Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to set TLS version on apache HttpClient

How can I change the supported TLS versions on my HttpClient?

I'm doing:

SSLContext sslContext = SSLContext.getInstance("TLSv1.1");
sslContext.init(
    keymanagers.toArray(new KeyManager[keymanagers.size()]),
    null,
    null);

SSLSocketFactory socketFactory = new SSLSocketFactory(sslContext, new String[]{"TLSv1.1"}, null, null);
Scheme scheme = new Scheme("https", 443, socketFactory);
SchemeRegistry schemeRegistry = new SchemeRegistry();
schemeRegistry.register(scheme);
BasicClientConnectionManager cm = new BasicClientConnectionManager(schemeRegistry);
httpClient = new DefaultHttpClient(cm);

But when I check the created socket, it still says the supported protocols are TLSv1.0, TLSv1.1 and TLSv1.2.

In reality I just want it to stop using TLSv1.2, for this specific HttpClient.

like image 605
Oliveira Avatar asked Feb 08 '15 07:02

Oliveira


People also ask

How do I enable TLS 1.2 on Apache web server?

To enable TLS 1.2 in Apache, you will need to change/add the SSLProtocol directive. To do any of this, mod_ssl should be enabled, if not, use the command sudo a2enmod ssl . You can also support TLSv1. 3 if you have OpenSSL 1.1.


3 Answers

The solution is:

SSLContext sslContext = SSLContexts.custom()     .useTLS()     .build();  SSLConnectionSocketFactory f = new SSLConnectionSocketFactory(     sslContext,     new String[]{"TLSv1", "TLSv1.1"},        null,     BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);  httpClient = HttpClients.custom()     .setSSLSocketFactory(f)     .build(); 

This requires org.apache.httpcomponents.httpclient 4.3.x though.

like image 97
Oliveira Avatar answered Oct 09 '22 02:10

Oliveira


This is how I got it working on httpClient 4.5 (as per Olive Tree request):

CredentialsProvider credsProvider = new BasicCredentialsProvider(); credsProvider.setCredentials(         new AuthScope(AuthScope.ANY_HOST, 443),         new UsernamePasswordCredentials(this.user, this.password));  SSLContext sslContext = SSLContexts.createDefault();  SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(sslContext,         new String[]{"TLSv1", "TLSv1.1"},         null,         new NoopHostnameVerifier());  CloseableHttpClient httpclient = HttpClients.custom()         .setDefaultCredentialsProvider(credsProvider)         .setSSLSocketFactory(sslsf)         .build();  return httpclient; 
like image 29
douglaslps Avatar answered Oct 09 '22 03:10

douglaslps


HttpClient-4.5,Use TLSv1.2 ,You must code like this:

 //Set the https use TLSv1.2
private static Registry<ConnectionSocketFactory> getRegistry() throws KeyManagementException, NoSuchAlgorithmException {
    SSLContext sslContext = SSLContexts.custom().build();
    SSLConnectionSocketFactory sslConnectionSocketFactory = new SSLConnectionSocketFactory(sslContext,
            new String[]{"TLSv1.2"}, null, SSLConnectionSocketFactory.getDefaultHostnameVerifier());
    return RegistryBuilder.<ConnectionSocketFactory>create()
            .register("http", PlainConnectionSocketFactory.getSocketFactory())
            .register("https", sslConnectionSocketFactory)
            .build();
}

public static void main(String... args) {
    try {
        //Set the https use TLSv1.2
        PoolingHttpClientConnectionManager clientConnectionManager = new PoolingHttpClientConnectionManager(getRegistry());
        clientConnectionManager.setMaxTotal(100);
        clientConnectionManager.setDefaultMaxPerRoute(20);
        HttpClient client = HttpClients.custom().setConnectionManager(clientConnectionManager).build();
        //Then you can do : client.execute(HttpGet or HttpPost);
    } catch (KeyManagementException | NoSuchAlgorithmException e) {
        e.printStackTrace();
    }
}
like image 26
sfxm Avatar answered Oct 09 '22 04:10

sfxm