[jira] [Commented] (HTTPCLIENT-2134) HttpClient doesn't reuse TLS 1.2 Session

Mon, 08 Feb 2021 10:04:28 -0800 


    [ 
https://issues.apache.org/jira/browse/HTTPCLIENT-2134?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17281268#comment-17281268
 ] 

Maxim Egorov commented on HTTPCLIENT-2134:
------------------------------------------

> [~m_v_egorov] Why? Why should HttpClient be doing it? Is there a statement or 
>a requirement in the HTTP spec to that effect?

[~olegk], I think, because of tls session reusing is obvious requirement :). 
I'm sure, there are many many https server still not supporting extended master 
key extension, so in all this cases everybody will need to set up custom ssl 
socket factory. For example we discovered this behavior of HttpClient 
accidentally.

> If you want us to make any changes to HttpClient code or its default behavor 
>please raise a PR at GitHub with the proposed changes.

Ok. But i'm not sure that i have enough level of expertise in HttpClient. I 
thought it's not big problem to fix this issue.

 

Thanks, Oleg

 

> HttpClient doesn't reuse TLS 1.2 Session
> ----------------------------------------
>
>                 Key: HTTPCLIENT-2134
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-2134
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient (classic)
>    Affects Versions: 4.5.13, 5.0.3
>            Reporter: Maxim Egorov
>            Priority: Major
>         Attachments: TestApacheHttpClientApp.java, handshake.log
>
>
> To reproduce run on java 11+:
> java -cp ... -Djavax.net.debug=ssl:handshake TestApacheHttpClientApp
> As you can see from handshake.log file HttpClient always create new tls 
> session.
> The root of problem is support of Extended Master Key Extension in 
> [https://github.com/openjdk/jdk/blob/jdk-11+28/src/java.base/share/classes/sun/security/ssl/ClientHello.java#L497.]
>  The standard jdk HttpURLConnection doesn't be affected this issues because 
> of it sets chc.sslConfig.identificationProtocol equals to HTTPS by default 
> [https://github.com/openjdk/jdk/blob/jdk-11%2B28/src/java.base/share/classes/sun/net/www/protocol/https/HttpsClient.java#L560.]
>  I tried to repeat the same trick (The commented code), but due to the bugs 
> of JDK [https://bugs.openjdk.java.net/browse/JDK-8253368] and may be 
> incorrect implementation of method 
> org.apache.http.impl.BHttpConnectionBase.close it doesn't work.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@hc.apache.org
For additional commands, e-mail: dev-h...@hc.apache.org

Reply via email to