> -----Original Message-----
> From: Bhowmik, Bindul [mailto:bindulbhow...@gmail.com]
> Sent: Friday, February 10, 2017 3:12 PM
> To: HttpClient User Discussion <httpclient-users@hc.apache.org>
> Subject: Re: How to use TLSv1.2 with httpclient 4.1.2 (httpcore 4.1.3)
>
> On Fri, Feb 10, 2017 at 3:30 PM, KARR, DAVID <dk0...@att.com> wrote:
> > I've been asked to look at some old code using httpclient-4.1.2 and
> > httpcore-4.1.3, which connects to internal sites using TLSv1.0. We now
> > need to force it to use TLSv1.2. Several other devs have tried to get
> > this to work, and they've all given up, for now. I've seen many
> > StackOverflow postings, and in other places, that talk about the various
> > ways to resolve this.
> >
> > Could someone give me a succinct summary of what I need to do to make
> > this work?
> >
> > If part of the answer means that I'll need to upgrade to a newer
> > version of httpclient, I'm ok with that, but only if it's really
> > necessary. Upgrading that may result in other impacts which I'd like to
> > minimize.
>
> You might want to look at this thread [1] discussing a similar query.
> However, the SSLConnectionSocketFactory [2] used in that example was
> introduced in client version 4.3, according to the class documentation.
>
> Another option would be to disable TLS v1.0 in the JRE itself [3].
Accounting for the fact that I misspoke on the httpclient version I'm using, I can see that using the "jdk.tls.client.protocols" system property will be the ideal solution, if we can get access to the 1.7.0_95 installer (this is in the "Advanced Java" realm, so it is not "freely available"). Failing that, combining the info on that page with a code sample that someone else assembled (I don't know what their source was), my first cut at a solution is at the end of this message. I'm hoping that this will work for both a TLSv1.0 server and a TLSv1.2 server, and will also work fine if/when we upgrade our client to Java 8.

Note that I've commented out the variation that doesn't do hostname verification. I'm not sure if I'm going to need that.

Does this look reasonable?

-----------------
// Imports added for completeness; the posted snippet began at the method.
// The surrounding class is assumed to provide logger, getMaxTotalConnections()
// and getMaxPerRouteConnection().
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

import org.apache.http.config.Registry;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.conn.HttpClientConnectionManager;
import org.apache.http.conn.socket.ConnectionSocketFactory;
//import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;

// Typed as the pooling implementation so that setMaxTotal() and
// setDefaultMaxPerRoute() below compile; the interface has neither.
private PoolingHttpClientConnectionManager mConnManager;

private HttpClientConnectionManager getHttpConnectionManager() {
    if (mConnManager != null) {
        return mConnManager;
    }
    try {
        // JCA algorithm names are case-insensitive, so "TLSV1.2" also works; the
        // documented name is "TLSv1.2". A TLSv1.2 context does not by itself force
        // TLSv1.2: on Java 7 and 8 its client sockets still enable TLSv1.0 and
        // TLSv1.1 by default. Pinning requires jdk.tls.client.protocols or an
        // explicit supportedProtocols list on the socket factory.
        SSLContext context = SSLContext.getInstance("TLSv1.2");
        // WARNING: this trust manager accepts every certificate chain without
        // checking it, so the client will complete a handshake with any server,
        // including one impersonating the internal sites. Certificate validation
        // is disabled while this is in place.
        X509TrustManager trustManager = new X509TrustManager() {
            @Override
            public X509Certificate[] getAcceptedIssuers() {
                // The interface contract requires a non-null array; returning
                // null can cause NullPointerExceptions inside the JSSE provider.
                return new X509Certificate[0];
            }
            @Override
            public void checkClientTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
            }
            @Override
            public void checkServerTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
            }
        };
        context.init(null, new TrustManager[] {trustManager}, null);
        // This constructor keeps hostname verification (browser-compatible
        // verifier in 4.3, DefaultHostnameVerifier from 4.4 on).
        SSLConnectionSocketFactory factory = new SSLConnectionSocketFactory(context);
        // NoopHostnameVerifier (4.4+) would drop the hostname check as well; combined
        // with the trust manager above there would be no server authentication at all.
        //SSLConnectionSocketFactory factory = new SSLConnectionSocketFactory(context, NoopHostnameVerifier.INSTANCE);
        // Only "https" is registered: plain http URLs will fail with this manager.
        Registry<ConnectionSocketFactory> registry = RegistryBuilder.<ConnectionSocketFactory> create()
                .register("https", factory)
                .build();
        mConnManager = new PoolingHttpClientConnectionManager(registry);
        mConnManager.setMaxTotal(getMaxTotalConnections());
        mConnManager.setDefaultMaxPerRoute(getMaxPerRouteConnection());
    } catch (NoSuchAlgorithmException | KeyManagementException ex) {
        logger.logError(ex);
    }
    return mConnManager;
}
-------------
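As an added example (not code from this thread or from the HttpClient project), here is a variant of the snippet above that actually restricts the handshake to TLSv1.2 while keeping the JVM's default trust store and hostname verification, instead of the trust-all manager. It assumes HttpClient 4.4 or later on the classpath (DefaultHostnameVerifier and the four-argument SSLConnectionSocketFactory constructor; on 4.3 use SSLConnectionSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER instead) and Java 7 or 8. The class name, pool sizes, the enabled-protocol check in prepareSocket and the handshake logging are my own choices.

```java
import java.io.IOException;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;

import javax.net.ssl.HandshakeCompletedEvent;
import javax.net.ssl.HandshakeCompletedListener;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLSocket;

import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.config.Registry;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.conn.socket.ConnectionSocketFactory;
import org.apache.http.conn.socket.PlainConnectionSocketFactory;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
import org.apache.http.util.EntityUtils;

/** Added example (HttpClient 4.4+): TLSv1.2-only client that keeps certificate and hostname checks. */
public final class Tls12OnlyClient {

    /** The handshake is pinned by this list, not by the name passed to SSLContext.getInstance(). */
    private static final String[] PROTOCOLS = { "TLSv1.2" };

    /** What this JVM offers when nothing is pinned; on Java 7/8 the list normally still has TLSv1 and TLSv1.1. */
    static String[] jvmDefaultClientProtocols() throws NoSuchAlgorithmException {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(true);
        return engine.getEnabledProtocols();
    }

    static SSLConnectionSocketFactory tls12SocketFactory() throws NoSuchAlgorithmException {
        // SSLContext.getDefault() validates server certificates against the JVM trust store
        // (cacerts or javax.net.ssl.trustStore), unlike the trust-all manager in the snippet above.
        SSLContext ctx = SSLContext.getDefault();
        // 4.4+ constructor: context, supportedProtocols, supportedCipherSuites, hostnameVerifier.
        // null cipher suites keeps the JVM defaults; DefaultHostnameVerifier does RFC 2818 matching.
        return new SSLConnectionSocketFactory(ctx, PROTOCOLS, null, new DefaultHostnameVerifier()) {
            @Override
            protected void prepareSocket(SSLSocket socket) throws IOException {
                // The factory has already called setEnabledProtocols(PROTOCOLS); fail fast if not.
                String[] enabled = socket.getEnabledProtocols();
                if (!Arrays.equals(enabled, PROTOCOLS)) {
                    throw new IOException("unexpected enabled protocols " + Arrays.toString(enabled));
                }
                // Log what was actually negotiated; a TLSv1.0-only server will fail the handshake.
                socket.addHandshakeCompletedListener(new HandshakeCompletedListener() {
                    @Override
                    public void handshakeCompleted(HandshakeCompletedEvent e) {
                        System.out.println("negotiated " + e.getSession().getProtocol()
                                + " with " + e.getCipherSuite());
                    }
                });
            }
        };
    }

    /** Pool wired to the pinned factory; plain http is registered too so non-TLS URLs keep working. */
    static CloseableHttpClient newClient(int maxTotal, int maxPerRoute) throws NoSuchAlgorithmException {
        Registry<ConnectionSocketFactory> registry = RegistryBuilder.<ConnectionSocketFactory>create()
                .register("http", PlainConnectionSocketFactory.getSocketFactory())
                .register("https", tls12SocketFactory())
                .build();
        PoolingHttpClientConnectionManager cm = new PoolingHttpClientConnectionManager(registry);
        cm.setMaxTotal(maxTotal);
        cm.setDefaultMaxPerRoute(maxPerRoute);
        return HttpClients.custom().setConnectionManager(cm).build();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("JVM default client protocols: " + Arrays.toString(jvmDefaultClientProtocols()));
        System.out.println("jdk.tls.client.protocols=" + System.getProperty("jdk.tls.client.protocols"));
        if (args.length == 0) {
            return; // offline run: only report what the JVM would enable
        }
        try (CloseableHttpClient client = newClient(20, 4);
             CloseableHttpResponse resp = client.execute(new HttpGet(args[0]))) {
            System.out.println(resp.getStatusLine());
            EntityUtils.consume(resp.getEntity());
        }
    }
}
```

Run with no arguments to see the JVM's default protocol list (the reason the explicit list matters), or with an https URL to see the negotiated protocol and cipher suite. If the client cannot be moved past 4.2, the same pinning is available JVM-wide with -Djdk.tls.client.protocols=TLSv1.2 on 7u95 or later, which is the route the thread already points at; the per-factory list is the option once SSLConnectionSocketFactory (4.3+) is on the classpath.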