hc-dev mailing list archives

From "David (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (HTTPCLIENT-1600) Enable supported TLS protocols
Date Thu, 22 Jan 2015 23:49:34 GMT

[ https://issues.apache.org/jira/browse/HTTPCLIENT-1600?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14288471#comment-14288471 ]

David edited comment on HTTPCLIENT-1600 at 1/22/15 11:48 PM:
-------------------------------------------------------------

Ha! Apparently not. Why disable TLSv1.1 and TLSv1.2 in Java 7? Do we have good reasons?
Oracle's rationale for not enabling TLSv1.1 and TLSv1.2 in Java 7 seems to be:
{quote}
Although SunJSSE in the Java SE 7 release supports TLS 1.1 and TLS 1.2, neither version is
enabled by default for client connections. Some servers do not implement forward compatibility
correctly and refuse to talk to TLS 1.1 or TLS 1.2 clients. For interoperability, SunJSSE
does not enable TLS 1.1 or TLS 1.2 by default for client connections.

Server connections have no such interoperability problem. TLS 1.1 and TLS 1.2 are enabled
by default for server connections.
{quote} source - https://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html


However, there are not many servers that have issues communicating with TLSv1.1 or TLSv1.2
clients around any more, which is why Java 8 enables TLSv1.1 and TLSv1.2. Also, at the same
time, Java >= 7 not using TLSv1.1 or higher in handshaking, as I have said, violates the
TLS specification (unless you use the com.sun.net.ssl.rsaPreMasterSecretFix system property),
which results in servers (tested against OpenSSL) rejecting Java connections when the negotiated
protocol version differs from the original version sent in the client hello.


was (Author: dblack):
Ha! Apparently not. Why disable TLSv1.1 and TLSv1.2 in Java 7? Do we have good reasons?
Oracle's rationale for not enabling TLSv1.1 and TLSv1.2 in Java 7 seems to be:
{quote}
Although SunJSSE in the Java SE 7 release supports TLS 1.1 and TLS 1.2, neither version is
enabled by default for client connections. Some servers do not implement forward compatibility
correctly and refuse to talk to TLS 1.1 or TLS 1.2 clients. For interoperability, SunJSSE
does not enable TLS 1.1 or TLS 1.2 by default for client connections.

Server connections have no such interoperability problem. TLS 1.1 and TLS 1.2 are enabled
by default for server connections.
{quote} source - https://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html


However, there are not many servers that have issues communicating with TLSv1.1 or TLSv1.2
clients, which is why Java 8 enables TLSv1.1 and TLSv1.2. Also, at the same time, Java >=
7 not using TLSv1.1 or higher in handshaking, as I have said, violates the TLS specification
(unless you use the com.sun.net.ssl.rsaPreMasterSecretFix system property), which results in
servers (tested against OpenSSL) rejecting Java connections when the negotiated protocol version
differs from the original version sent in the client hello.

> Enable supported TLS protocols
> ------------------------------
>
>                 Key: HTTPCLIENT-1600
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1600
>             Project: HttpComponents HttpClient
>          Issue Type: Improvement
>          Components: HttpClient
>    Affects Versions: 4.4 Final
>            Reporter: David
>
> https://github.com/apache/httpclient/commit/a3a8def3ab99174468930b99dc897dd488968c41
reverts a change that enabled TLSv1.1 and TLSv1.2 in java 7. If the 'https.protocols' property
has not been set then httpclient should enable all supported TLS protocols. The result of
this change will be that TLSv1.1 and TLSv1.2 will be used in java 7.
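As an added example (not code from this ticket or from HttpClient itself), the following shows how a caller of the HttpClient 4.4 API can get the behaviour the ticket asks for: honour `https.protocols` when it is set, otherwise offer every TLS version the JSSE provider supports. The class and method names are my own; the HttpClient and JSSE calls are the public 4.4 / Java 7 API.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;

// Hypothetical helper, not part of HttpClient.
public final class TlsProtocolSelection {

    // Returns the protocol list to offer in the ClientHello: the value of
    // https.protocols if set, otherwise every TLS version the provider
    // supports. SSLv3 and SSLv2Hello are deliberately left out so that
    // "all supported" does not silently re-enable legacy SSL.
    static String[] selectProtocols(SSLContext ctx) {
        String configured = System.getProperty("https.protocols");
        if (configured != null && !configured.trim().isEmpty()) {
            return configured.trim().split("\\s*,\\s*");
        }
        List<String> tls = new ArrayList<String>();
        for (String p : ctx.getSupportedSSLParameters().getProtocols()) {
            if (p.startsWith("TLSv1")) {   // TLSv1, TLSv1.1, TLSv1.2 on Java 7
                tls.add(p);
            }
        }
        return tls.toArray(new String[tls.size()]);
    }

    // Builds a client whose socket factory uses the selected protocols
    // instead of the JSSE client default (TLSv1 only on Java 7).
    static CloseableHttpClient buildClient() {
        SSLContext ctx = SSLContexts.createDefault();
        SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(
                ctx,
                selectProtocols(ctx),
                null, // keep the provider's default cipher suites
                SSLConnectionSocketFactory.getDefaultHostnameVerifier());
        return HttpClients.custom().setSSLSocketFactory(sslsf).build();
    }

    public static void main(String[] args) {
        SSLContext ctx = SSLContexts.createDefault();
        System.out.println("Offered protocols: "
                + Arrays.toString(selectProtocols(ctx)));
    }
}
```

Running the `main` on Java 7 without `https.protocols` set should list TLSv1, TLSv1.1 and TLSv1.2, which is what the proposed change would make the default.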



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
