4.2 Data-transport libraries
In practice, most applications rely on data-transport frameworks to establish HTTPS connections. These frameworks use SSL libraries internally in a way that is usually opaque to applications.
Apache HttpClient. Apache HttpClient is a client-side HTTP(S) Java library based on JDK. The latest version is 4.2.1, published on June 29, 2012, but most existing software employs older, 3.* versions. Apache HttpClient is used extensively in Web-services middleware such as Apache Axis 2 (see Section 8) because native JDK does not support SOAP Web services. Furthermore, Apache HttpClient provides better performance than JDK for functionalities such as sending HTTP POST requests.
Apache HttpClient uses JSSE’s SSLSocketFactory to establish SSL connections. As explained in Section 4.1, this means that Apache HttpClient must perform its own hostname verification. This leads to numerous vulnerabilities in software based on older versions of HttpClient that do not verify hostnames (Section 7.5).
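The step that JSSE’s SSLSocketFactory leaves to the caller, shown as an added example rather than code from Apache HttpClient or from the paper: the class name HostnameCheck and its methods are hypothetical, the SAN list in main is constructed, and the matcher deliberately covers only dNSName entries (no Common Name fallback, no IP addresses).

```java
import java.io.IOException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;

public class HostnameCheck {

    /** Compare the requested host against the certificate's dNSName SANs (GeneralName type 2). */
    static boolean matchesDnsNames(Collection<List<?>> sans, String host) {
        if (sans == null) return false;                 // no SAN extension: reject, do not guess
        String h = host.toLowerCase(Locale.ROOT);
        for (List<?> san : sans) {
            if (!Integer.valueOf(2).equals(san.get(0))) continue;   // skip non-dNSName entries
            String name = ((String) san.get(1)).toLowerCase(Locale.ROOT);
            if (name.equals(h)) return true;
            // Wildcard only as the whole leftmost label, matching exactly one label: *.example.com
            if (name.startsWith("*.") && !name.substring(2).contains("*")) {
                String base = name.substring(2);
                int dot = h.indexOf('.');
                if (dot > 0 && base.indexOf('.') > 0          // refuse "*.com"-style names
                        && h.substring(dot + 1).equals(base)) return true;
            }
        }
        return false;
    }

    /** Call after the handshake: the socket factory itself never compares names. */
    static void verifyPeer(SSLSocket sock, String host)
            throws IOException, CertificateParsingException {
        X509Certificate leaf = (X509Certificate) sock.getSession().getPeerCertificates()[0];
        if (!matchesDnsNames(leaf.getSubjectAlternativeNames(), host))
            throw new IOException("certificate does not match host " + host);
    }

    /** Java 7+ alternative: make JSSE enforce hostname checking during the handshake. */
    static void enableBuiltInCheck(SSLSocket sock) {
        SSLParameters p = sock.getSSLParameters();
        p.setEndpointIdentificationAlgorithm("HTTPS");
        sock.setSSLParameters(p);
    }

    public static void main(String[] args) {
        // Constructed SAN list in the shape X509Certificate.getSubjectAlternativeNames() returns
        Collection<List<?>> sans = Arrays.<List<?>>asList(
                Arrays.asList(2, "*.example.com"), Arrays.asList(2, "example.com"));
        for (String host : new String[] {"www.example.com", "a.b.example.com", "attacker.test"})
            System.out.println(host + " -> " + matchesDnsNames(sans, host));
    }
}
```

A client that skips both verifyPeer and enableBuiltInCheck accepts any certificate chaining to a trusted CA regardless of the name it was issued for, which is exactly the class of failure Section 7.5 describes.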