pekko/akka-docs-dev/rst/scala/http/client-side/https-support.rst

.. _clientSideHTTPS:

Client-Side HTTPS Support
=========================

Akka HTTP supports TLS encryption on the client-side as well as on the :ref:`server-side <serverSideHTTPS>`.

The central vehicle for configuring encryption is the ``HttpsContext``, which is defined as such:

.. includecode2:: /../../akka-http-core/src/main/scala/akka/http/scaladsl/Http.scala
   :snippet: https-context-impl

In addition to the ``outgoingConnection``, ``newHostConnectionPool`` and ``cachedHostConnectionPool`` methods the
`akka.http.scaladsl.Http`_ extension also defines ``outgoingConnectionTls``, ``newHostConnectionPoolTls`` and
``cachedHostConnectionPoolTls``. These methods work identically to their counterparts without the ``-Tls`` suffix,
with the exception that all connections will always be encrypted.

The ``singleRequest`` and ``superPool`` methods determine the encryption state via the scheme of the incoming request,
i.e. requests to an "https" URI will be encrypted, while requests to an "http" URI won't.

The encryption configuration for all HTTPS connections, i.e. the ``HttpsContext`` is determined according to the
following logic:

1. If the optional ``httpsContext`` method parameter is defined it contains the configuration to be used (and thus
   takes precedence over any potentially set default client-side ``HttpsContext``).

2. If the optional ``httpsContext`` method parameter is undefined (which is the default) the default client-side
   ``HttpsContext`` is used, which can be set via the ``setDefaultClientHttpsContext`` on the ``Http`` extension.

3. If no default client-side ``HttpsContext`` has been set via the ``setDefaultClientHttpsContext`` on the ``Http``
   extension the default system configuration is used.

Usually the process is, if the default system TLS configuration is not good enough for your application's needs,
that you configure a custom ``HttpsContext`` instance and set it via ``Http().setDefaultClientHttpsContext``.
Afterwards you simply use ``outgoingConnectionTls``, ``newHostConnectionPoolTls``, ``cachedHostConnectionPoolTls``,
``superPool`` or ``singleRequest`` without a specific ``httpsContext`` argument, which causes encrypted connections
to rely on the configured default client-side ``HttpsContext``.

If no custom ``HttpsContext`` is defined the default context uses Java's default TLS settings. Customizing the
``HttpsContext`` can make the Https client less secure. Understand what you are doing!

Hostname verification on Java 6
-------------------------------

Hostname verification proves that the Akka HTTP client is actually communicating with the server it intended to
communicate with. Without this check a man-in-the-middle attack is possible. In the attack scenario, an alternative
certificate would be presented which was issued for another host name. Checking the host name in the certificate
against the host name the connection was opened against is therefore vital.

The default ``HttpsContext`` enables hostname verification. Akka HTTP relies on a Java 7 feature to implement
the verification. To prevent an unintended security downgrade, accessing the default ``HttpsContext`` on Java 6
will fail with an exception. Specifying a custom ``HttpsContext`` or customizing the default one is also possible
on Java 6.


.. _akka.http.scaladsl.Http: @github@/akka-http-core/src/main/scala/akka/http/scaladsl/Http.scala
=doc add client- and server-side HTTPS section for scala 2015-06-19 16:39:12 +02:00			`.. _clientSideHTTPS:`

=doc Significantly extend HTTP documentation with new content and ports from spray docs 2015-05-11 23:05:18 +02:00			`Client-Side HTTPS Support`
			`=========================`

=doc add client- and server-side HTTPS section for scala 2015-06-19 16:39:12 +02:00			Akka HTTP supports TLS encryption on the client-side as well as on the :ref:`server-side <serverSideHTTPS>`.

			The central vehicle for configuring encryption is the ``HttpsContext``, which is defined as such:

			`.. includecode2:: /../../akka-http-core/src/main/scala/akka/http/scaladsl/Http.scala`
			`:snippet: https-context-impl`

			In addition to the ``outgoingConnection``, ``newHostConnectionPool`` and ``cachedHostConnectionPool`` methods the
			`akka.http.scaladsl.Http`_ extension also defines ``outgoingConnectionTls``, ``newHostConnectionPoolTls`` and
			``cachedHostConnectionPoolTls``. These methods work identically to their counterparts without the ``-Tls`` suffix,
			`with the exception that all connections will always be encrypted.`

			The ``singleRequest`` and ``superPool`` methods determine the encryption state via the scheme of the incoming request,
			`i.e. requests to an "https" URI will be encrypted, while requests to an "http" URI won't.`

			The encryption configuration for all HTTPS connections, i.e. the ``HttpsContext`` is determined according to the
			`following logic:`

+doc #18012 port client-side https documentation to the java-side 2015-07-20 11:14:25 +02:00			1. If the optional ``httpsContext`` method parameter is defined it contains the configuration to be used (and thus
=doc add client- and server-side HTTPS section for scala 2015-06-19 16:39:12 +02:00			takes precedence over any potentially set default client-side ``HttpsContext``).

+doc #18012 port client-side https documentation to the java-side 2015-07-20 11:14:25 +02:00			2. If the optional ``httpsContext`` method parameter is undefined (which is the default) the default client-side
=doc add client- and server-side HTTPS section for scala 2015-06-19 16:39:12 +02:00			``HttpsContext`` is used, which can be set via the ``setDefaultClientHttpsContext`` on the ``Http`` extension.

			3. If no default client-side ``HttpsContext`` has been set via the ``setDefaultClientHttpsContext`` on the ``Http``
			`extension the default system configuration is used.`

			`Usually the process is, if the default system TLS configuration is not good enough for your application's needs,`
			that you configure a custom ``HttpsContext`` instance and set it via ``Http().setDefaultClientHttpsContext``.
			Afterwards you simply use ``outgoingConnectionTls``, ``newHostConnectionPoolTls``, ``cachedHostConnectionPoolTls``,
+doc #18012 port client-side https documentation to the java-side 2015-07-20 11:14:25 +02:00			``superPool`` or ``singleRequest`` without a specific ``httpsContext`` argument, which causes encrypted connections
=doc add client- and server-side HTTPS section for scala 2015-06-19 16:39:12 +02:00			to rely on the configured default client-side ``HttpsContext``.

!htc #15687 enable https hostname verification on Java 7+ 2015-07-23 15:11:32 +02:00			If no custom ``HttpsContext`` is defined the default context uses Java's default TLS settings. Customizing the
			``HttpsContext`` can make the Https client less secure. Understand what you are doing!

			`Hostname verification on Java 6`
			`-------------------------------`

			`Hostname verification proves that the Akka HTTP client is actually communicating with the server it intended to`
			`communicate with. Without this check a man-in-the-middle attack is possible. In the attack scenario, an alternative`
			`certificate would be presented which was issued for another host name. Checking the host name in the certificate`
			`against the host name the connection was opened against is therefore vital.`

			The default ``HttpsContext`` enables hostname verification. Akka HTTP relies on a Java 7 feature to implement
			the verification. To prevent an unintended security downgrade, accessing the default ``HttpsContext`` on Java 6
			will fail with an exception. Specifying a custom ``HttpsContext`` or customizing the default one is also possible
			`on Java 6.`

=doc add client- and server-side HTTPS section for scala 2015-06-19 16:39:12 +02:00
			`.. _akka.http.scaladsl.Http: @github@/akka-http-core/src/main/scala/akka/http/scaladsl/Http.scala`