HTTP/2 support. We‘ve done interop testing and haven’t seen any problems. HTTP/2 support has been a big effort and we're particularly thankful to Adrian Cole who has helped us to reach this milestone.
RC4 cipher suites are no longer supported by default. To connect to old, obsolete servers relying on these cipher suites, you must create a custom
Beta WebSockets support.. The
okhttp-ws subproject offers a new websockets client. Please try it out! When it's ready we intend to include it with the core OkHttp library.
Okio updated to 1.3.0.
<dependency> <groupId>com.squareup.okio</groupId> <artifactId>okio</artifactId> <version>1.3.0</version> </dependency>
Fix: improve parallelism of async requests. OkHttp‘s Dispatcher had a misconfigured
ExecutorService that limited the number of worker threads. If you’re using
Call.enqueue() this update should significantly improve request concurrency.
Fix: Lazily initialize the response cache. This avoids strict mode warnings when initializing OkHttp on Android‘s main thread.
Fix: Disable ALPN on Android 4.4. That release of the feature was unstable and prone to native crashes in the underlying OpenSSL code.
Fix: Don't send both
If-Modified-Since cache headers when both are applicable.
Fix: Fail early when a port is out of range.
Content-Length headers for multipart request bodies.
UnknownServiceException if a cleartext connection is attempted when explicitly forbidden.
Fix: Throw a
SSLPeerUnverifiedException when host verification fails.
Fix: MockWebServer explicitly closes sockets. (On some Android releases, closing the input stream and output stream of a socket is not sufficient.
Fix: Buffer outgoing HTTP/2 frames to limit how many outgoing frames are created.
Fix: Avoid crashing when cache writing fails due to a full disk.
Fix: Improve caching of private responses.
Fix: Update cache-by-default response codes.
Request.Builder instances no longer hold stale URL fields.
New: ConnectionSpec can now be configured to use the SSL socket's default cipher suites. To use, set the cipher suites to
DELETE with a request body.
Headers.of(Map) creates headers from a Map.
RequestBody.contentLength() now throws
IOException. This is a source-incompatible change. If you have code that calls
RequestBody.contentLength(), your compile will break with this update. The change is binary-compatible, however: code compiled for OkHttp 2.0 and 2.1 will continue work with this update.
COMPATIBLE_TLS no longer supports SSLv3. In response to the POODLE vulnerability, OkHttp no longer offers SSLv3 when negotiation an HTTPS connection. If you continue to need to connect to webservers running SSLv3, you must manually configure your own
OkHttp now offers interceptors. Interceptors are a powerful mechanism that can monitor, rewrite, and retry calls. The project wiki has a full introduction to this new API.
New: APIs to iterate and selectively clear the response cache.
New: Support for SOCKS proxies.
New: Support for
New: Update HTTP/2 support to to
New: APIs to prevent retrying non-idempotent requests.
Fix: Drop NPN support. Going forward we support ALPN only.
Fix: The hostname verifier is now strict. This is consistent with the hostname verifier in modern browsers.
CONNECT handling for misbehaving HTTP proxies.
Fix: Don't retry requests that failed due to timeouts.
Fix: Cache 302s and 308s that include appropriate response headers.
Fix: Improve pooling of connections that use proxy selectors.
Fix: Don't leak connections when using ALPN on the desktop.
Fix: Update Jetty ALPN to
7.1.2.v20141202 (Java 7) and
8.1.2.v20141202 (Java 8). This fixes a bug in resumed TLS sessions where the wrong protocol could be selected.
Fix: Don't crash in SPDY and HTTP/2 when disconnecting before connecting.
Fix: Avoid a reverse DNS-lookup for a numeric proxy address
Fix: Resurrect http/2 frame logging.
Fix: Limit to 20 authorization attempts.
OkHttp now caches private responses. We‘ve changed from a shared cache to a private cache, and will now store responses that use an
Authorization header. This means OkHttp’s cache shouldn't be used on middleboxes that sit between user agents and the origin server.
TLS configuration updated. OkHttp now explicitly enables TLSv1.2, TLSv1.1 and TLSv1.0 where they are supported. It will continue to perform only one fallback, to SSLv3. Applications can now configure this with the
To disable TLS fallback:
client.setConnectionSpecs(Arrays.asList( ConnectionSpec.MODERN_TLS, ConnectionSpec.CLEARTEXT));
To disable cleartext connections, permitting
https URLs only:
client.setConnectionSpecs(Arrays.asList( ConnectionSpec.MODERN_TLS, ConnectionSpec.COMPATIBLE_TLS));
New cipher suites. Please confirm that your webservers are reachable with this limited set of cipher suites.
