Changelog History
Page 7
-
v3.12.3 Changes
May 07, 20192019-05-07
- Fix: Permit multipart file names to contain non-ASCII characters.
- Fix: Retain the
Route
when a connection is reused on a redirect or other follow-up. This was causing someAuthenticator
calls to see a null route when non-null was expected.
-
v3.12.2 Changes
2019-03-14
- Fix: Don't crash if the HTTPS server returns no certificates in the TLS handshake.
- Fix: Don't leak a connection when a call is canceled immediately preceding the
onFailure()
callback.
-
v3.12.1 Changes
2018-12-23
- Fix: Remove overlapping
package-info.java
. This caused issues with some build tools.
- Fix: Remove overlapping
-
v3.12.0 Changes
2018-11-16
OkHttp now supports TLS 1.3. This requires either Conscrypt or Java 11+.
Proxy authenticators are now asked for preemptive authentication. OkHttp will now request authentication credentials before creating TLS tunnels through HTTP proxies (HTTP
CONNECT
). Authenticators should identify preemptive authentications by the presence of a challenge whose scheme is "OkHttp-Preemptive".OkHttp now offers full-operation timeouts. This sets a limit on how long the entire call may take and covers resolving DNS, connecting, writing the request body, server processing, and reading the full response body. If a call requires redirects or retries all must complete within one timeout period.
Use
OkHttpClient.Builder.callTimeout()
to specify the default duration andCall.timeout()
to specify the timeout of an individual call.New: Return values and fields are now non-null unless otherwise annotated.
New:
LoggingEventListener
makes it easy to get basic visibility into a call's performance. This class is in thelogging-interceptor
artifact.New:
Headers.Builder.addUnsafeNonAscii()
allows non-ASCII values to be added without an immediate exception.New: Headers can be redacted in
HttpLoggingInterceptor
.New:
Headers.Builder
now accepts dates.New: OkHttp now accepts
java.time.Duration
for timeouts on Java 8+ and Android 26+.New:
Challenge
includes all authentication parameters.New: Upgrade to BouncyCastle 1.60, Conscrypt 1.4.0, and Okio 1.15.0. We don't yet require Kotlin-friendly Okio 2.x but OkHttp works fine with that series.
implementation("org.bouncycastle:bcprov-jdk15on:1.60") implementation("org.conscrypt:conscrypt-openjdk-uber:1.4.0") implementation("com.squareup.okio:okio:1.15.0")
Fix: Handle dispatcher executor shutdowns gracefully. When there aren't any threads to carry a call its callback now gets a
RejectedExecutionException
.Fix: Don't permanently cache responses with
Cache-Control: immutable
. We misunderstood the originalimmutable
proposal!Fix: Change
Authenticator
'sRoute
parameter to be nullable. This was marked as non-null but could be called with null in some cases.Fix: Don't create malformed URLs when
MockWebServer
is reached via an IPv6 address.Fix: Don't crash if the system default authenticator is null.
Fix: Don't crash generating elliptic curve certificates on Android.
Fix: Don't crash doing platform detection on RoboVM.
Fix: Don't leak socket connections when web socket upgrades fail.
-
v3.11.0 Changes
2018-07-12
OkHttp's new okhttp-tls submodule tames HTTPS and TLS.
HeldCertificate
is a TLS certificate and its private key. Generate a certificate with its builder then use it to sign another certificate or perform a TLS handshake. ThecertificatePem()
method encodes the certificate in the familiar PEM format (--- BEGIN CERTIFICATE ---
); theprivateKeyPkcs8Pem()
does likewise for the private key.HandshakeCertificates
holds the TLS certificates required for a TLS handshake. On the server it keeps yourHeldCertificate
and its chain. On the client it keeps the root certificates that are trusted to sign a server's certificate chain.HandshakeCertificates
also works with mutual TLS where these roles are reversed.These classes make it possible to enable HTTPS in MockWebServer in [just a few lines of code][https_server_sample].
OkHttp now supports prior knowledge cleartext HTTP/2. Enable this by setting
Protocol.H2_PRIOR_KNOWLEDGE
as the lone protocol on anOkHttpClient.Builder
. This mode only supportshttp:
URLs and is best suited in closed environments where HTTPS is inappropriate.New:
HttpUrl.get(String)
is an alternative toHttpUrl.parse(String)
that throws an exception when the URL is malformed instead of returning null. Use this to avoid checking for null in situations where the input is known to be well-formed. We've also addedMediaType.get(String)
which is an exception-throwing alternative toMediaType.parse(String)
.New: The
EventListener
API previewed in OkHttp 3.9 has graduated to a stable API. Use this interface to track metrics and monitor HTTP requests' size and duration.New:
okhttp-dnsoverhttps
is an experimental API for doing DNS queries over HTTPS. Using HTTPS for DNS offers better security and potentially better performance. This feature is a preview: the API is subject to change.New:
okhttp-sse
is an early preview of Server-Sent Events (SSE). This feature is incomplete and is only suitable for experimental use.New: MockWebServer now supports client authentication (mutual TLS). Call
requestClientAuth()
to permit an optional client certificate orrequireClientAuth()
to require one.New:
RecordedRequest.getHandshake()
returns the HTTPS handshake of a request sent toMockWebServer
.Fix: Honor the
MockResponse
header delay in MockWebServer.Fix: Don't release HTTP/2 connections that have multiple canceled calls. We had a bug where canceling calls would cause the shared HTTP/2 connection to be unnecessarily released. This harmed connection reuse.
