Artem Smotrakov created HTTPCLIENT-1969:
-------------------------------------------

             Summary: Filter out weak TLS cipher suites in Apache HttpClient
                 Key: HTTPCLIENT-1969
                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1969
             Project: HttpComponents HttpClient
          Issue Type: Improvement
          Components: HttpClient (classic)
    Affects Versions: 4.5.7
            Reporter: Artem Smotrakov
         Attachments: SSLConnectionSocketFactory.java.patch

SSLConnectionSocketFactory filters out insecure SSL protocols if a user didn't 
explicitly enable them

[https://github.com/apache/httpcomponents-client/blob/4.5.x/httpclient/src/main/java/org/apache/http/conn/ssl/SSLConnectionSocketFactory.java#L386]

But it doesn't filter out insecure cipher suites which use weak algorithms such 
as SHA-1, RC4, DES, 3DES, etc. In fact, insecure cipher suites may be blocked 
by a TLS implementation like JSSE if a user uses modern versions of JDK. But if 
the user doesn't upgrade JDK or the JDK is not supported anymore by the vendor, 
then insecure cipher suites may be used for TLS connections. Implementing 
such a filter for weak TLS cipher suites may be an additional defense-in-depth 
measure which may help users to use HttpClient in a safe way.

I am attaching a patch (draft) for SSLConnectionSocketFactory which adds such a 
filtering mechanism. If no objections, I'll finalize it and create a pull 
request.
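The filtering mechanism the report proposes, as an added illustration (not the attached patch and not HttpClient's own code): a hypothetical subclass of the 4.5.x SSLConnectionSocketFactory that uses its prepareSocket hook, which runs after the factory's own protocol filtering, to drop cipher suites whose JSSE names indicate the weak algorithms listed above. The pattern list and the fail-closed branch are assumptions of this example, and it assumes the httpclient 4.5.x jar on the classpath.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;

/** Hypothetical factory that removes weak cipher suites from each socket before the handshake. */
public class WeakSuiteFilteringSocketFactory extends SSLConnectionSocketFactory {

    // Weak suites by JSSE naming convention (assumed list for this example):
    // NULL/anonymous/export suites, RC4, DES/3DES, MD5 MACs, and HMAC-SHA-1
    // suites (names ending in "_SHA"; SHA256/SHA384 suites are kept).
    private static final Pattern WEAK = Pattern.compile(
        "_NULL_|_anon_|_EXPORT|_RC4_|_DES_|_3DES_|DES40|_MD5$|_SHA$");

    public WeakSuiteFilteringSocketFactory(SSLContext ctx, HostnameVerifier verifier) {
        super(ctx, verifier);
    }

    /** Returns the subset of {@code suites} that matches none of the weak patterns. */
    static String[] filterWeak(String[] suites) {
        List<String> kept = new ArrayList<String>();
        for (String s : suites) {
            if (!WEAK.matcher(s).find()) {
                kept.add(s);
            }
        }
        return kept.toArray(new String[0]);
    }

    @Override
    protected void prepareSocket(SSLSocket socket) throws IOException {
        // getEnabledCipherSuites() reflects whatever the JDK (or an explicit
        // constructor argument) enabled; only the weak entries are removed here.
        String[] strong = filterWeak(socket.getEnabledCipherSuites());
        if (strong.length == 0) {
            // Fail closed rather than attempt a handshake with an empty suite list.
            throw new IOException("no acceptable TLS cipher suites are enabled");
        }
        socket.setEnabledCipherSuites(strong);
    }
}
```

On an old JDK that offers only CBC/HMAC-SHA-1 suites, the `_SHA$` rule can leave nothing enabled, which the fail-closed branch makes visible instead of silently connecting with a weak suite.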



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)