How to enforce TLS1.2 to Rest client using Rest Template

Question

I am consuming json webservice using Spring3.0 restTemplate by calling post method.

        MultiValueMap<String, String> headers = new LinkedMultiValueMap<String, String>();
        headers.add("Content-Type", MediaType.APPLICATION_JSON_VALUE);      
        HttpEntity<Object> entity = new HttpEntity<Object>(requestAsString, headers);
        postForObject = restTemplate.postForObject(url, entity, responseClass );

Our application is deployed in WAS server and trying to connect producer by creating socket connection with TLS1.0. However, now producer only supports TLS1.1 and TLS1.2.

How to enforce restTempate to use TLS1.1 or TLS 1.2.

Normally for apache httpclient code , create custom ProtocolSocketFactory and override createSocket method. However , in case of RestTemplate , how to achieve same.

Answer 1

With Spring > 3.1:

import javax.net.ssl.SSLContext;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.web.client.RestTemplate;

SSLContext context = SSLContext.getInstance("TLSv1.2");
context.init(null, null, null);

CloseableHttpClient httpClient = HttpClientBuilder.create().setSSLContext(context)
    .build();
HttpComponentsClientHttpRequestFactory factory = new HttpComponentsClientHttpRequestFactory(httpClient);
RestTemplate restTemplate = new RestTemplate(factory);
.....

Answer 2

You can configure your RestTemplate to use a custom ClientHttpRequestFactory. In particular (since you're using Spring 3.0), there is a CommonsClientHttpRequestFactory. That will enable you to configure commons HTTP in detail, and your RestTemplate will use that for executing its requests.

Please note that the actual implementation classes have changed in later versions of Spring (and if you're still on 3.0 you really should consider updating). From 3.1 on the implementation class is called HttpComponentsClientHttpRequestFactory.

Answer 3

@abhishekhp If your question is still up.

    RestTemplate restTemplate = new RestTemplate();
    DefaultHttpClient httpClient = new DefaultHttpClient();
    // We're going to try and load and enable TLS version 1.2 standard communication context from JSSE Providers
    // This is enabled only for download media Mirakl as some merchants don't accept communication with TLS versions prior to 1.1
    try {
        SSLContext context;
        context = SSLContext.getInstance("TLSv1.2");
        context.init(null, null, null);

        SSLSocketFactory ssf = new SSLSocketFactory(context);
        ClientConnectionManager ccm = httpClient.getConnectionManager();
        SchemeRegistry sr = ccm.getSchemeRegistry();
        sr.register(new Scheme("http", 80, PlainSocketFactory.getSocketFactory()));
        sr.register(new Scheme("https", 443, ssf));

    } catch (NoSuchAlgorithmException | KeyManagementException e) {
        LOGGER.warn("Could not load the TLS version 1.2 due to => ", e);
    }

    restTemplate.setRequestFactory(new HttpComponentsClientHttpRequestFactory(httpClient));