[jira] [Commented] (CXF-8952) HttpClientHTTPConduit in CXF doesn't support TLSv1.3 along with other protocols

Thu, 02 Nov 2023 04:39:26 -0700 


    [ 
https://issues.apache.org/jira/browse/CXF-8952?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17782112#comment-17782112
 ] 

Andriy Redko commented on CXF-8952:
-----------------------------------

[~coheigea] nice catch, we should fix that as well (will create a covering 
issue shortly), thank you

> HttpClientHTTPConduit in CXF doesn't support TLSv1.3 along with other 
> protocols
> -------------------------------------------------------------------------------
>
>                 Key: CXF-8952
>                 URL: https://issues.apache.org/jira/browse/CXF-8952
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS
>    Affects Versions: 3.6.2, 4.0.3
>            Reporter: Sebastian Violet
>            Assignee: Daniel Kulp
>            Priority: Critical
>             Fix For: 3.6.3, 4.0.4
>
>         Attachments: image-2023-10-30-17-30-19-307.png
>
>
>  *HttpClientHTTPConduit* does't have support for TLSv1.3 out of the box. 
> [Look at line #253 
> here|https://github.com/apache/cxf/blob/ee4244116cb49c007bde3ee7ee6a06a4cfb26027/rt/transports/http/src/main/java/org/apache/cxf/transport/http/HttpClientHTTPConduit.java#L253].
> !image-2023-10-30-17-30-19-307.png|width=821,height=227!
>  This means that any endpoint which solely supports *TLSv1.3* and has turned 
> off other lower protocols will fail SSL Handshake.
> One can pass in a singular {*}secureSocketProtocol{*}, but that doesn't 
> support passing in a list for negotiation fallback.
> I.e. We can do the following:
> {code:java}
> ClientConfiguration config = WebClient.getConfig(service);
> final TLSClientParameters tlsClientParameters = 
> ObjectUtils.firstNonNull(config.getHttpConduit().getTlsClientParameters(), 
> new TLSClientParameters());
>  tlsClientParameters.setSecureSocketProtocol("TLSv1.3");
> {code}
> However, this will not work with endpoints that do now support {*}TLSv1.3{*}; 
> it works great for endpoints that only have *TLSv1.3* though.
>  
> {*}Solution{*}:
> {*}Option 1{*}({color:#FF0000}Ideal; *recommended*{color}): Add *TLSv1.3* to 
> the list of protocols when creating the HttpClient through the builder.
> {*}Option 2{*}: Allow *setSecureSocketProtocol* to take in an *array* of 
> protocols.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to