[ https://issues.apache.org/jira/browse/HTTPCLIENT-1967?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16752681#comment-16752681 ]

FUMIN commented on HTTPCLIENT-1967:
-----------------------------------

Thanks Oleg for the follow up.

Let me try to summarize:

a. Using HttpClient to make HTTPS requests to a TLSv1.3 server does NOT always 
fail.

b. It looks like every other such request fails (if they share the same HttpClient 
instance): the 2nd, or every other, request would fail.

This is probably because TLSv1.3's communication is different from earlier 
versions.

It might be the same or a similar issue compared to:

- PROTON-1972: https://issues.apache.org/jira/browse/PROTON-1972
- GEODE-5819: https://issues.apache.org/jira/browse/GEODE-5819

1. The JRE version (output of java -version):

java version "11.0.2" 2018-10-16 LTS
Java(TM) SE Runtime Environment 18.9 (build 11.0.2+7-LTS)
Java HotSpot(TM) 64-Bit Server VM 18.9 (build 11.0.2+7-LTS, mixed mode)

(I have also tried with java 11, 11.0.1)

2. I added a stack trace and SSL debug log; the debug log is attached. The 
stack trace from when, every other time, making an HttpRequest (HttpPost or HttpGet) 
fails with the "Peer not authenticated" error is also here:

javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
    at java.base/sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:526)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:464)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:397)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:373)
    at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:394)
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
    at TestHttpClient.makeRequest(TestHttpClient.java:33)
    at TestHttpClient.main(TestHttpClient.java:18)

PLEASE NOTE THAT if a single request is made to that TLS1.3 server, it actually 
succeeds with no error.

3. I am not quite certain about "_complete_ wire / context log of the session as 
described here...". That link leads me to the "HttpClient Overview" web page. 
Above I just posted the stack trace and the SSL handshake debug log; hopefully 
that is what you are referring to.

> HttpClient does not appears to support TLSv1.3 well
> ---------------------------------------------------
>
>                 Key: HTTPCLIENT-1967
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1967
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient (Windows)
>    Affects Versions: 4.5.3, 4.5.6
>         Environment: Windows
>            Reporter: FUMIN
>            Priority: Major
>         Attachments: TestHttpClient.java, 
> ssl_handshake_debugresult_2requests_using_the_same_HttpClient_Instnace.txt
>
>
> 1. Set up a clean Apache Tomcat server, in my case I downloaded 8.5.37.
> 2. Set up and change the server.xml to set up an HTTPS/TLS 1.3 connector; I have 
> this section:
>     <Connector port="8443" protocol="HTTP/1.1" scheme="https" secure="true"
>                 maxThreads="150" SSLEnabled="true" >
>          <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
>          <SSLHostConfig ciphers="TLS_AES_256_GCM_SHA384" protocols="TLSv1.3" 
> sslProtocol="TLS">
>              <Certificate certificateKeystoreFile="conf/.keystore" 
> certificateKeystoreType="jks"/>
>          </SSLHostConfig>
>      </Connector>
> 3. Connect from Chrome or Firefox; I am able to verify the browser can connect to the 
> server with TLSv1.3 cipher suites.
> 4. Use a test program, such as the attached. Update the URL to point to the 
> TLS1.3-supporting server. Run the program and notice the behavior.
> The stack trace of the Exception:
> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>     at java.base/sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:526)
>     at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:464)
>     at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:397)
>     at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
>     at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
>     at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:373)
>     at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:394)
>     at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
>     at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
>     at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
>     at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
>     at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
>     at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
>     at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
>     at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
>     at TestHttpClient.makeRequest(TestHttpClient.java:33)
>     at TestHttpClient.main(TestHttpClient.java:18)
>  
> (Note, I am using java 11 for both the server and the client where TLSv1.3 is 
> supported)
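
The stack trace above fails inside SSLSessionImpl.getPeerCertificates(), called from HttpClient's verifyHostname(). The probe below is an added example, not the reporter's attachment nor code from the HttpClient project: it reproduces the "several connections through one shared client" pattern with plain JSSE only, so a reader can tell whether the JSSE session itself lacks the peer chain on later connections or whether HttpClient is at fault. The class name, the HEAD request used to pick up the session ticket, and the truststore path are assumptions.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

/** Opens several TLSv1.3 connections through ONE SSLContext (one shared JSSE session cache, as
 *  with one shared HttpClient instance) and reports, per connection, whether the session exposes
 *  peer certificates right after the handshake: the call that throws in the stack trace above.
 *  Usage with the Tomcat cert trusted: java -Djavax.net.ssl.trustStore=ts.jks Tls13PeerCertProbe host 8443 */
public class Tls13PeerCertProbe {
    /** Outcome of one handshake; an equal creationTime across probes means the session was resumed. */
    public static final class Probe {
        public final String protocol, cipher, peerSubject; // peerSubject == null: "peer not authenticated"
        public final long creationTime;
        Probe(String p, String c, long t, String s) { protocol = p; cipher = c; creationTime = t; peerSubject = s; }
    }

    public static Probe probe(SSLContext ctx, String host, int port) throws IOException {
        try (SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            sock.setEnabledProtocols(new String[] {"TLSv1.3"});
            SSLParameters params = sock.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS"); // hostname verification stays ON
            sock.setSSLParameters(params);
            sock.startHandshake();
            SSLSession session = sock.getSession();
            String subject = null;
            try { // same call HttpClient's verifyHostname() makes: SSLSessionImpl.getPeerCertificates()
                subject = ((X509Certificate) session.getPeerCertificates()[0]).getSubjectX500Principal().getName();
            } catch (SSLPeerUnverifiedException e) {
                // session carries no peer chain: the failure the report describes
            }
            // Exchange one request so the client reads the server's NewSessionTicket; without it TLS 1.3
            // resumption never happens and an "every other request" pattern could not appear here.
            sock.getOutputStream().write(("HEAD / HTTP/1.0\r\nHost: " + host + "\r\n\r\n")
                    .getBytes(StandardCharsets.US_ASCII));
            sock.getInputStream().transferTo(OutputStream.nullOutputStream());
            return new Probe(session.getProtocol(), session.getCipherSuite(), session.getCreationTime(), subject);
        }
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault(); // ONE context for all connections
        for (int i = 1; i <= 4; i++) {
            Probe p = probe(ctx, args[0], Integer.parseInt(args[1]));
            System.out.printf("#%d %s %s created=%d peerCerts=%s%n", i, p.protocol, p.cipher,
                    p.creationTime, p.peerSubject == null ? "UNAVAILABLE" : p.peerSubject);
        }
    }
}
```

If a later probe prints the same created value as the first one together with UNAVAILABLE, the resumed JSSE session is missing the peer chain independently of HttpClient; if every probe shows the chain, the problem sits in how HttpClient drives the socket. Either way the fix is not to drop hostname verification (e.g. a no-op HostnameVerifier), which would silently remove the check that this exception is enforcing.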



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
