[ https://issues.apache.org/jira/browse/HTTPCLIENT-1595?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14271720#comment-14271720 ]
Michael Braun commented on HTTPCLIENT-1595:
-------------------------------------------
Oleg -
So I would agree, but this is a behavior change in that it is no longer taking
the JVM's default enabled protocols into account. To show this:
With Java 7, TLSv1.1 and TLSv1.2 are disabled by default. If you run with
HTTPClient 4.3.4 and Java 7 and don't set any system settings at all, SSLv3 and
TLSv1 are the protocols supported - TLSv1.1 and TLSv1.2 are never part of the
handshake. With 4.3.6, TLS1.1 and 1.2 are added back in even though they are
not enabled by default by Java 7. This is why I believe it should be using
.getEnabledProtocols rather than .getSupportedProtocols - it should respect
what is disabled.
Thanks!
> SSLConnectionSocketFactory not respecting enabled protocols
> -----------------------------------------------------------
>
> Key: HTTPCLIENT-1595
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1595
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpClient
> Affects Versions: 4.3.6
> Reporter: Michael Braun
> Labels: easyfix, security
>
> In createLayeredSocket -
> If supportedProtocols is null, the list of protocols (minus those that start
> with SSL) is loaded.
> However, the protocols should be from sslsock.getEnabledProtocols() rather
> than sslsock.getSupportedProtocols() to reflect settings on the JVM.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
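As an added illustration of the two selection strategies discussed above (example code written for this note, not HttpClient's own createLayeredSocket), the helpers below apply the same "drop SSL*" filter to each starting list. The Java 7 protocol arrays are constructed to match the comment; the last part runs the same comparison against the current JVM's default SSLSocket.

```java
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class ProtocolSelection {

    /** 4.3.6 behaviour as described in the issue: start from everything the
     *  provider supports and drop only SSL*, which brings back TLS versions
     *  the JVM had disabled by default. */
    static List<String> fromSupported(String[] supportedProtocols) {
        return dropSsl(supportedProtocols);
    }

    /** Proposed fix: start from what the JVM actually has enabled, then apply
     *  the same SSL* filter, so a JVM-disabled protocol stays disabled. */
    static List<String> fromEnabled(String[] enabledProtocols) {
        return dropSsl(enabledProtocols);
    }

    private static List<String> dropSsl(String[] protocols) {
        List<String> result = new ArrayList<>();
        for (String p : protocols) {
            if (!p.startsWith("SSL")) {
                result.add(p);
            }
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        // Constructed to match the Java 7 defaults stated in the comment
        // (not queried from a real Java 7 runtime).
        String[] java7Supported = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"};
        String[] java7Enabled   = {"SSLv3", "TLSv1"};

        System.out.println("getSupportedProtocols path: " + fromSupported(java7Supported));
        System.out.println("getEnabledProtocols path:   " + fromEnabled(java7Enabled));

        // Same comparison against the running JVM's default SSLSocket (unconnected).
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket sslsock = (SSLSocket) factory.createSocket()) {
            System.out.println("this JVM, supported-based: "
                    + fromSupported(sslsock.getSupportedProtocols()));
            System.out.println("this JVM, enabled-based:   "
                    + fromEnabled(sslsock.getEnabledProtocols()));
        }
    }
}
```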