Yes, we're now running our Black Friday Sale. All Access and Pro are 33% off until 2nd December, 2025:
Modern software architecture is often broken. Slow delivery leads to missed opportunities, innovation is stalled due to architectural complexities, and engineering resources are exceedingly expensive.
Orkes is the leading workflow orchestration platform built to enable teams to transform the way they develop, connect, and deploy applications, microservices, AI agents, and more.
With Orkes Conductor managed through Orkes Cloud, developers can focus on building mission critical applications without worrying about infrastructure maintenance to meet goals and, simply put, taking new products live faster and reducing total cost of ownership.
Try a 14-Day Free Trial of Orkes Conductor today.
Modern software architecture is often broken. Slow delivery leads to missed opportunities, innovation is stalled due to architectural complexities, and engineering resources are exceedingly expensive.
Orkes is the leading workflow orchestration platform built to enable teams to transform the way they develop, connect, and deploy applications, microservices, AI agents, and more.
With Orkes Conductor managed through Orkes Cloud, developers can focus on building mission critical applications without worrying about infrastructure maintenance to meet goals and, simply put, taking new products live faster and reducing total cost of ownership.
Try a 14-Day Free Trial of Orkes Conductor today.
Mocking is an essential part of unit testing, and the Mockito library makes it easy to write clean and intuitive unit tests for your Java code.
Get started with mocking and improve your application tests using our Mockito guide:
Spring 5 added support for reactive programming with the Spring WebFlux module, which has been improved upon ever since. Get started with the Reactor project basics and reactive programming in Spring Boot:
Since its introduction in Java 8, the Stream API has become a staple of Java development. The basic operations like iterating, filtering, mapping sequences of elements are deceptively simple to use.
But these can also be overused and fall into some common pitfalls.
To get a better understanding on how Streams work and how to combine them with other language features, check out our guide to Java Streams:
Explore Spring Boot 3 and Spring 6 in-depth through building a full REST API with the framework:
Yes, Spring Security can be complex, from the more advanced functionality within the Core to the deep OAuth support in the framework.
I built the security material as two full courses - Core and OAuth, to get practical with these more complex scenarios. We explore when and how to use each feature and code through it on the backing project.
You can explore the course here:
Modern software architecture is often broken. Slow delivery leads to missed opportunities, innovation is stalled due to architectural complexities, and engineering resources are exceedingly expensive.
Orkes is the leading workflow orchestration platform built to enable teams to transform the way they develop, connect, and deploy applications, microservices, AI agents, and more.
With Orkes Conductor managed through Orkes Cloud, developers can focus on building mission critical applications without worrying about infrastructure maintenance to meet goals and, simply put, taking new products live faster and reducing total cost of ownership.
Try a 14-Day Free Trial of Orkes Conductor today.
Spring Data JPA is a great way to handle the complexity of JPA with the powerful simplicity of Spring Boot.
Get started with Spring Data JPA through the guided reference course:
Refactor Java code safely — and automatically — with OpenRewrite.
Refactoring big codebases by hand is slow, risky, and easy to put off. That’s where OpenRewrite comes in. The open-source framework for large-scale, automated code transformations helps teams modernize safely and consistently.
Each month, the creators and maintainers of OpenRewrite at Moderne run live, hands-on training sessions — one for newcomers and one for experienced users. You’ll see how recipes work, how to apply them across projects, and how to modernize code with confidence.
Join the next session, bring your questions, and learn how to automate the kind of work that usually eats your sprint time.
Yes, we're now running our Black Friday Sale. All Access and Pro are 33% off until 2nd December, 2025:
1. Overview
In this tutorial, we’ll explore using Java HttpClient to connect to HTTPS URLs. We’ll also learn how to use the client with URLs that don’t have a valid SSL certificate.
In older versions of Java, we preferred to use libraries like Apache HTTPClient and OkHttp to connect to a server. In Java 11, an improved HttpClient library was added to the JDK.
Let’s explore how to use it to call a service over SSL.
2. Calling an HTTPS URL Using the Java HttpClient
We’ll use test cases to run the client code. For testing purposes, we’ll use an existing URL that runs on HTTPS.
Let’s write code to set up the client and call the service:
HttpClient httpClient = HttpClient.newHttpClient();
HttpRequest request = HttpRequest.newBuilder()
.uri(URI.create("https://www.google.com/"))
.build();
HttpResponse<String> response = httpClient.send(request, HttpResponse.BodyHandlers.ofString());
Here, we first created a client using the HttpClient.newHttpClient() method. Then, we created a request and set the URL of the service we’re going to hit. Finally, we sent the request using the HttpClient.send() method and collected the response – a HttpResponse object containing the response body as a String.