Android Name Version TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 5.0 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 5.0 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 5.0 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 4.0 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 4.0 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 4.0 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 4.0 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA 4.0 TLS_ECDHE_RSA_WITH_RC4_128_SHA 4.0 TLS_DHE_RSA_WITH_AES_128_CBC_SHA 2.3 TLS_DHE_DSS_WITH_AES_128_CBC_SHA 2.3 TLS_DHE_RSA_WITH_AES_256_CBC_SHA 2.3 TLS_RSA_WITH_AES_128_GCM_SHA256 5.0 TLS_RSA_WITH_AES_128_CBC_SHA 2.3 TLS_RSA_WITH_AES_256_CBC_SHA 2.3 SSL_RSA_WITH_3DES_EDE_CBC_SHA 2.3 (Deprecated in 5.0) SSL_RSA_WITH_RC4_128_SHA 2.3 SSL_RSA_WITH_RC4_128_MD5 2.3 (Deprecated in 5.0)
Okio updated to 1.0.1.
<dependency> <groupId>com.squareup.okio</groupId> <artifactId>okio</artifactId> <version>1.0.1</version> </dependency>
New APIs to permit easy certificate pinning. Be warned, certificate pinning is dangerous and could prevent your application from trusting your server!
Cache improvements. This release fixes some severe cache problems including a bug where the cache could be corrupted upon certain access patterns. We also fixed a bug where the cache was being cleared due to a corrupted journal. We‘ve added APIs to configure a request’s
Cache-Control headers, and to manually clear the cache.
Request cancellation fixes. This update fixes a bug where synchronous requests couldn‘t be canceled by tag. This update avoids crashing when
onResponse() throws an
IOException. That failure will now be logged instead of notifying the thread’s uncaught exception handler. We've added a new API,
Call.isCanceled() to check if a call has been canceled.
MultipartBuilder to support content length.
New: Make it possible to mock
New: Update to h2-14 and hpack-9.
New: OkHttp includes a user-agent by default, like
Fix: Handle response code
308 Permanent Redirect.
Fix: Don't skip the callback if a call is canceled.
Fix: Permit hostnames with underscores.
Fix: Permit overriding the content-type in
Fix: Use the socket factory for direct connections.
OkUrlFactory APIs that disable redirects.
Fix: Don't crash on concurrent modification of
SPDY SPDY settings.
This release commits to a stable 2.0 API. Read the 2.0.0-RC1 changes for advice on upgrading from 1.x to 2.x.
Callback.onFailure(). This is a source-incompatible change, and is different from OkHttp 2.0.0-RC2 which used
This update fixes problems in 2.0.0-RC1. Read the 2.0.0-RC1 changes for advice on upgrading from 1.x to 2.x.
Fix: Don't leak connections! There was a regression in 2.0.0-RC1 where connections were neither closed nor pooled.
Fix: Revert builder-style return types from OkHttpClient's timeout methods for binary compatibility with OkHttp 1.x.
Fix: Don‘t skip client stream 1 on SPDY/3.1. This fixes SPDY connectivity to
https://google.com, which doesn’t follow the SPDY/3.1 spec!
Fix: Always configure NPN headers. This fixes connectivity to
https://facebook.com when SPDY and HTTP/2 are both disabled. Otherwise an unexpected NPN response is received and OkHttp crashes.
Fix: Write continuation frames when HPACK data is larger than 16383 bytes.
Fix: Don't drop uncaught exceptions thrown in async calls.
Fix: Throw an exception eagerly when a request body is not legal. Previously we ignored the problem at request-building time, only to crash later with a
Fix: Include a backwards-compatible
OkHttp-Response-Source header with
Fix: Don't include a default User-Agent header in requests made with the Call API. Requests made with OkUrlFactory will continue to have a default user agent.
New: Guava-like API to create headers:
Headers headers = Headers.of(name1, value1, name2, value2, ...).
New: Make the content-type header optional for request bodies.
Response.isSuccessful() is a convenient API to check response codes.
New: The response body can now be read outside of the callback. Response bodies must always be closed, otherwise they will leak connections!