Fix: Ensure canceled and discarded HTTP/2 data is not permanently counted against the limited flow control window. We had a few bugs where window size accounting was broken when streams were canceled or reset.
Fix: Recover gracefully if the TLS session returns an unexpected version (
NONE
) or cipher suite (SSL_NULL_WITH_NULL_NULL
).Fix: Don't change Conscrypt configuration globally. We migrated from a process-wide setting to configuring only OkHttp's TLS sockets.
Fix: Prefer TLSv1.2 where it is available. On certain older platforms it is necessary to opt-in to TLSv1.2.
New:
Request.tag()
permits multiple tags. Use aClass<?>
as a key to identify tags. Note thattag()
now returns null if the request has no tag. Previously this would return the request itself.New:
Headers.Builder.addAll(Headers)
.New:
ResponseBody.create(MediaType, ByteString)
.New: Embed R8/ProGuard rules in the jar. These will be applied automatically by R8.
Fix: Release the connection if
Authenticator
throws an exception.Fix: Change the declaration of
OkHttpClient.cache()
to return a@Nullable Cache
. The return value has always been nullable but it wasn't declared properly.Fix: Reverse suppression of connect exceptions. When both a call and its retry fail, we now throw the initial exception which is most likely to be actionable.
Fix: Retain interrupted state when throwing
InterruptedIOException
. A single interrupt should now be sufficient to break out an in-flight OkHttp call.Fix: Don't drop a call to
EventListener.callEnd()
when the response body is consumed inside an interceptor.
-
v3.10.0 Changes
2018-02-24
The pingInterval() feature now aggressively checks connectivity for web sockets and HTTP/2 connections.
Previously if you configured a ping interval that would cause OkHttp to send pings, but it did not track whether the reply pongs were received. With this update OkHttp requires that every ping receive a response: if it does not the connection will be closed and the listener's
onFailure()
method will be called.Web sockets have always been had pings, but pings on HTTP/2 connections is new in this release. Pings are used for connections that are busy carrying calls and for idle connections in the connection pool. (Pings do not impact when pooled connections are evicted).
If you have a configured ping interval, you should confirm that it is long enough for a roundtrip from client to server. If your ping interval is too short, slow connections may be misinterpreted as failed connections. A ping interval of 30 seconds is reasonable for most use cases.
OkHttp now supports [Conscrypt][conscrypt]. Conscrypt is a Java Security Provider that integrates BoringSSL into the Java platform. Conscrypt supports more cipher suites than the JVM’s default provider and may also execute more efficiently.
To use it, first register a [Conscrypt dependency][conscrypt_dependency] in your build system.
OkHttp will use Conscrypt if you set the
okhttp.platform
system property toconscrypt
.Alternatively, OkHttp will also use Conscrypt if you install it as your preferred security provider. To do so, add the following code to execute before you create your
OkHttpClient
.Security.insertProviderAt( new org.conscrypt.OpenSSLProvider(), 1);
Conscrypt is the bundled security provider on Android so it is not necessary to configure it on that platform.
New:
HttpUrl.addQueryParameter()
percent-escapes more characters. Previously several ASCII punctuation characters were not percent-escaped when used with this method. This does not impact already-encoded query parameters in APIs likeHttpUrl.parse()
andHttpUrl.Builder.addEncodedQueryParameter()
.New: CBC-mode ECDSA cipher suites have been removed from OkHttp's default configuration:
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
andTLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
. This tracks a [Chromium change][remove_cbc_ecdsa] to remove these cipher suites because they are fragile and rarely-used.New: Don't fall back to common name (CN) verification for hostnames. This behavior was deprecated with RFC 2818 in May 2000 and was recently dropped from major web browsers.
New: Honor the
Retry-After
response header. HTTP 503 (Unavailable) responses are retried automatically if this header is present and its delay is 0 seconds. HTTP 408 (Client Timeout) responses are retried automatically if the header is absent or its delay is 0 seconds.New: Allow request bodies for all HTTP methods except GET and HEAD.
New: Automatic module name of
okhttp3
for use with the Java Platform Module System.New: Log gzipped bodies when
HttpLoggingInterceptor
is used as a network interceptor.New:
Protocol.QUIC
constant. This protocol is not supported but this constant is included for completeness.New: Upgrade to Okio 1.14.0.
<dependency> <groupId>com.squareup.okio</groupId> <artifactId>okio</artifactId> <version>1.14.0</version> </dependency> com.squareup.okio:okio:1.14.0
Fix: Handle
HTTP/1.1 100 Continue
status lines, even on requests that did not send theExpect: continue
request header.Fix: Do not count web sockets toward the dispatcher's per-host connection limit.