When we put the above code in a test case and perform the below assertion, we’ll observe that it passes:
assertEquals(200, response.statusCode());3. Calling an Invalid HTTPS URL
Now, let’s change the URL to another one that doesn’t have a valid SSL certificate. We can do so by changing the request object:
HttpRequest request = HttpRequest.newBuilder()
.uri(new URI("https://wrong.host.badssl.com/"))
.build();When we run the test again, we get the below error:
Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching wrong.host.badssl.com found.
at java.base/sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:212)
at java.base/sun.security.util.HostnameChecker.match(HostnameChecker.java:103)
This is because the URL doesn’t have a valid SSL certificate.
4. Bypassing SSL Certificate Verification
4.1. Using Mock Trust Manager
In order to skip the validation done automatically by the HttpClient we can extend the default X509ExtendedTrustManager object, which is the class that is in charge of checking the validity of the SSL certificate, overriding the default business logic with empty methods:
private static final TrustManager MOCK_TRUST_MANAGER = new X509ExtendedTrustManager() {
@Override
public java.security.cert.X509Certificate[] getAcceptedIssuers() {
return new java.security.cert.X509Certificate[0];
}
@Override
public void checkServerTrusted(java.security.cert.X509Certificate[] chain, String authType) throws CertificateException {
// empty method
}
// ... Other void methods
}We also need to provide the new TrustManager implementation to our HttpClient instance. To do this, we firstly create a new SSLContext instance of the HTTPClient, then we init the object passing null as the KeyManager list, the just created TrustManager in an array, and a new instance of SecureRandom class (a random number generator):
SSLContext sslContext = SSLContext.getInstance("SSL"); // OR TLS
sslContext.init(null, new TrustManager[]{DUMMY_TRUST_MANAGER}, new SecureRandom());Let’s now use this actualized SSLContext to build our now well-behaving HttpClient:
HttpClient httpClient = HttpClient.newBuilder().sslContext(sslContext).build();Now we can call any URL that does not have a valid certificate to get anyway a successful response:
HttpRequest request = HttpRequest.newBuilder()
.uri(new URI("https://wrong.host.badssl.com/"))
.build();
HttpResponse<String> response = httpClient.send(request, HttpResponse.BodyHandlers.ofString());
Assertions.assertEquals(200, response.statusCode())In the next paragraph, we will see another way we can achieve the same result with a JVM flag that will disable the Certificate verification for every HttpClient request.
4.2. Using JVM Disable Hostname Verifier Flag
As the last option to resolve the error we got above, let’s look at a solution to bypass SSL certificate verification.
In Apache HttpClient, we could modify the client to bypass certificate verification. However, we can’t do that with the Java HttpClient. We’ll have to rely on making changes to the JVM to disable hostname verification.
One way to do this is to import the website’s certificate into the Java KeyStore. This is a common practice and is a good option if there are a small number of internal, trusted websites.
However, this can become tiresome if there are a large number of websites or too many environments to manage. In this case, we can use the property jdk.internal.httpclient.disableHostnameVerification to disable hostname verification.
We can set this property when running the application as a command-line argument:
java -Djdk.internal.httpclient.disableHostnameVerification=true -jar target/java-httpclient-ssl-0.0.1-SNAPSHOT.jar
Alternatively, we can programmatically set this property before creating our client:
Properties props = System.getProperties();
props.setProperty("jdk.internal.httpclient.disableHostnameVerification", Boolean.TRUE.toString());
HttpClient httpClient = HttpClient.newHttpClient();
When we run the test now, we’ll see that it passes.
We should note that changing the property would mean that certificate verification is disabled for all requests. This may not be desirable, especially in production. However, it’s common to introduce this property in non-production environments.
5. Can We Use Java HttpClient With Spring?
Spring provides two popular interfaces to make HTTP requests:
- RestTemplate for synchronous requests
- WebClient for synchronous and asynchronous requests
Both can be used along with popular HTTP clients such as Apache HttpClient, OkHttp, and the old HttpURLConnection. However, we can’t plug Java HttpClient into these two interfaces. It’s rather seen as an alternative to them.
We can use Java HttpClient to make synchronous and asynchronous requests, convert requests and responses, add timeouts, etc. Therefore, it can be utilized directly without needing Spring’s interfaces.
6. Conclusion
In this article, we explored how to use the Java HTTP Client to connect to a server that requires SSL. We also looked at ways to use the client with URLs that don’t have a valid certificate.
The code backing this article is available on GitHub. Once you're logged in as a Baeldung Pro Member, start learning and coding on the project.
