We are using ApacheHttpClient to connect to an external REST service. We've 
been using version 4.3.5, but we also tried it with 4.5.2, and the results have 
been the same. The backend service changed to force the use of TLSv1.2, which 
causes our code to fail because of the protocol version. So we tried to make 
changes to use that, but no matter what we try, we're still getting the error. 
Here is our latest iteration of the code:
  
    SSLContext sslContext = SSLContexts.custom().useProtocol("TLSv1.2").build();
    SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(sslContext,
        new String[] { "TLSv1.2" },
        new String[] { "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" },
        SSLConnectionSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
    HttpClientBuilder httpClientBuilder = HttpClientBuilder.create()
        .setDefaultRequestConfig(requestConfig)
        .setConnectionManager(connManager)
        .setSSLSocketFactory(sslsf);
    handleAuthentication(uri, httpClientBuilder);
    httpClient = httpClientBuilder.build();
  
I am also setting the following JVM options:

    JVM_ARGS=-Dhttps.protocols=TLSv1.2 -Djdk.tls.client.protocols=TLSv1.2 -Djavax.net.debug=all
  
But we are still getting the error:  
  
    [4/21/16 17:27:37:123 EDT] 00000042 id=         bm.myw3.services.awf.sso.ejb.generator.SSOTokenGeneratorImpl I Exception :: javax.net.ssl.SSLException: Received fatal alert: protocol_version
    [4/21/16 17:27:37:124 EDT] 00000042 id=         com.ibm.myw3.services.awf.sso.ejb.SSOTokenManagerBean        E SSOTokenGeneratorException :: {0}
    com.ibm.myw3.services.awf.sso.ejb.config.SSOTokenGeneratorException: Exception while executing http request for retrieving Token
  

I have a trace.log, which I can upload if anyone thinks it would be useful to 
see. But here are various entries from the trace:  
  
    Default Executor-thread-25, WRITE: TLSv1.2 Handshake, length = 80
    Default Executor-thread-25, WRITE: TLSv1.2 Application Data, length = 256
    Default Executor-thread-25, READ: TLSv1.2 Application Data, length = 1552
    SEND TLSv1.2 ALERT:
    Finalizer thread, WRITE: TLSv1.2 Alert, length = 64
  

And then it goes on to try TLSv1. I'm not sure what to look for to determine 
why it's not using TLSv1.2, but nothing is jumping out at me from the trace.
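
One thing to check with the builder calls shown above, as an added example that is not part of the original message: `HttpClientBuilder` only uses the factory given to `setSSLSocketFactory()` when it creates its own connection manager, so with `setConnectionManager()` the TLS settings have to be registered on the manager itself. The sketch assumes `connManager` is a `PoolingHttpClientConnectionManager`; the class name `Tls12ClientFactory` is hypothetical, and the default hostname verifier is used in place of `ALLOW_ALL_HOSTNAME_VERIFIER`.

```java
import javax.net.ssl.SSLContext;
import org.apache.http.config.Registry;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.conn.socket.ConnectionSocketFactory;
import org.apache.http.conn.socket.PlainConnectionSocketFactory;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;

// Hypothetical helper class (assumption), not from the original message.
public final class Tls12ClientFactory {

    public static CloseableHttpClient build() throws Exception {
        // Plain JSSE context using the JVM's default key and trust managers.
        SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
        sslContext.init(null, null, null);

        // Offer TLSv1.2 only; null cipher suites keeps the JVM defaults.
        // This verifier still checks the certificate host name. It exists in
        // 4.3.x and is deprecated (but still present) in 4.5.x.
        SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(
                sslContext,
                new String[] { "TLSv1.2" },
                null,
                SSLConnectionSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);

        // Register the factory on the connection manager: this registry is
        // what decides how "https" sockets are created.
        Registry<ConnectionSocketFactory> registry =
                RegistryBuilder.<ConnectionSocketFactory>create()
                        .register("http", PlainConnectionSocketFactory.getSocketFactory())
                        .register("https", sslsf)
                        .build();
        PoolingHttpClientConnectionManager connManager =
                new PoolingHttpClientConnectionManager(registry);

        // No setSSLSocketFactory() here: with an explicit connection manager
        // the builder would not apply it.
        return HttpClients.custom()
                .setConnectionManager(connManager)
                .build();
    }
}
```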


