[
https://issues.apache.org/jira/browse/HTTPCLIENT-2397?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Winfried Gerlach updated HTTPCLIENT-2397:
-----------------------------------------
Description:
Cybersecurity requirements become stricter every day - in many industries
(automotive, aerospace, medical,...) plain, unencrypted HTTP connections are
unacceptable. Yet HttpClient currently does not have a configuration option
that reliably prevents users of the library from (accidentally) creating plain
HTTP connections.
While not being a clean and fully reliable solution, all HttpClient versions up
to 5.3.1 could at least prevent executing requests with "http://"; scheme by
only registering a HTTPS ConnectionSocketFactory. When trying to access an HTTP
resource, this would then lead to an {{UnsupportedSchemeException}} ("http
protocol is not supported"):
[httpcomponents-client/httpclient5/src/main/java/org/apache/hc/client5/http/impl/io/DefaultHttpClientConnectionOperator.java
at rel/v5.3.1 ·
apache/httpcomponents-client|https://github.com/apache/httpcomponents-client/blob/rel/v5.3.1/httpclient5/src/main/java/org/apache/hc/client5/http/impl/io/DefaultHttpClientConnectionOperator.java#L133]
In HttpClient 5.4+, this check was dropped to support RFC 2817 (Upgrading to
TLS Within HTTP/1.1). Rejecting http scheme could still be achieved, e.g. by
using a custom {{{}SchemePortResolver{}}}, but this is unnecessarily
complicated. And strictly speaking, such a solution is not enough anyway,
because a server could serve plain HTTP connections that are accessible via
"https" scheme.
I suggest to add a "TLS only" setting (in {{{}HttpClientBuilder{}}}?) that
reliably enforces TLS on every HTTP connection created by HttpClient.
was:
In all HttpClient versions up and until 5.3.1, it was possible to prevent the
use of plaintext HTTP by only registering a HTTPS ConnectionSocketFactory. When
trying to access an HTTP resource, this would then lead to an
\{{UnsupportedSchemeException}} ("http protocol is not supported"):
[httpcomponents-client/httpclient5/src/main/java/org/apache/hc/client5/http/impl/io/DefaultHttpClientConnectionOperator.java
at rel/v5.3.1 ·
apache/httpcomponents-client|https://github.com/apache/httpcomponents-client/blob/rel/v5.3.1/httpclient5/src/main/java/org/apache/hc/client5/http/impl/io/DefaultHttpClientConnectionOperator.java#L133]
For HttpClient 5.4+, this check was dropped. Such behavior could still be
achieved, e.g. by using a custom SchemePortResolver, but this is a)
unnecessarily complicated and b) doesn't help users migrating from an older
version that may not even notice that HTTP connections are now suddenly
possible again. That's why I would classify this as a bug.
Issue Type: New Feature (was: Bug)
Summary: Feature Request: TLS-only connections (was: Prevent use of
plain HTTP in HttpClient 5.4+)
> Feature Request: TLS-only connections
> -------------------------------------
>
> Key: HTTPCLIENT-2397
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-2397
> Project: HttpComponents HttpClient
> Issue Type: New Feature
> Reporter: Winfried Gerlach
> Priority: Major
>
> Cybersecurity requirements become stricter every day - in many industries
> (automotive, aerospace, medical,...) plain, unencrypted HTTP connections are
> unacceptable. Yet HttpClient currently does not have a configuration option
> that reliably prevents users of the library from (accidentally) creating
> plain HTTP connections.
> While not being a clean and fully reliable solution, all HttpClient versions
> up to 5.3.1 could at least prevent executing requests with "http://"; scheme
> by only registering a HTTPS ConnectionSocketFactory. When trying to access an
> HTTP resource, this would then lead to an {{UnsupportedSchemeException}}
> ("http protocol is not supported"):
> [httpcomponents-client/httpclient5/src/main/java/org/apache/hc/client5/http/impl/io/DefaultHttpClientConnectionOperator.java
> at rel/v5.3.1 ·
> apache/httpcomponents-client|https://github.com/apache/httpcomponents-client/blob/rel/v5.3.1/httpclient5/src/main/java/org/apache/hc/client5/http/impl/io/DefaultHttpClientConnectionOperator.java#L133]
> In HttpClient 5.4+, this check was dropped to support RFC 2817 (Upgrading to
> TLS Within HTTP/1.1). Rejecting http scheme could still be achieved, e.g. by
> using a custom {{{}SchemePortResolver{}}}, but this is unnecessarily
> complicated. And strictly speaking, such a solution is not enough anyway,
> because a server could serve plain HTTP connections that are accessible via
> "https" scheme.
> I suggest to add a "TLS only" setting (in {{{}HttpClientBuilder{}}}?) that
> reliably enforces TLS on every HTTP connection created by HttpClient.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
