[https://issues.apache.org/jira/browse/HTTPCLIENT-1969?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel]
Oleg Kalnichevski resolved HTTPCLIENT-1969.
-------------------------------------------
Resolution: Fixed
Fix Version/s: 5.0 Beta4, 4.5.9
> Filter out weak TLS cipher suites in Apache HttpClient
> ------------------------------------------------------
>
> Key: HTTPCLIENT-1969
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1969
> Project: HttpComponents HttpClient
> Issue Type: Improvement
> Components: HttpClient (classic)
> Affects Versions: 4.5.7
> Reporter: Artem Smotrakov
> Priority: Major
> Fix For: 4.5.9, 5.0 Beta4
>
> Attachments: SSLConnectionSocketFactory.java.patch
>
> Time Spent: 4h 50m
> Remaining Estimate: 0h
>
> SSLConnectionSocketFactory filters out insecure SSL protocols if a user
> didn't explicitly enable them
> [https://github.com/apache/httpcomponents-client/blob/4.5.x/httpclient/src/main/java/org/apache/http/conn/ssl/SSLConnectionSocketFactory.java#L386]
> But it doesn't filter out insecure cipher suites which use weak algorithms
> such as SHA-1, RC4, DES, 3DES, etc. In fact, insecure cipher suites may be
> blocked by a TLS implementation like JSSE if a user uses modern versions of
> the JDK. But if the user doesn't upgrade the JDK, or the JDK is not supported
> anymore by the vendor, then insecure cipher suites may be used for TLS
> connections. Implementing such a filter for weak TLS cipher suites may be an
> additional defense-in-depth measure which may help users to use HttpClient in
> a safe way.
>
> I am attaching a patch (draft) for SSLConnectionSocketFactory which adds such
> a filtering mechanism. If there are no objections, I'll finalize it and create
> a pull request.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
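The defense-in-depth the issue asks for can already be applied from application code on HttpClient 4.5.x, by stripping weak suites from the JSSE defaults before handing the list to SSLConnectionSocketFactory. The following is an added example, not code from the issue or from the attached patch; the deny-list pattern (WEAK) is an assumption chosen to match the algorithms the report names, and the class and method names are hypothetical.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

import javax.net.ssl.SSLContext;

import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;

public final class WeakCipherSuiteFilter {

    // Assumed deny-list: suite names that advertise RC4, DES/3DES, a bare SHA-1 MAC
    // (trailing "_SHA", not "_SHA256"/"_SHA384"), MD5, NULL, anonymous or export suites.
    private static final Pattern WEAK = Pattern.compile(
            "_(RC4|DES|3DES|MD5|SHA|NULL|anon|EXPORT)(_|$)");

    /** Returns the entries of {@code candidates} that do not match the deny-list. */
    public static String[] filterWeakSuites(String[] candidates) {
        List<String> kept = new ArrayList<>();
        for (String suite : candidates) {
            if (!WEAK.matcher(suite).find()) {
                kept.add(suite);
            }
        }
        return kept.toArray(new String[0]);
    }

    /** Keeps only TLS 1.2 and 1.3 from whatever the JSSE provider reports as supported. */
    public static String[] modernProtocols(String[] supported) {
        List<String> kept = new ArrayList<>();
        for (String p : supported) {
            if (p.equals("TLSv1.2") || p.equals("TLSv1.3")) {
                kept.add(p);
            }
        }
        return kept.toArray(new String[0]);
    }

    public static CloseableHttpClient newClient() {
        SSLContext ctx = SSLContexts.createDefault();
        // Derive both lists from this context, so every value passed to
        // setEnabledCipherSuites/setEnabledProtocols is one the provider accepts.
        String[] suites = filterWeakSuites(ctx.getDefaultSSLParameters().getCipherSuites());
        String[] protocols = modernProtocols(ctx.getSupportedSSLParameters().getProtocols());
        SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(
                ctx, protocols, suites, SSLConnectionSocketFactory.getDefaultHostnameVerifier());
        return HttpClients.custom().setSSLSocketFactory(sslsf).build();
    }
}
```

On a JDK whose defaults still include suites such as TLS_RSA_WITH_3DES_EDE_CBC_SHA or TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, those are dropped while the AES-GCM and ChaCha20 suites ending in SHA256/SHA384 are kept.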