hc-dev mailing list archives

From "David (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HTTPCLIENT-1600) Enable supported TLS protocols
Date Thu, 22 Jan 2015 23:48:34 GMT

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1600?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14288471#comment-14288471 ]

David commented on HTTPCLIENT-1600:

Ha! Apparently not. Why disable TLSv1.1 and TLSv1.2 in Java 7? Do we have good reasons?
Oracle's rationale for not enabling TLSv1.1 and TLSv1.2 in Java 7 seems to be:
{quote}
Although SunJSSE in the Java SE 7 release supports TLS 1.1 and TLS 1.2, neither version is
enabled by default for client connections. Some servers do not implement forward compatibility
correctly and refuse to talk to TLS 1.1 or TLS 1.2 clients. For interoperability, SunJSSE
does not enable TLS 1.1 or TLS 1.2 by default for client connections.

Server connections have no such interoperability problem. TLS 1.1 and TLS 1.2 are enabled
by default for server connections.
{quote} source - https://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html

However, there are not many servers that have issues communicating with TLSv1.1 or TLSv1.2
clients, which is why Java 8 enables TLSv1.1 and TLSv1.2. Also, at the same time, Java >=
7 not using TLSv1.1 or higher in handshaking, like I have said, violates the TLS specification
(unless you use the com.sun.net.ssl.rsaPreMasterSecretFix system property), which results in
servers (tested against OpenSSL) rejecting Java connections when the negotiated protocol version
differs from the original version sent in the client hello.

> Enable supported TLS protocols
> ------------------------------
>                 Key: HTTPCLIENT-1600
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1600
>             Project: HttpComponents HttpClient
>          Issue Type: Improvement
>          Components: HttpClient
>    Affects Versions: 4.4 Final
>            Reporter: David
> https://github.com/apache/httpclient/commit/a3a8def3ab99174468930b99dc897dd488968c41
> reverts a change that enabled TLSv1.1 and TLSv1.2 in Java 7. If the 'https.protocols' property
> has not been set then httpclient should enable all supported TLS protocols. The result of
> this change will be that TLSv1.1 and TLSv1.2 will be used in Java 7.
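
The behaviour the issue asks for, sketched with plain JSSE calls as an added example; it is not part of the original message and not HttpClient's own code. The class name, the `selectProtocols` helper and the choice to leave out protocol names that do not start with "TLS" are assumptions of this example.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;

public class EnableTlsProtocols {

    // Hypothetical helper: the https.protocols value if set, otherwise every
    // supported protocol whose name starts with "TLS".
    static String[] selectProtocols(String httpsProtocols, String[] supported) {
        List<String> supportedList = Arrays.asList(supported);
        List<String> selected = new ArrayList<String>();
        if (httpsProtocols != null && !httpsProtocols.trim().isEmpty()) {
            // Explicit configuration wins; names the provider lacks are dropped.
            for (String name : httpsProtocols.split(",")) {
                if (supportedList.contains(name.trim())) {
                    selected.add(name.trim());
                }
            }
        } else {
            // Assumption of this example: SSLv2Hello and SSLv3 are left out.
            for (String name : supported) {
                if (name.startsWith("TLS")) {
                    selected.add(name);
                }
            }
        }
        return selected.toArray(new String[selected.size()]);
    }

    public static void main(String[] args) throws Exception {
        // Unconnected socket: nothing is sent on the network.
        SSLSocket socket = (SSLSocket) SSLContext.getDefault().getSocketFactory().createSocket();
        try {
            System.out.println("JSSE default: " + Arrays.toString(socket.getEnabledProtocols()));
            String[] chosen = selectProtocols(System.getProperty("https.protocols"),
                    socket.getSupportedProtocols());
            if (chosen.length == 0) {
                throw new IllegalStateException("no usable protocol in https.protocols");
            }
            socket.setEnabledProtocols(chosen);
            System.out.println("after override: " + Arrays.toString(socket.getEnabledProtocols()));
        } finally {
            socket.close();
        }
    }
}
```

Comparing the two printed lines on a given JRE shows whether its client defaults already include TLSv1.1 and TLSv1.2 or whether the override is what enables them.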
