How to enable SSLv3 with Apache HttpClient?

SSLv3 is disabled in Apache HttpClient since version 4.3.6, but I'm using version 4.5. The developers wrote:

Those users who wish to continue using SSLv3 need to explicitly enable support for it.

I tried to set the supported protocols on the JVM level, but it didn't work. The example is in Scala, but that is not relevant for the problem:

System.setProperty("https.protocols", "SSLv2Hello,SSLv3,TLSv1,TLSv1.1,TLSv1.2")

My second try was this:

// Imports added for completeness (HttpClient 4.5 / HttpCore 4.4 package names)
import java.security.cert.X509Certificate
import org.apache.http.config.RegistryBuilder
import org.apache.http.conn.ConnectionSocketFactory
import org.apache.http.conn.socket.PlainConnectionSocketFactory
import org.apache.http.conn.ssl.{NoopHostnameVerifier, SSLConnectionSocketFactory}
import org.apache.http.impl.client.{CloseableHttpClient, HttpClients}
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager
import org.apache.http.ssl.{SSLContextBuilder, TrustStrategy}

val instance: CloseableHttpClient = {
  // Trust strategy that accepts every certificate (as posted in the question)
  val trustStrategy = new TrustStrategy {
    override def isTrusted(x509Certificates: Array[X509Certificate], s: String) = true
  }
  val sslContext = new SSLContextBuilder().loadTrustMaterial(null, trustStrategy).build()
  // Note: this constructor passes no explicit protocol list, so the socket factory keeps the JVM defaults
  val sslSocketFactory = new SSLConnectionSocketFactory(sslContext, NoopHostnameVerifier.INSTANCE)
  val socketFactoryRegistry =
    RegistryBuilder.create[ConnectionSocketFactory]()
        .register("http", PlainConnectionSocketFactory.getSocketFactory)
        .register("https", sslSocketFactory)
        .build()
  val connectionManager = new PoolingHttpClientConnectionManager(socketFactoryRegistry)
  HttpClients.custom()
      .disableRedirectHandling()
      .setSSLContext(sslContext)
      .setConnectionManager(connectionManager)
      .build()
}

But it didn't work either.

How can I connect to hosts supporting SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2 with Apache HttpClient 4.5?

deamon Avatar asked Jul 24 '15 10:07


1 Answer

HttpClient does not take system properties into account by default. One either needs to instruct the HttpClient builder to do so

CloseableHttpClient client = HttpClients.createSystem();

or manually configure the connection socket factory with custom protocol settings

// Imports added for completeness (HttpClient 4.5 / HttpCore 4.4)
import javax.net.ssl.SSLContext;
import org.apache.http.config.Registry;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.conn.ConnectionSocketFactory;
import org.apache.http.conn.socket.PlainConnectionSocketFactory;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;

// Second argument is the explicit list of protocols enabled on every TLS socket;
// third argument (null) keeps the default cipher suites. SSLContext.getDefault()
// throws NoSuchAlgorithmException, so the enclosing method must declare or catch it.
SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(
        SSLContext.getDefault(),
        new String[] { "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2" },
        null,
        SSLConnectionSocketFactory.getDefaultHostnameVerifier());
Registry<ConnectionSocketFactory> socketFactoryRegistry = RegistryBuilder.<ConnectionSocketFactory>create()
        .register("http", PlainConnectionSocketFactory.getSocketFactory())
        .register("https", socketFactory)
        .build();

PoolingHttpClientConnectionManager cm = new PoolingHttpClientConnectionManager(socketFactoryRegistry);
CloseableHttpClient client = HttpClients.custom().setConnectionManager(cm).build();

EDIT

This code snippet works just fine with the site mentioned in a comment

// Imports added for completeness (HttpClient 4.5 / HttpCore 4.4)
import javax.net.ssl.SSLContext;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.config.Registry;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.conn.ConnectionSocketFactory;
import org.apache.http.conn.socket.PlainConnectionSocketFactory;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
import org.apache.http.util.EntityUtils;

// Only TLSv1 is enabled on the socket here; the enclosing method must handle
// NoSuchAlgorithmException (from SSLContext.getDefault()) and IOException (from execute()).
SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(
        SSLContext.getDefault(),
        new String[] { "TLSv1" },
        null,
        SSLConnectionSocketFactory.getDefaultHostnameVerifier());
Registry<ConnectionSocketFactory> socketFactoryRegistry = RegistryBuilder.<ConnectionSocketFactory>create()
        .register("http", PlainConnectionSocketFactory.getSocketFactory())
        .register("https", socketFactory)
        .build();

PoolingHttpClientConnectionManager cm = new PoolingHttpClientConnectionManager(socketFactoryRegistry);
CloseableHttpClient client = HttpClients.custom().setConnectionManager(cm).build();
try (CloseableHttpResponse response = client.execute(new HttpGet("https://www.ethz.ch/de.html"))) {
    System.out.println(response.getStatusLine());
    System.out.println(EntityUtils.toString(response.getEntity()));
}
ok2c Avatar answered Sep 20 '22 05:09
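The answer shows how to hand HttpClient 4.5 an explicit protocol list, but it gives no way to confirm what the server actually negotiated, which is the check a practitioner wants when debugging a handshake failure or when deliberately limiting a client to modern TLS. The following is an added example, not code from the question, the answer or the HttpClient project: it wraps the same SSLConnectionSocketFactory constructor in a helper, registers a response interceptor that reads the SSLSession of the connection that served the response, and stores the negotiated protocol name in the request context. The class name `ExplicitProtocolClient`, the attribute key `example.negotiated.protocol` and the URL `https://example.invalid/` are my own placeholders.

```java
import java.io.IOException;
import java.security.NoSuchAlgorithmException;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;

import org.apache.http.HttpException;
import org.apache.http.HttpResponse;
import org.apache.http.HttpResponseInterceptor;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.protocol.HttpClientContext;
import org.apache.http.config.Registry;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.conn.ConnectionSocketFactory;
import org.apache.http.conn.ManagedHttpClientConnection;
import org.apache.http.conn.socket.PlainConnectionSocketFactory;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
import org.apache.http.protocol.HttpContext;
import org.apache.http.util.EntityUtils;

/**
 * Hypothetical helper (not part of HttpClient): builds a client whose TLS
 * protocol list is set explicitly and records the protocol the server
 * actually negotiated, so a misconfiguration is visible rather than silent.
 */
public class ExplicitProtocolClient {

    /** Context attribute (placeholder name) holding the negotiated protocol. */
    public static final String NEGOTIATED_PROTOCOL = "example.negotiated.protocol";

    public static CloseableHttpClient build(String[] protocols) throws NoSuchAlgorithmException {
        SSLConnectionSocketFactory sslFactory = new SSLConnectionSocketFactory(
                SSLContext.getDefault(),
                protocols,   // exact list enabled on every TLS socket the factory creates
                null,        // keep the JVM's default cipher suites
                SSLConnectionSocketFactory.getDefaultHostnameVerifier());

        Registry<ConnectionSocketFactory> registry = RegistryBuilder.<ConnectionSocketFactory>create()
                .register("http", PlainConnectionSocketFactory.getSocketFactory())
                .register("https", sslFactory)
                .build();

        // Response interceptors run while the connection is still bound to the
        // context, so the SSLSession of the socket that served the response is reachable.
        HttpResponseInterceptor recordProtocol = new HttpResponseInterceptor() {
            @Override
            public void process(HttpResponse response, HttpContext context)
                    throws HttpException, IOException {
                ManagedHttpClientConnection conn =
                        HttpClientContext.adapt(context).getConnection(ManagedHttpClientConnection.class);
                SSLSession session = conn != null ? conn.getSSLSession() : null;
                context.setAttribute(NEGOTIATED_PROTOCOL,
                        session != null ? session.getProtocol() : "plaintext");
            }
        };

        return HttpClients.custom()
                .setConnectionManager(new PoolingHttpClientConnectionManager(registry))
                .addInterceptorFirst(recordProtocol)
                .build();
    }

    public static void main(String[] args) throws Exception {
        // Offer only TLSv1.2: a server that cannot speak it fails the handshake
        // instead of the client being talked down to an older protocol.
        String[] protocols = { "TLSv1.2" };
        HttpClientContext context = HttpClientContext.create();
        try (CloseableHttpClient client = build(protocols);
             CloseableHttpResponse response =
                     client.execute(new HttpGet("https://example.invalid/"), context)) {  // placeholder URL
            System.out.println(response.getStatusLine());
            System.out.println("negotiated: " + context.getAttribute(NEGOTIATED_PROTOCOL));
            EntityUtils.consume(response.getEntity());
        }
    }
}
```

Two points worth knowing when using this: the protocol array is only what HttpClient asks the socket to enable; the JDK's `jdk.tls.disabledAlgorithms` security property in `java.security` still decides what JSSE will actually negotiate, so a protocol disabled there (SSLv3 is, from Java 8u31 onward) does not come back just by listing it in the constructor. And the interceptor reports `plaintext` for `http://` URLs, because a plain connection has no SSLSession, which makes an accidental downgrade from `https` to `http` visible in the same place.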