[ 
https://issues.apache.org/jira/browse/HTTPCLIENT-1600?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14288471#comment-14288471
 ] 

David commented on HTTPCLIENT-1600:
-----------------------------------

Ha! Apparently not. Why disable TLSv1.1 and TLSv1.2 in Java 7? Do we have good 
reasons?
Oracle's rationale for not enabling TLSv1.1 and TLSv1.2 in Java 7 seems to be:
{quote}
Although SunJSSE in the Java SE 7 release supports TLS 1.1 and TLS 1.2, neither 
version is enabled by default for client connections. Some servers do not 
implement forward compatibility correctly and refuse to talk to TLS 1.1 or TLS 
1.2 clients. For interoperability, SunJSSE does not enable TLS 1.1 or TLS 1.2 
by default for client connections.

Server connections have no such interoperability problem. TLS 1.1 and TLS 1.2 
are enabled by default for server connections.
{quote} source - 
https://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html
 

However, there are not many servers that have issues communicating with TLSv1.1 
or TLSv1.2 clients, which is why Java 8 enables TLSv1.1 and TLSv1.2. Also, at 
the same time, Java >= 7 not using TLSv1.1 or higher in handshaking, like I have 
said, violates the TLS specification (unless you use the 
com.sun.net.ssl.rsaPreMasterSecretFix system property), which results in 
servers (tested against OpenSSL) rejecting Java connections when the negotiated 
protocol version differs from the original version sent in the client hello.
 

> Enable supported TLS protocols
> ------------------------------
>
>                 Key: HTTPCLIENT-1600
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1600
>             Project: HttpComponents HttpClient
>          Issue Type: Improvement
>          Components: HttpClient
>    Affects Versions: 4.4 Final
>            Reporter: David
>
> https://github.com/apache/httpclient/commit/a3a8def3ab99174468930b99dc897dd488968c41
>  reverts a change that enabled TLSv1.1 and TLSv1.2 in Java 7. If the 
> 'https.protocols' property has not been set then httpclient should enable all 
> supported TLS protocols. The result of this change will be that TLSv1.1 and 
> TLSv1.2 will be used in Java 7.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
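
The selection rule requested in the issue (honour 'https.protocols' when it is set, otherwise enable every TLS version the JSSE provider supports), as an added example that is not HttpClient's own code and not part of the original message. The class and method names are hypothetical; it uses only standard javax.net.ssl calls on an unconnected socket, so it runs offline.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;

// Added illustration; TlsProtocolSelection and selectProtocols are hypothetical names.
public class TlsProtocolSelection {

    /** Returns the https.protocols override if set, else every supported TLS* version. */
    static String[] selectProtocols(String httpsProtocols, String[] supported) {
        if (httpsProtocols != null && !httpsProtocols.trim().isEmpty()) {
            // An explicit override wins; entries are comma-separated.
            List<String> requested = new ArrayList<String>();
            for (String p : httpsProtocols.split(",")) {
                if (!p.trim().isEmpty()) {
                    requested.add(p.trim());
                }
            }
            return requested.toArray(new String[0]);
        }
        List<String> tls = new ArrayList<String>();
        for (String p : supported) {
            // Drops SSLv3 and the SSLv2Hello pseudo-protocol, keeps TLSv1 and later.
            if (p.startsWith("TLS")) {
                tls.add(p);
            }
        }
        return tls.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        // Unconnected socket: enough to inspect and change the protocol lists.
        SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket();
        try {
            String[] supported = socket.getSupportedProtocols();
            System.out.println("Supported:       " + Arrays.toString(supported));
            System.out.println("Default enabled: " + Arrays.toString(socket.getEnabledProtocols()));
            // Throws IllegalArgumentException if the override names an unsupported protocol.
            socket.setEnabledProtocols(
                    selectProtocols(System.getProperty("https.protocols"), supported));
            System.out.println("After selection: " + Arrays.toString(socket.getEnabledProtocols()));
        } finally {
            socket.close();
        }
    }
}
```

Comparing the "Default enabled" and "After selection" lines on a given JRE shows whether its client defaults leave out protocol versions that the provider supports.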
