How to change client TLS preferences in Java?

Tags:

I'm trying to make a POST request to an endpoint in Java, and when I try to send the request, I get the following error:

Caused by: javax.net.ssl.SSLHandshakeException: The server selected protocol version TLS10 is not accepted by client preferences [TLS13, TLS12]

This is what I have so far

Map<Object, Object> data = new HashMap<>();
data.put("username","foo");
data.put("password","bar");

String url = "https://google.com";

HttpRequest request = HttpRequest.newBuilder()
     .POST(buildFormDataFromMap(data))
     .uri(URI.create(url))
     .build();

try{
     HttpResponse<String> response =  httpClient.send(request, 
          HttpResponse.BodyHandlers.ofString());
     System.out.println(response.statusCode());
     System.out.println(response.body());
} catch (Exception e){
     e.printStackTrace();
}

Then when I run the code, the error gets thrown when sending the request/making the response object. My question is, if the TLS preferences are different for the server than the client, how can I change the preferences within Java so it can still make the request?

423

asked Nov 05 '19 19:11

jpthesolver2

1 Answers

To solve this problem in jdk 11, I had to create an javax.net.ssl.SSLParameters object to enable "TLSv1", etc:

SSLParameters sslParameters = new SSLParameters();
        sslParameters.setProtocols(new String[]{"TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"});

Then create the HttpClient and add the sslParamters object:

HttpClient httpClient = HttpClient.newBuilder()
            .sslParameters(sslParameters)
            .build();

If you also want to disable hostname verification, add following code BEFORE HttpClient initialization;

final Properties props = System.getProperties(); 
props.setProperty("jdk.internal.httpclient.disableHostnameVerification", Boolean.TRUE.toString());

Also you can add a new TrustManager to trust all certificates (self signed). To do so, add following code into your Class:

    TrustManager[] trustAllCerts = new TrustManager[] { 
        new X509TrustManager() {     
            public java.security.cert.X509Certificate[] getAcceptedIssuers() { 
                return new X509Certificate[0];
            } 
            public void checkClientTrusted( 
                java.security.cert.X509Certificate[] certs, String authType) {
                } 
            public void checkServerTrusted( 
                java.security.cert.X509Certificate[] certs, String authType) {
            }
        } 
    };

After this, you have to create an SSLContext object and add the TrustManger object:

SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, trustAllCerts, new java.security.SecureRandom());

And finally alter the HttpClient initialization like this:

httpClient = HttpClient.newBuilder()
            .sslContext(sslContext)
            .sslParameters(sslParameters)
            .build()

Here is a complete Class example:

import java.net.http.HttpClient;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
import java.util.Properties;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class HttpSSLClient {

    private SSLContext sslContext;
    private SSLParameters sslParameters;
    private HttpClient httpClient;

    public HttpSSLClient() throws KeyManagementException, NoSuchAlgorithmException {

        sslParameters = new SSLParameters();
        sslParameters.setProtocols(new String[]{"TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"});

        sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, trustAllCerts, new java.security.SecureRandom());

        final Properties props = System.getProperties(); 
        props.setProperty("jdk.internal.httpclient.disableHostnameVerification", Boolean.TRUE.toString());

        httpClient = HttpClient.newBuilder()
                .sslContext(sslContext)
                .sslParameters(sslParameters)
                .build();
    }

    public HttpClient getHttplClient() {
        return httpClient;
    }

    TrustManager[] trustAllCerts = new TrustManager[] { 
            new X509TrustManager() {     
                public java.security.cert.X509Certificate[] getAcceptedIssuers() { 
                    return new X509Certificate[0];
                } 
                public void checkClientTrusted( 
                    java.security.cert.X509Certificate[] certs, String authType) {
                    } 
                public void checkServerTrusted( 
                    java.security.cert.X509Certificate[] certs, String authType) {
                }
            } 
        }; 
}

You can use the getHttplClient() function while calling your HttpRequest.

answered Sep 20 '22 08:09

Java ist auch eine Insel

Related questions
                            
                                How to verify the TLS version used in javax.mail.*;
                            
                                Could not create SSL/TLS secure channel only on Windows Server 2012
                            
                                Java 11 SSLHandshakeException with TLS 1.3: How do I revert to TLS 1.2?
                            
                                Upload TLS client certificate to Firebase cloud functions
                            
                                TLS certificate is being provisioned. This may take up to 15 minutes to complete
                            
                                How to get metadata using Svcutil.exe with an endpoint that has Tls 1.2
                            
                                Is there a way to enable TLS 1.2 in Picasso library on older devices?
                            
                                Unity TlsException: Handshake failed UNITYTLS_X509VERIFY_FLAG_NOT_TRUSTED
                            
                                how to enable TLS 1.3 in windows 10
                            
                                node.js mqtt client using TLS
                            
                                Cannot set app to use system default TLS version by adding appcontext settings in web.config
                            
                                Force by config to use tls 1.0 in a wcf client c#
                            
                                NodeJS v12 re-enable TLS 1.1, and 1.0
                            
                                TLS 1.1, 1.2 in WebView for android <= 4.3
                            
                                Google App Engine Node.js TLS 1.2
                            
                                Left with 0 client certificates to choose from when accessing SSRS management.

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!

Donate Us With

How to change client TLS preferences in Java?

Tags:

sslhandshakeexception

tls1.2

tls1.0

jpthesolver2

People also ask

1 Answers

Java ist auch eine Insel

Recent Activity

Donate For Us