Mohammed Aijaz Yousuf created HTTPCLIENT-1692:
-------------------------------------------------
Summary: Apache HttpClient overrides the protocols supplied by JVM
and instead defaults it to TLSv1.0
Key: HTTPCLIENT-1692
URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1692
Project: HttpComponents HttpClient
Issue Type: Bug
Components: HttpClient
Affects Versions: 4.5
Environment: Windows and Linux
Reporter: Mohammed Aijaz Yousuf
Issue: We have an SDK provided by our Payment gateway and we use this SDK to
invoke the Payment webservices. This SDK uses Apache HttpClient/Post methods
to make webservice calls and Payment gateway requires the communication to go
through TLS1.2 handshake. We invoke these payment services using 2 ways:
1. Using IBM Websphere Application server.
2. Using IBM Agent Server (Batch job which runs on a JVM process and uses Queue
to process and listen to messages)
a. For IBM websphere, we were able to make the TLS1.2 protocol work by changing
the "Quality Of Protection" SSL settings but we cannot make it work on IBM
Agent server.
b. We tried passing the protocols explicitly by giving
"https.protocols=TLSv1.2" as system arguments when starting the server but it
seems the Apache HttpClient is overriding the protocol and setting it to JVM
default protocol which is TLSv1.0. Due to this default protocol, all our
communications with Payment gateway are failing. We are using
apache-httpcomponents-httpclient.jar.
c. We tried using the httpClient4.5.x but even then the same behavior is
seen. Another issue we faced when we use higher versions of httpclient was
whenever we try deploying the Httpclient 4.5.x.jar on websphere, Websphere is
throwing Class conflict error as IBM websphere has a
com.ibm.ws.prereq.jaxrs.jar plugin which internally supports only apache 4.1.x.
We tried changing the websphere class loader policy to read the Parent class
last but it starts affecting other functionalities.
d. We would basically need to know how we can enforce the httpclient to accept
the JVM protocols set in system property "https.protocols=TLSv1.2" instead of
overriding the protocol to TLSv1.0.
e. We are using IBM JDK 1.6 SR5 and IBM Websphere 8.5.5
Secondly we are not using JSSE socketfactory but are using Websphere SSL socket
factory with com.ibm.ws.security.crypto.jar:
# WebSphere socket factories (in cryptosf.jar)
ssl.SocketFactory.provider=com.ibm.websphere.ssl.protocol.SSLSocketFactory
ssl.ServerSocketFactory.provider=com.ibm.websphere.ssl.protocol.SSLServerSocketFactory
f. It's an open source SDK provided by Vantiv and it can be used by anyone at
https://github.com/LitleCo/litle-sdk-for-java
Below is the URL:
https://www.testlitle.com/sandbox/communicator/online
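
Added example, not part of the report and not code from the Litle SDK or the HttpClient project: two ways an application that builds its own HttpClient 4.5 instance can control the TLS protocol list, either by pinning it on the socket factory or by asking the builder to read `https.protocols`. The class name and the default URL are placeholders, and it assumes the JRE's JSSE provider implements TLSv1.2.

```java
import javax.net.ssl.SSLContext;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;

// Hypothetical class name; illustration only.
public class Tls12ClientExample {

    // Option 1: pin the enabled protocols on the socket factory. The list
    // applies to every socket this client opens, whatever the JVM defaults
    // or the https.protocols system property say.
    static CloseableHttpClient pinnedTls12Client() {
        SSLContext ctx = SSLContexts.createSystemDefault();
        SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(
                ctx,
                new String[] {"TLSv1.2"},  // enabled protocols
                null,                      // null keeps the default cipher suites
                SSLConnectionSocketFactory.getDefaultHostnameVerifier());
        return HttpClients.custom().setSSLSocketFactory(sslsf).build();
    }

    // Option 2: let the builder take https.protocols and https.cipherSuites
    // from system properties, e.g. -Dhttps.protocols=TLSv1.2. A builder
    // created without useSystemProperties() does not read them.
    static CloseableHttpClient systemPropertyClient() {
        return HttpClients.custom().useSystemProperties().build();
    }

    public static void main(String[] args) throws Exception {
        // Placeholder URL; pass the real endpoint as the first argument.
        String url = args.length > 0 ? args[0] : "https://example.org/";
        CloseableHttpClient client = pinnedTls12Client();
        try {
            // Fails with an exception instead of downgrading if TLSv1.2
            // cannot be enabled or the server does not accept it.
            CloseableHttpResponse rsp = client.execute(new HttpGet(url));
            try {
                System.out.println(rsp.getStatusLine());
            } finally {
                rsp.close();
            }
        } finally {
            client.close();
        }
    }
}
```

If the JSSE provider does not support TLSv1.2, enabling it on the socket raises `IllegalArgumentException`, so the pinned client fails closed rather than silently negotiating an older protocol.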