix database.

    • Fix: Use relative resource path when loading the public suffix database. Loading the resource using a path relative to the class prevents conflicts when the OkHttp classes are relocated (shaded) by allowing multiple private copies of the database.

    • Fix: Accept cookies for URLs that have an IPv6 address for a host.

    • Fix: Don't log the protocol (HTTP/1.1, h2) in HttpLoggingInterceptor if the protocol isn't negotiated yet! Previously we'd log HTTP/1.1 by default, and this was confusing.

    • Fix: Omit the message from MockWebServer's HTTP/2 :status header.

    • Fix: Handle 'Expect: 100 Continue' properly in MockWebServer.

  • v3.8.1 Changes

    2017-06-18

    • Fix: Recover gracefully from stale coalesced connections. We had a bug where connection coalescing (introduced in OkHttp 3.7.0) and stale connection recovery could interact to cause a NoSuchElementException crash in the RouteSelector.
  • v3.8.0 Changes

    2017-05-13

    • OkHttp now uses @Nullable to annotate all possibly-null values. We've added a compile-time dependency on the JSR 305 annotations. This is a [provided][maven_provided] dependency and does not need to be included in your build configuration, .jar file, or .apk. We use @ParametersAreNonnullByDefault and all parameters and return types are never null unless explicitly annotated @Nullable.

    • Warning: this release is source-incompatible for Kotlin users. Nullability was previously ambiguous and lenient but now the compiler will enforce strict null checks.

    • New: The response message is now non-null. This is the "Not Found" in the status line "HTTP 404 Not Found". If you are building responses programmatically (with new Response.Builder()) you must now always supply a message. An empty string "" is permitted. This value was never null on responses returned by OkHttp itself, and it was an old mistake to permit application code to omit a message.

    • The challenge's scheme and realm are now non-null. If you are calling new Challenge(scheme, realm) you must provide non-null values. These were never null in challenges created by OkHttp, but could have been null in application code that creates challenges.

    • New: The TlsVersion of a Handshake is now non-null. If you are calling Handshake.get() with a null TLS version, you must instead now provide a non-null TlsVersion. Cache responses persisted prior to OkHttp 3.0 did not store a TLS version; for these unknown values the handshake is defaulted to TlsVersion.SSL_3_0.

    • New: Upgrade to Okio 1.13.0.

       <dependency>
         <groupId>com.squareup.okio</groupId>
         <artifactId>okio</artifactId>
         <version>1.13.0</version>
       </dependency>
      
       com.squareup.okio:okio:1.13.0
      
    • Fix: gracefully recover when Android 7.0's sockets throw an unexpected NullPointerException.