On Tue, Feb 14, 2017 at 2:08 PM, KARR, DAVID <dk0...@att.com> wrote:
>> -----Original Message-----
>> From: Bhowmik, Bindul [mailto:bindulbhow...@gmail.com]
>> Sent: Friday, February 10, 2017 3:12 PM
>> To: HttpClient User Discussion <httpclient-users@hc.apache.org>
>> Subject: Re: How to use TLSv1.2 with httpclient 4.1.2 (httpcore 4.1.3)
>>
>> On Fri, Feb 10, 2017 at 3:30 PM, KARR, DAVID <dk0...@att.com> wrote:
>> > I've been asked to look at some old code using httpclient-4.1.2 and
>> > httpcore-4.1.3, which connects to internal sites using TLSv1.0.  We now
>> > need to force it to use TLSv1.2.  Several other devs have tried to get
>> > this to work, and they've all given up, for now.  I've seen many
>> > StackOverflow postings, and in other places, that talk about the various
>> > ways to resolve this.
>> >
>> > Could someone give me a succinct summary of what I need to do to make
>> > this work?
>> >
>> > If part of the answer means that I'll need to upgrade to a newer
>> > version of httpclient, I'm ok with that, but only if it's really
>> > necessary.  Upgrading that may result in other impacts which I'd like to
>> > minimize.
>>
>> You might want to look at this thread [1] discussing a similar query.
>> However, the SSLConnectionSocketFactory [2] used in that example was
>> introduced in client version 4.3, according to the class documentation.
>>
>> Another option would be to disable TLS v1.0 in the JRE itself [3].
>
> Accounting for the fact that I misspoke on the httpclient version I'm using, 
> I can see that using the "jdk.tls.client.protocols" system property will be 
> the ideal solution, if we can get access to the 1.7.0_95 installer (this is 
> in the "Advanced Java" realm, so is not "freely available").
>
> Failing that, combining the info on that page with a code sample that someone 
> else assembled (I don't know what their source was), my first cut at a 
> solution to this is at the end of this.  I'm hoping that this will work for 
> both a TLSv1.0 server and a TLSv1.2 server, and will also work fine if/when 
> we upgrade our client to Java 8.  Note that I've commented out the variation 
> that doesn't do hostname verification.  I'm not sure if I'm going to need 
> that.
>
> Does this look reasonable?
>
> -----------------
>     private HttpClientConnectionManager getHttpConnectionManager() {
>         if (mConnManager != null) {
>             return mConnManager;
>         }
>         try {
>             // Context that supports TLSv1.2; which older versions are also
>             // offered on its sockets still follows the JRE defaults
>             SSLContext context = SSLContext.getInstance("TLSv1.2");
>             // NOTE: this trust manager accepts every certificate chain, i.e.
>             // it disables server certificate validation entirely
>             X509TrustManager trustManager = new X509TrustManager() {
>                 @Override
>                 public X509Certificate[] getAcceptedIssuers() { return null; }
>                 @Override
>                 public void checkClientTrusted(X509Certificate[] chain, String authType)
>                         throws CertificateException { }
>                 @Override
>                 public void checkServerTrusted(X509Certificate[] chain, String authType)
>                         throws CertificateException { }
>             };
>             context.init(null, new TrustManager[] { trustManager }, null);
>             // Default hostname verifier; the commented-out variant skips hostname checks
>             SSLConnectionSocketFactory factory = new SSLConnectionSocketFactory(context);
>             //SSLConnectionSocketFactory factory = new
>             //        SSLConnectionSocketFactory(context, NoopHostnameVerifier.INSTANCE);
>             Registry<ConnectionSocketFactory> registry =
>                     RegistryBuilder.<ConnectionSocketFactory> create()
>                             .register("https", factory).build();
>             mConnManager = new PoolingHttpClientConnectionManager(registry);
>             mConnManager.setMaxTotal(getMaxTotalConnections());
>             mConnManager.setDefaultMaxPerRoute(getMaxPerRouteConnection());
>         }
>         catch (NoSuchAlgorithmException | KeyManagementException ex) {
>             logger.logError(ex);
>         }
>         return mConnManager;
>     }
> -------------

I think this will work. While I don't know your specific requirements,
I would not think you need to create a custom trust manager, if you
look at the example at

http://hc.apache.org/httpcomponents-client-4.5.x/httpclient/examples/org/apache/http/examples/client/ClientCustomSSL.java

all you would need to do is something like:

    SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(
            SSLContexts.createDefault(),
            new String[] { "TLSv1.2" }, null,
            SSLConnectionSocketFactory.getDefaultHostnameVerifier());
    CloseableHttpClient httpclient =
            HttpClients.custom().setSSLSocketFactory(sslsf).build();

- Bindul
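As an added example (not from the thread and not the HttpClient project's own code) that carries Bindul's suggestion through to a pooled client like the one in David's method: it targets httpclient 4.5.x, offers TLSv1.2 only while keeping the JVM trust store and the default hostname verifier (so no custom trust manager), also registers plain http so the pool can serve both schemes, and reads back the protocol the server actually negotiated. The class name and the URL passed to it are assumptions.

```java
import java.io.IOException;
import javax.net.ssl.SSLSession;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.protocol.HttpClientContext;
import org.apache.http.config.Registry;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.conn.ManagedHttpClientConnection;
import org.apache.http.conn.socket.ConnectionSocketFactory;
import org.apache.http.conn.socket.PlainConnectionSocketFactory;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
import org.apache.http.ssl.SSLContexts;
import org.apache.http.util.EntityUtils;

/** Added example (hypothetical class, not from the list post): pooled httpclient 4.5.x client limited to TLSv1.2. */
public final class Tls12Client {

    /** Client whose HTTPS sockets offer TLSv1.2 only; trust store and hostname checks stay at JVM defaults. */
    public static CloseableHttpClient build(int maxTotal, int maxPerRoute) {
        SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(
                SSLContexts.createDefault(),     // JVM trust store: real certificate validation
                new String[] { "TLSv1.2" },      // protocols enabled on every socket
                null,                            // cipher suites: JVM defaults
                SSLConnectionSocketFactory.getDefaultHostnameVerifier());
        Registry<ConnectionSocketFactory> registry = RegistryBuilder.<ConnectionSocketFactory>create()
                .register("http", PlainConnectionSocketFactory.getSocketFactory()) // plain http still works
                .register("https", sslsf)
                .build();
        PoolingHttpClientConnectionManager cm = new PoolingHttpClientConnectionManager(registry);
        cm.setMaxTotal(maxTotal);
        cm.setDefaultMaxPerRoute(maxPerRoute);
        return HttpClients.custom().setConnectionManager(cm).build();
    }

    /** Fetches url and returns the negotiated protocol ("TLSv1.2"), or "plain" for http.
     *  A server that only speaks TLSv1.0 fails the handshake here rather than silently downgrading. */
    public static String negotiatedProtocol(CloseableHttpClient client, String url) throws IOException {
        HttpClientContext ctx = HttpClientContext.create();
        try (CloseableHttpResponse rsp = client.execute(new HttpGet(url), ctx)) {
            // Read the session while the pooled connection is still leased to this response
            ManagedHttpClientConnection conn = ctx.getConnection(ManagedHttpClientConnection.class);
            SSLSession session = conn.getSSLSession();
            EntityUtils.consume(rsp.getEntity());
            return session == null ? "plain" : session.getProtocol();
        }
    }
}
```

Calling `negotiatedProtocol(build(20, 5), "https://<your-internal-host>/")` against each of the TLSv1.0 and TLSv1.2 servers mentioned in the thread shows directly which one the restricted client can still reach.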
