hc-dev mailing list archives

From "Michael Braun (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HTTPCLIENT-1595) SSLConnectionSocketFactory not respecting enabled protocols
Date Fri, 09 Jan 2015 19:06:34 GMT

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1595?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14271720#comment-14271720 ]

Michael Braun commented on HTTPCLIENT-1595:
-------------------------------------------

Oleg -

So I would agree but this is a behavior change in that it is no longer taking the JVM's default
enabled protocols into account. To show this:

With Java 7, TLSv1.1 and TLSv1.2 are disabled by default. If you run with HTTPClient 4.3.4
and Java 7 and don't set any system settings at all, SSLv3 and TLSv1 are the protocols supported
- TLSv1.1 and TLSv1.2 are never part of the handshake. With 4.3.6, TLS1.1 and 1.2 are added
back in even though they are not enabled by default by Java 7. This is why I believe it should
be using .getEnabledProtocols rather than .getSupportedProtocols - it should respect what
is disabled.

Thanks!

> SSLConnectionSocketFactory not respecting enabled protocols
> -----------------------------------------------------------
>
>                 Key: HTTPCLIENT-1595
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1595
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient
>    Affects Versions: 4.3.6
>            Reporter: Michael Braun
>              Labels: easyfix, security
>
> In createLayeredSocket -
> If supportedProtocols is null, the list of protocols (minus those that start with SSL) are loaded.
> However, the protocols should be from sslsock.getEnabledProtocols(); rather than sslsock.getSupportedProtocols() to reflect settings on the JVM.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org
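
The difference discussed in the comment above, as an added Java example (not HttpClient's code and not the reporter's; the class and method names are hypothetical). It builds the protocol list both ways on an unconnected `SSLSocket` and prints which protocols a supported-based list would switch back on for the running JVM.

```java
import java.io.IOException;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;

// Added illustration; names are hypothetical, this is not HttpClient source.
public class ProtocolSelectionDemo {
    // Drop every protocol whose name starts with "SSL" (e.g. SSLv3, SSLv2Hello).
    static List<String> withoutSsl(String[] protocols) {
        List<String> kept = new ArrayList<>();
        for (String p : protocols) {
            if (!p.startsWith("SSL")) {
                kept.add(p);
            }
        }
        return kept;
    }

    // Behaviour described in the issue: start from everything the provider implements.
    static List<String> fromSupported(SSLSocket s) {
        return withoutSsl(s.getSupportedProtocols());
    }

    // Behaviour the reporter asks for: start from what the JVM currently has enabled.
    static List<String> fromEnabled(SSLSocket s) {
        return withoutSsl(s.getEnabledProtocols());
    }

    public static void main(String[] args) throws IOException, NoSuchAlgorithmException {
        // Unconnected socket: nothing is sent, only the JVM's TLS configuration is read.
        try (SSLSocket sock = (SSLSocket) SSLContext.getDefault().getSocketFactory().createSocket()) {
            List<String> supported = fromSupported(sock);
            List<String> enabled = fromEnabled(sock);
            // Protocols the JVM left disabled that the supported-based list turns back on.
            List<String> reEnabled = new ArrayList<>(supported);
            reEnabled.removeAll(enabled);
            System.out.println("from getSupportedProtocols: " + supported);
            System.out.println("from getEnabledProtocols:   " + enabled);
            System.out.println("re-enabled by the former:   " + reEnabled);
            // Applying the enabled-based list keeps JVM-disabled protocols off.
            if (!enabled.isEmpty()) {
                sock.setEnabledProtocols(enabled.toArray(new String[0]));
            }
        }
    }
}
```

The printed lists depend on the JVM version and its security settings, so run it on the same runtime and with the same system properties as the application being checked.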