New: APIs to create multipart request bodies (
MultipartBuilder) and form encoding bodies (
OkHttp 2 is designed around a new API that is true to HTTP, with classes for requests, responses, headers, and calls. It uses modern Java patterns like immutability and chained builders. The API now offers asynchronous callbacks in addition to synchronous blocking calls.
New Request and Response types, each with their own builder. There's also a
RequestBody class to write the request body to the network and a
ResponseBody to read the response body from the network. The standalone
Headers class offers full access to the HTTP headers.
Okio dependency added. OkHttp now depends on Okio, an I/O library that makes it easier to access, store and process data. Using this library internally makes OkHttp faster while consuming less memory. You can write a
RequestBody as an Okio
BufferedSink and a
ResponseBody as an Okio
OutputStream access is also available.
New Call and Callback types execute requests and receive their responses. Both types of calls can be canceled via the
Call or the
URLConnection support has moved to the okhttp-urlconnection module. If you're upgrading from 1.x, this change will impact you. You will need to add the
okhttp-urlconnection module to your project and use the
OkUrlFactory to create new instances of
// OkHttp 1.x: HttpURLConnection connection = client.open(url); // OkHttp 2.x: HttpURLConnection connection = new OkUrlFactory(client).open(url);
Custom caches are no longer supported. In OkHttp 1.x it was possible to define your own response cache with the
java.net.ResponseCache and OkHttp's
OkResponseCache interfaces. Both of these APIs have been dropped. In OkHttp 2 the built-in disk cache is the only supported response cache.
HttpResponseCache has been renamed to Cache. Install it with
OkHttpClient.setCache(...) instead of
OkAuthenticator has been replaced with Authenticator. This new authenticator has access to the full incoming response and can respond with whichever followup request is appropriate. The
Challenge class is now a top-level class and
Credential is replaced with a utility class called
OkHttpClient.getFollowProtocolRedirects() renamed to getFollowSslRedirects(). We reserve the word protocol for the HTTP version being used (HTTP/1.1, HTTP/2). The old name of this method was misleading; it was always used to configure redirects between
RouteDatabase is no longer public API. OkHttp continues to track which routes have failed but this is no exposed in the API.
ResponseSource is gone. This enum exposed whether a response came from the cache, network, or both. OkHttp 2 offers more detail with raw access to the cache and network responses in the new
TunnelRequest is gone. It specified how to connect to an HTTP proxy. OkHttp 2 uses the new
Request class for this.
Dispatcher is a new class to manages the queue of asynchronous calls. It implements limits on total in-flight calls and in-flight calls per host.
Protocol. Expose HTTP/1.0 as a potential protocol.
Protocolto describe framing.
@Deprecatedannotations for APIs dropped in 2.0.
Thread.interrupt(). OkHttp now checks for an interruption before doing a blocking call. If it is interrupted, it throws an
HttpResponseCachecaused an IOException.
Applications that want to use the global SSL context with OkHttp should configure their OkHttpClient instances with the following:
A simpler solution is to avoid the shared default SSL socket factory. Instead, if you need to customize SSL, do so for your specific OkHttpClient instance only.
Previously OkHttp added a synthetic response header,
OkHttp-Selected-Transport. It has been replaced with a new synthetic header,
spdy/3.1. Dropped support for
ICY 200 OK.
Content-Lengthheader when redirected from POST to GET.
nullis never returned from a connection's
Content-Encodingheader to cache for GZip responses.
;as separator for
New APIs on OkHttpClient to set default timeouts for connect and read.
Fix bug when caching SPDY responses.
Fix a bug with SPDY plus half-closed streams. (thanks kwuollett)
Fix a bug in
Content-Length reporting for gzipped streams in the Apache HTTP client adapter. (thanks kwuollett)
Work around the Alcatel
getByInetAddress bug (thanks k.kocel)
Be more aggressive about testing pooled sockets before reuse. (thanks warpspin)
Content-Encoding in the Apache HTTP client adapter. (thanks kwuollett)
Add a media type class to OkHttp.
Change custom header prefix:
X-Android-Sent-Millis is now OkHttp-Sent-Millis X-Android-Received-Millis is now OkHttp-Received-Millis X-Android-Response-Source is now OkHttp-Response-Source X-Android-Selected-Transport is now OkHttp-Selected-Transport
Improve cache invalidation for POST-like requests.
Bring MockWebServer into OkHttp and teach it SPDY.
X-Android-Transportsto write the preferred transports and
X-Android-Selected-Transportto read the negotiated transport.
NetworkInterfacewhen querying MTU.