Merge pull request #18062 from spray/w/15687-enable-endpoint-verification

#18059 #15687 Enable https hostname verification

akka-docs-dev/rst/scala/http/client-side/https-support.rst

@@ -36,5 +36,21 @@ Afterwards you simply use ``outgoingConnectionTls``, ``newHostConnectionPoolTls`
 ``superPool`` or ``singleRequest`` without a specific ``httpsContext`` argument, which causes encrypted connections
 to rely on the configured default client-side ``HttpsContext``.
 
+If no custom ``HttpsContext`` is defined the default context uses Java's default TLS settings. Customizing the
+``HttpsContext`` can make the Https client less secure. Understand what you are doing!
+
+Hostname verification on Java 6
+-------------------------------
+
+Hostname verification proves that the Akka HTTP client is actually communicating with the server it intended to
+communicate with. Without this check a man-in-the-middle attack is possible. In the attack scenario, an alternative
+certificate would be presented which was issued for another host name. Checking the host name in the certificate
+against the host name the connection was opened against is therefore vital.
+
+The default ``HttpsContext`` enables hostname verification. Akka HTTP relies on a Java 7 feature to implement
+the verification. To prevent an unintended security downgrade, accessing the default ``HttpsContext`` on Java 6
+will fail with an exception. Specifying a custom ``HttpsContext`` or customizing the default one is also possible
+on Java 6.
+
 
 .. _akka.http.scaladsl.Http: @github@/akka-http-core/src/main/scala/akka/http/scaladsl/Http.scala