Fix: Avoid using invalid HTTPS sessions. This prevents OkHttp from crashing with the error,
Unexpected TLS version: NONE
.Fix: Don't corrupt the response cache when a 304 (Not Modified) response overrides the stored "Content-Encoding" header.
Fix: Gracefully shut down the HTTP/2 connection before it exhausts the namespace of stream IDs (~536 million streams).
Fix: Never pass a null
Route
toAuthenticator
. There was a bug where routes were omitted for eagerly-closed connections.
-
v3.9.1 Changes
2017-11-18
- New: Recover gracefully when Android's DNS crashes with an unexpected
NullPointerException
. - New: Recover gracefully when Android's socket connections crash with an
unexpected
ClassCastException
. - Fix: Don't include the URL's fragment in
encodedQuery()
when the query itself is empty.
- New: Recover gracefully when Android's DNS crashes with an unexpected
-
v3.9.0 Changes
2017-09-03
Interceptors are more capable. The
Chain
interface now offers access to the call and can adjust all call timeouts. Note that this change is source-incompatible for code that implements theChain
interface. We don't expect this to be a problem in practice!OkHttp has an experimental new API for tracking metrics. The new
EventListener
API is designed to help developers monitor HTTP requests' size and duration. This feature is an unstable preview: the API is subject to change, and the implementation is incomplete. This is a big new API we are eager for feedback.New: Support ALPN via Google Play Services' Dynamic Security Provider. This expands HTTP/2 support to older Android devices that have Google Play Services.
New: Consider all routes when looking for candidate coalesced connections. This increases the likelihood that HTTP/2 connections will be shared.
New: Authentication challenges and credentials now use a charset. Use this in your authenticator to support user names and passwords with non-ASCII characters.
New: Accept a charset in
FormBody.Builder
. Previously form bodies were always UTF-8.New: Support the
immutable
cache-control directive.Fix: Don't crash when an HTTP/2 call is redirected while the connection is being shut down.
Fix: Don't drop headers of healthy streams that raced with
GOAWAY
frames. This bug would cause HTTP/2 streams to occasional hang when the connection was shutting down.Fix: Honor
OkHttpClient.retryOnConnectionFailure()
when the response is a HTTP 408 Request Timeout. If retries are enabled, OkHttp will retry exactly once in response to a 408.Fix: Don't crash when reading the empty
HEAD
response body if it specifies aContent-Length
.Fix: Don't crash if the thread is interrupted while reading the public suffix database.
Fix: Use relative resource path when loading the public suffix database. Loading the resource using a path relative to the class prevents conflicts when the OkHttp classes are relocated (shaded) by allowing multiple private copies of the database.
Fix: Accept cookies for URLs that have an IPv6 address for a host.
Fix: Don't log the protocol (HTTP/1.1, h2) in HttpLoggingInterceptor if the protocol isn't negotiated yet! Previously we'd log HTTP/1.1 by default, and this was confusing.
Fix: Omit the message from MockWebServer's HTTP/2
:status
header.Fix: Handle 'Expect: 100 Continue' properly in MockWebServer.
-
v3.8.1 Changes
2017-06-18
- Fix: Recover gracefully from stale coalesced connections. We had a bug where
connection coalescing (introduced in OkHttp 3.7.0) and stale connection
recovery could interact to cause a
NoSuchElementException
crash in theRouteSelector
.
- Fix: Recover gracefully from stale coalesced connections. We had a bug where
connection coalescing (introduced in OkHttp 3.7.0) and stale connection
recovery could interact to cause a
-
v3.8.0 Changes
2017-05-13
OkHttp now uses
@Nullable
to annotate all possibly-null values. We've added a compile-time dependency on the JSR 305 annotations. This is a [provided][maven_provided] dependency and does not need to be included in your build configuration,.jar
file, or.apk
. We use@ParametersAreNonnullByDefault
and all parameters and return types are never null unless explicitly annotated@Nullable
.Warning: this release is source-incompatible for Kotlin users. Nullability was previously ambiguous and lenient but now the compiler will enforce strict null checks.
New: The response message is now non-null. This is the "Not Found" in the status line "HTTP 404 Not Found". If you are building responses programmatically (with
new Response.Builder()
) you must now always supply a message. An empty string""
is permitted. This value was never null on responses returned by OkHttp itself, and it was an old mistake to permit application code to omit a message.The challenge's scheme and realm are now non-null. If you are calling
new Challenge(scheme, realm)
you must provide non-null values. These were never null in challenges created by OkHttp, but could have been null in application code that creates challenges.New: The
TlsVersion
of aHandshake
is now non-null. If you are callingHandshake.get()
with a null TLS version, you must instead now provide a non-nullTlsVersion
. Cache responses persisted prior to OkHttp 3.0 did not store a TLS version; for these unknown values the handshake is defaulted toTlsVersion.SSL_3_0
.New: Upgrade to Okio 1.13.0.
<dependency> <groupId>com.squareup.okio</groupId> <artifactId>okio</artifactId> <version>1.13.0</version> </dependency> com.squareup.okio:okio:1.13.0
Fix: gracefully recover when Android 7.0's sockets throw an unexpected
NullPointerException
.