[
https://issues.apache.org/jira/browse/CXF-8952?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17781549#comment-17781549
]
Sebastian Violet edited comment on CXF-8952 at 10/31/23 10:56 PM:
------------------------------------------------------------------
It would also be great if CXF could respect the following java system property
{*}https.protocols{*}. That way, we can set it like so:
{code:java}
-Dhttps.protocols=TLSv1.1,TLSv1.2,TLSv1.3 {code}
was (Author: JIRAUSER302659):
It would also be great if CXF could respect the following java system property
{*}https.protocols{*}. That way, we can set it like so:
{code:java}
-Dhttps.protocols=TLSv1.1,TLSv1.2,TLSv1.3 {code}
> HttpClientHTTPConduit in CXF doesn't support TLSv1.3 along with other
> protocols
> -------------------------------------------------------------------------------
>
> Key: CXF-8952
> URL: https://issues.apache.org/jira/browse/CXF-8952
> Project: CXF
> Issue Type: Bug
> Components: JAX-RS
> Affects Versions: 4.0.3, 4.0.4
> Reporter: Sebastian Violet
> Assignee: Daniel Kulp
> Priority: Critical
> Fix For: 3.6.3, 4.0.4
>
> Attachments: image-2023-10-30-17-30-19-307.png
>
>
> *HttpClientHTTPConduit* does't have support for TLSv1.3 out of the box.
> [Look at line #253
> here|https://github.com/apache/cxf/blob/ee4244116cb49c007bde3ee7ee6a06a4cfb26027/rt/transports/http/src/main/java/org/apache/cxf/transport/http/HttpClientHTTPConduit.java#L253].
> !image-2023-10-30-17-30-19-307.png|width=821,height=227!
> This means that any endpoint which solely supports *TLSv1.3* and has turned
> off other lower protocols will fail SSL Handshake.
> One can pass in a singular {*}secureSocketProtocol{*}, but that doesn't
> support passing in a list for negotiation fallback.
> I.e. We can do the following:
> {code:java}
> ClientConfiguration config = WebClient.getConfig(service);
> final TLSClientParameters tlsClientParameters =
> ObjectUtils.firstNonNull(config.getHttpConduit().getTlsClientParameters(),
> new TLSClientParameters());
> tlsClientParameters.setSecureSocketProtocol("TLSv1.3");
> {code}
> However, this will not work with endpoints that do now support {*}TLSv1.3{*};
> it works great for endpoints that only have *TLSv1.3* though.
>
> {*}Solution{*}:
> {*}Option 1{*}({color:#FF0000}Ideal; *recommended*{color}): Add *TLSv1.3* to
> the list of protocols when creating the HttpClient through the builder.
> {*}Option 2{*}: Allow *setSecureSocketProtocol* to take in an *array* of
> protocols.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
