[jira] [Updated] (HTTPCLIENT-1967) HttpClient does not appears to support TLSv1.3 well

FUMIN (JIRA) Fri, 25 Jan 2019 12:59:07 -0800


     [ 
https://issues.apache.org/jira/browse/HTTPCLIENT-1967?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


FUMIN updated HTTPCLIENT-1967:
------------------------------
    Description: 
# Set up a clean Apache Tomcat server, in my case I downloaded 8.5.37.
 # Setup and change the server.xml to setup HTTPS/TLS 1.3 connector, I have 
this section:

    <Connector port="8443" protocol="HTTP/1.1" scheme="https" secure="true"
                maxThreads="150" SSLEnabled="true" >
         <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
         <SSLHostConfig ciphers="TLS_AES_256_GCM_SHA384" protocols="TLSv1.3" 
sslProtocol="TLS">
             <Certificate certificateKeystoreFile="conf/.keystore" 
certificateKeystoreType="jks"/>
         </SSLHostConfig>
     </Connector>

3. Connect from Chrome or Firefox, able to verify browser can connect to the 
server with TLSv1.3 cipher suites.

4. Use a test program, such as the attached.  Update the URL to point to the 
TLS1.3 supported server. Run the program, Notice the behavior.

The stacktrace of the Exception:

javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
    at 
java.base/sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:526)
    at 
org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:464)
    at 
org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:397)
    at 
org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
    at 
org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
    at 
org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:373)
    at 
org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:394)
    at 
org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
    at 
org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
    at 
org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
    at 
org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
    at 
org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
    at 
org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
    at 
org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
    at TestHttpClient.makeRequest(TestHttpClient.java:33)
    at TestHttpClient.main(TestHttpClient.java:18)

 

(Note, I am using java 11 for both the server and the client where TLSv1.3 is 
supported)

  was:
# Set up a clean Apache Tomcat server, in my case I downloaded 8.5.37.
 # Setup and change the server.xml to setup HTTPS/TLS 1.3 connector, I have 
this section:

    <Connector port="8443" protocol="HTTP/1.1" scheme="https" secure="true"
                maxThreads="150" SSLEnabled="true" >
         <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
         <SSLHostConfig ciphers="TLS_AES_256_GCM_SHA384" protocols="TLSv1.3" 
sslProtocol="TLS">
             <Certificate certificateKeystoreFile="conf/.keystore" 
certificateKeystoreType="jks"/>
         </SSLHostConfig>
     </Connector>

3. Connect from Chrome or Firefox, able to verify browser can connect to the 
server with TLSv1.3 cipher suites.

4. Use a test program, such as the attached.  Update the URL to point to the 
TLS1.3 supported server. Run the program, Notice the behavior.

(Note, I am using java 11 for both the server and the client where TLSv1.3 is 
supported)


> HttpClient does not appears to support TLSv1.3 well
> ---------------------------------------------------
>
>                 Key: HTTPCLIENT-1967
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1967
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient (Windows)
>    Affects Versions: 4.5.3, 4.5.6
>         Environment: Windows
>            Reporter: FUMIN
>            Priority: Major
>         Attachments: TestHttpClient.java
>
>
> # Set up a clean Apache Tomcat server, in my case I downloaded 8.5.37.
>  # Setup and change the server.xml to setup HTTPS/TLS 1.3 connector, I have 
> this section:
>     <Connector port="8443" protocol="HTTP/1.1" scheme="https" secure="true"
>                 maxThreads="150" SSLEnabled="true" >
>          <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
>          <SSLHostConfig ciphers="TLS_AES_256_GCM_SHA384" protocols="TLSv1.3" 
> sslProtocol="TLS">
>              <Certificate certificateKeystoreFile="conf/.keystore" 
> certificateKeystoreType="jks"/>
>          </SSLHostConfig>
>      </Connector>
> 3. Connect from Chrome or Firefox, able to verify browser can connect to the 
> server with TLSv1.3 cipher suites.
> 4. Use a test program, such as the attached.  Update the URL to point to the 
> TLS1.3 supported server. Run the program, Notice the behavior.
> The stacktrace of the Exception:
> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>     at 
> java.base/sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:526)
>     at 
> org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:464)
>     at 
> org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:397)
>     at 
> org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
>     at 
> org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
>     at 
> org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:373)
>     at 
> org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:394)
>     at 
> org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
>     at 
> org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
>     at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
>     at 
> org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
>     at 
> org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
>     at 
> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
>     at 
> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
>     at 
> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
>     at TestHttpClient.makeRequest(TestHttpClient.java:33)
>     at TestHttpClient.main(TestHttpClient.java:18)
>  
> (Note, I am using java 11 for both the server and the client where TLSv1.3 is 
> supported)



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@hc.apache.org
For additional commands, e-mail: dev-h...@hc.apache.org

[jira] [Updated] (HTTPCLIENT-1967) HttpClient does not appears to support TLSv1.3 well

Reply via email to