Re: How to enable TLS 1.3 post-handshake authentication with HTTP 1.1
On 2023/09/12 16:29:04 Torsten Krah wrote:
> On Tuesday, 12.09.2023 at 18:08 +0200 Oleg Kalnichevski wrote:
> > This statement is meaningless. All versions of HttpClient have their
> > own http classes. And all versions of HttpClient have always been
> > using JSSE for its transport security and nothing else. If you are not
> > happy with JSSE, Oracle's implementation of JSSE, or anything we
> > provide as a project, build your own.
>
> I never said anywhere I am not happy with the project nor anything else
> about the JSSE impl, I don't know where you read that - if I were not
> happy with it, I would not use it and ask questions on the PHA support.
>
> The project does provide a user mailing list, so either you want to
> help like Michael and provide something useful to your users' questions
> or you don't want to help, but in that case why be subscribed to the
> user mailing list in the first place?
>
> It was a simple question about PHA which Michael answered (thanks for
> that) and that's it - your whole point / discussion did not shed
> anything new on the topic at all.
>
> Conclusion: Michael did help me and at least I won't discuss that any
> further, the topic is answered, thanks.

Getting back to the actual topic: I consider Xulei's justification not to
implement it as just nonsense because he's totally focused on HTTP/2. The
world does not revolve around HTTP and there are plenty of other
protocols, maybe even custom ones, which could benefit from it.

SunJSSE has always been mediocre and crap on the server side; luckily
Tomcat supports OpenSSL out of the box.

---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscr...@hc.apache.org
For additional commands, e-mail: httpclient-users-h...@hc.apache.org
Re: How to enable TLS 1.3 post-handshake authentication with HTTP 1.1
On Tuesday, 12.09.2023 at 18:08 +0200 Oleg Kalnichevski wrote:
> This statement is meaningless. All versions of HttpClient have their
> own http classes. And all versions of HttpClient have always been
> using JSSE for its transport security and nothing else. If you are not
> happy with JSSE, Oracle's implementation of JSSE, or anything we
> provide as a project, build your own.

I never said anywhere I am not happy with the project nor anything else
about the JSSE impl, I don't know where you read that - if I were not
happy with it, I would not use it and ask questions on the PHA support.

The project does provide a user mailing list, so either you want to
help like Michael and provide something useful to your users' questions
or you don't want to help, but in that case why be subscribed to the
user mailing list in the first place?

It was a simple question about PHA which Michael answered (thanks for
that) and that's it - your whole point / discussion did not shed
anything new on the topic at all.

Conclusion: Michael did help me and at least I won't discuss that any
further, the topic is answered, thanks.

Torsten
Re: How to enable TLS 1.3 post-handshake authentication with HTTP 1.1
On Tue, 2023-09-12 at 18:00 +0200, Torsten Krah wrote:
> On Tuesday, 12.09.2023 at 17:54 +0200 Oleg Kalnichevski wrote:
> > Confirms how? HttpClient has always been using JSSE APIs and
> > nothing else. Like it does now.
>
> I said the old HttpComponents had their own http classes

This statement is meaningless. All versions of HttpClient have their
own http classes. And all versions of HttpClient have always been using
JSSE for its transport security and nothing else. If you are not happy
with JSSE, Oracle's implementation of JSSE, or anything we provide as a
project, build your own.

Oleg
Re: How to enable TLS 1.3 post-handshake authentication with HTTP 1.1
On Tuesday, 12.09.2023 at 17:54 +0200 Oleg Kalnichevski wrote:
> Confirms how? HttpClient has always been using JSSE APIs and nothing
> else. Like it does now.

I said the old HttpComponents had their own http classes and if you look
at the code of HttpConnection, it does not extend / use the java.net.http
ones. It had its own code for stuff for which JSSE has had classes since
JDK 1.1. I never said that it did not use any JSSE API at all, I just
said it had its own code for http stuff (for which there was already a
JSSE class); looking at that old code, that statement is still correct
imho.

Torsten
Re: How to enable TLS 1.3 post-handshake authentication with HTTP 1.1
On Tue, 2023-09-12 at 17:51 +0200, Torsten Krah wrote:
> On Tuesday, 12.09.2023 at 17:42 +0200 Oleg Kalnichevski wrote:
> > http://svn.apache.org/viewvc/httpcomponents/oac.hc3x/trunk/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java?revision=1422573&view=markup
> >
> > Oleg
>
> That confirms my statement, look at the imports, there is no import
> on the java.net.http classes, right?

Confirms how? HttpClient has always been using JSSE APIs and nothing
else. Like it does now.

Oleg
Re: How to enable TLS 1.3 post-handshake authentication with HTTP 1.1
On Tuesday, 12.09.2023 at 17:42 +0200 Oleg Kalnichevski wrote:
> http://svn.apache.org/viewvc/httpcomponents/oac.hc3x/trunk/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java?revision=1422573&view=markup
>
> Oleg

That confirms my statement, look at the imports, there is no import on
the java.net.http classes, right?

Torsten
Re: How to enable TLS 1.3 post-handshake authentication with HTTP 1.1
On Tue, 2023-09-12 at 17:36 +0200, Torsten Krah wrote:
> > You do not.
>
> Looking at [1] the http classes (e.g. [2]) do not leverage the
> java.net.http classes, so at least on that part I do remember right,
> imho.

http://svn.apache.org/viewvc/httpcomponents/oac.hc3x/trunk/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java?revision=1422573&view=markup

Oleg
Re: How to enable TLS 1.3 post-handshake authentication with HTTP 1.1
> You do not.

Looking at [1] the http classes (e.g. [2]) do not leverage the
java.net.http classes, so at least on that part I do remember right,
imho.

[1] http://svn.apache.org/viewvc/httpcomponents/oac.hc3x/trunk/src/java/org/apache/commons/httpclient/
[2] http://svn.apache.org/viewvc/httpcomponents/oac.hc3x/trunk/src/java/org/apache/commons/httpclient/HttpConnection.java?view=markup

> There is nothing stopping anyone from building their own connection
> socket factory (for classic i/o) or their own TLS strategy (for the
> async i/o) and adding whatever custom TLS behavior their heart desires.
>
> One can easily plug in custom JSSE implementations by the way if the
> default one shipped with the JRE is not good enough.
>
> We support Conscrypt JSSE based TLS strategies out of the box since
> 5.0.

Point taken, I never questioned that - but from a user perspective it
still comes down to:

Q: Does it work (can it be enabled) with the current code / implementation?
A: no

Torsten
Re: How to enable TLS 1.3 post-handshake authentication with HTTP 1.1
On Tue, 2023-09-12 at 15:06 +0000, Michael Osipov wrote:
> On 2023/09/12 14:53:52 Torsten Krah wrote:
> > On Tuesday, 12.09.2023 at 14:39 +0000 Michael Osipov wrote:
> > > How, did you expect us to write a custom JSSE provider?
> >
> > The old pre 4.x http components had their own http classes and did
> > not use the JSSE base ones - if I remember right

You do not.

> > - for their implementation, so it seemed not that unlikely that there
> > would be some custom code here, which may have that enabled (without
> > knowing what would be needed to accomplish that; if I had known, I
> > guess I could have answered the question myself) - that's why I did
> > ask the user mailing list, I had no time to read and understand the
> > whole code base before ;-).
>
> Well, I joined the project at 4.x times. Your statement is very
> likely true.

It is not.

> > > That is not correct. It would be unsupported if the underlying
> > > API would support it, but we would not expose it. Here, it is
> > > simply impossible.
> >
> > From a user perspective - the end result is the same, just the
> > reason is different - it is still unsupported (because it is not
> > possible with the current JSSE implementation HttpComponents does
> > use) - so just a nitpick in naming it, in the end:
> >
> > Q: Does it work (can it be enabled) with the current code /
> > implementation?
> > A: no ;)
>
> Point taken.

There is nothing stopping anyone from building their own connection
socket factory (for classic i/o) or their own TLS strategy (for the
async i/o) and adding whatever custom TLS behavior their heart desires.

One can easily plug in custom JSSE implementations by the way if the
default one shipped with the JRE is not good enough.

We support Conscrypt JSSE based TLS strategies out of the box since
5.0.

Oleg
Re: How to enable TLS 1.3 post-handshake authentication with HTTP 1.1
On 2023/09/12 14:53:52 Torsten Krah wrote:
> On Tuesday, 12.09.2023 at 14:39 +0000 Michael Osipov wrote:
> > How, did you expect us to write a custom JSSE provider?
>
> The old pre 4.x http components had their own http classes and did not
> use the JSSE base ones - if I remember right - for their
> implementation, so it seemed not that unlikely that there would be
> some custom code here, which may have that enabled (without knowing
> what would be needed to accomplish that; if I had known, I guess
> I could have answered the question myself) - that's why I did ask the
> user mailing list, I had no time to read and understand the whole code
> base before ;-).

Well, I joined the project at 4.x times. Your statement is very likely
true.

> > That is not correct. It would be unsupported if the underlying API
> > would support it, but we would not expose it. Here, it is simply
> > impossible.
>
> From a user perspective - the end result is the same, just the reason
> is different - it is still unsupported (because it is not possible with
> the current JSSE implementation HttpComponents does use) - so just a
> nitpick in naming it, in the end:
>
> Q: Does it work (can it be enabled) with the current code / implementation?
> A: no ;)

Point taken.
Re: How to enable TLS 1.3 post-handshake authentication with HTTP 1.1
On Tuesday, 12.09.2023 at 14:39 +0000 Michael Osipov wrote:
> How, did you expect us to write a custom JSSE provider?

The old pre 4.x http components had their own http classes and did not
use the JSSE base ones - if I remember right - for their implementation,
so it seemed not that unlikely that there would be some custom code
here, which may have that enabled (without knowing what would be needed
to accomplish that; if I had known, I guess I could have answered the
question myself) - that's why I did ask the user mailing list, I had no
time to read and understand the whole code base before ;-).

> That is not correct. It would be unsupported if the underlying API
> would support it, but we would not expose it. Here, it is simply
> impossible.

From a user perspective - the end result is the same, just the reason
is different - it is still unsupported (because it is not possible with
the current JSSE implementation HttpComponents does use) - so just a
nitpick in naming it, in the end:

Q: Does it work (can it be enabled) with the current code / implementation?
A: no ;)

Torsten
Re: How to enable TLS 1.3 post-handshake authentication with HTTP 1.1
On 2023/09/12 14:35:08 Torsten Krah wrote:
> On Tuesday, 12.09.2023 at 14:21 +0000 Michael Osipov wrote:
> > PHA is not implemented in SunJSSE.
>
> Yeah, I found https://bugs.openjdk.org/browse/JDK-8206923 -
> unfortunately no progress on that ticket so far - but I had hoped that
> HttpComponents brought its own impl which I could opt in to use.

How, did you expect us to write a custom JSSE provider?

> > Good luck!
>
> Imho that means out of luck here, so the workaround is to force TLS 1.2
> for the client connection, instead of TLS 1.3, where the mutual
> authentication topic is still working from a user perspective (although
> handled differently in the protocol and not via PHA).

Yes, that is the best option for now.

> Nevertheless, thanks for confirming that it is unsupported in
> HttpComponents.

That is not correct. It would be unsupported if the underlying API would
support it, but we would not expose it. Here, it is simply impossible.
Re: How to enable TLS 1.3 post-handshake authentication with HTTP 1.1
On Tuesday, 12.09.2023 at 14:21 +0000 Michael Osipov wrote:
> PHA is not implemented in SunJSSE.

Yeah, I found https://bugs.openjdk.org/browse/JDK-8206923 -
unfortunately no progress on that ticket so far - but I had hoped that
HttpComponents brought its own impl which I could opt in to use.

> Good luck!

Imho that means out of luck here, so the workaround is to force TLS 1.2
for the client connection, instead of TLS 1.3, where the mutual
authentication topic is still working from a user perspective (although
handled differently in the protocol and not via PHA).

Nevertheless, thanks for confirming that it is unsupported in
HttpComponents.

Torsten
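The workaround Torsten describes above (and Michael confirms as the best option for now) is to keep the client on TLS 1.2, so that a server which requires a client certificate only for some locations can ask for it through a TLS 1.2 handshake or renegotiation rather than TLS 1.3 post-handshake authentication. The following is an added example of how to do that with the HttpClient 5.x classic (blocking i/o) API; it is not code from the thread or from the HttpComponents project. The host name `mtls.example.test`, the key store file `client.p12`, its password and the class name are placeholders. The `SSLConnectionSocketFactory` constructor used here is the classic API of HttpClient 5.0 through 5.3; later releases deprecate it in favor of a `TlsSocketStrategy`, but the protocol pinning works the same way.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;

import org.apache.hc.client5.http.classic.methods.HttpGet;
import org.apache.hc.client5.http.impl.classic.CloseableHttpClient;
import org.apache.hc.client5.http.impl.classic.HttpClients;
import org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManager;
import org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManagerBuilder;
import org.apache.hc.client5.http.protocol.HttpClientContext;
import org.apache.hc.client5.http.ssl.HttpsSupport;
import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory;
import org.apache.hc.core5.http.io.entity.EntityUtils;
import org.apache.hc.core5.ssl.SSLContextBuilder;

/**
 * Added example, not from the thread: pin an HttpClient 5.x connection to TLS 1.2
 * so a server that wants a client certificate only for some locations can request
 * it through a TLS 1.2 handshake/renegotiation instead of TLS 1.3 post-handshake
 * authentication (PHA), which SunJSSE does not implement (JDK-8206923).
 */
public final class Tls12MutualAuthClient {

    // Placeholders (assumptions for this example): a PKCS#12 file holding the
    // client certificate and private key, and its password.
    private static final Path CLIENT_KEY_STORE = Path.of("client.p12");
    private static final char[] CLIENT_KEY_STORE_PASSWORD = "changeit".toCharArray();

    /** Loads the client key material; server trust stays on the JRE default trust store. */
    static SSLContext buildSslContext() throws GeneralSecurityException, IOException {
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(CLIENT_KEY_STORE)) {
            keyStore.load(in, CLIENT_KEY_STORE_PASSWORD);
        }
        return SSLContextBuilder.create()
                .loadKeyMaterial(keyStore, CLIENT_KEY_STORE_PASSWORD)
                .build();
    }

    /**
     * Builds a classic client whose TLS layer offers only TLSv1.2. Pinning the
     * protocol is the workaround itself, not a hardening measure: a TLS 1.3-only
     * server will refuse this handshake, so apply it only to the hosts that need it.
     */
    static CloseableHttpClient buildTls12Client(SSLContext sslContext) {
        SSLConnectionSocketFactory tls12Only = new SSLConnectionSocketFactory(
                sslContext,
                new String[] { "TLSv1.2" }, // enabled protocols: no TLSv1.3, hence no PHA needed
                null,                       // keep the JSSE default cipher suites
                HttpsSupport.getDefaultHostnameVerifier());
        PoolingHttpClientConnectionManager connectionManager =
                PoolingHttpClientConnectionManagerBuilder.create()
                        .setSSLSocketFactory(tls12Only)
                        .build();
        return HttpClients.custom()
                .setConnectionManager(connectionManager)
                .build();
    }

    /** Performs a GET and reports status plus negotiated protocol for a quick sanity check. */
    static String fetch(CloseableHttpClient client, String url) throws IOException {
        HttpClientContext context = HttpClientContext.create();
        return client.execute(new HttpGet(url), context, response -> {
            EntityUtils.consume(response.getEntity());
            // The session recorded in the context is the one established at connect time.
            SSLSession session = context.getSSLSession();
            String protocol = session != null ? session.getProtocol() : "no TLS";
            return "HTTP " + response.getCode() + " over " + protocol;
        });
    }

    public static void main(String[] args) throws Exception {
        // Placeholder URL for a location that httpd protects with a client certificate.
        String url = args.length > 0 ? args[0] : "https://mtls.example.test/protected/";
        try (CloseableHttpClient client = buildTls12Client(buildSslContext())) {
            System.out.println(fetch(client, url));
        }
    }
}
```

The real check is the HTTP status the protected location returns: with TLS 1.2 pinned, httpd can obtain the certificate during the handshake or a renegotiation and answer 200 where the same request over TLS 1.3 failed because the client could not answer the post-handshake CertificateRequest. Scope the pinned client to the hosts that need it and keep the default (TLS 1.3-capable) client for everything else.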
Re: How to enable TLS 1.3 post-handshake authentication with HTTP 1.1
On 2023/09/12 13:54:49 Torsten Krah wrote:
> Hi,
>
> how do I enable TLS 1.3 post-handshake authentication with HTTP 1.1
> when using HttpComponents?
>
> At the moment all my requests are failing if a TLS 1.3 host requires
> mutual TLS and the certificate is only required for some methods /
> URIs, where httpd will request that certificate via post-handshake
> authentication.
>
> I know it is forbidden for HTTP/2, but for HTTP 1.1 it is a valid
> extension to be used, e.g. curl had this
> https://github.com/curl/curl/issues/3026 issue where that feature was
> enabled, so how is it done for HttpComponents?

PHA is not implemented in SunJSSE. See:
https://pagure.io/dogtagpki/issue/3088 and
https://medium.com/quick-code/an-example-of-tls-1-3-client-and-server-on-java-20e9eeb64ddf

Maybe you can hook in another JSSE impl, but it still needs the API to
enable PHA.

Good luck!
How to enable TLS 1.3 post-handshake authentication with HTTP 1.1
Hi,

how do I enable TLS 1.3 post-handshake authentication with HTTP 1.1
when using HttpComponents?

At the moment all my requests are failing if a TLS 1.3 host requires
mutual TLS and the certificate is only required for some methods /
URIs, where httpd will request that certificate via post-handshake
authentication.

I know it is forbidden for HTTP/2, but for HTTP 1.1 it is a valid
extension to be used, e.g. curl had this
https://github.com/curl/curl/issues/3026 issue where that feature was
enabled, so how is it done for HttpComponents?

kind regards

Torsten