From: "Michael Braun (JIRA)"
To: dev@hc.apache.org
Date: Fri, 9 Jan 2015 19:06:34 +0000 (UTC)
Subject: [jira] [Commented] (HTTPCLIENT-1595) SSLConnectionSocketFactory not respecting enabled protocols

[ https://issues.apache.org/jira/browse/HTTPCLIENT-1595?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14271720#comment-14271720 ]

Michael Braun commented on HTTPCLIENT-1595:
-------------------------------------------

Oleg - So I would agree, but this is a behavior change in that it is no longer taking the JVM's default enabled protocols into account. To show this:

With Java 7, TLSv1.1 and TLSv1.2 are disabled by default. If you run with HTTPClient 4.3.4 and Java 7 and don't set any system settings at all, SSLv3 and TLSv1 are the protocols supported - TLSv1.1 and TLSv1.2 are never part of the handshake.

With 4.3.6, TLS1.1 and 1.2 are added back in even though they are not enabled by default by Java 7. This is why I believe it should be using .getEnabledProtocols rather than .getSupportedProtocols - it should respect what is disabled.

Thanks!

> SSLConnectionSocketFactory not respecting enabled protocols
> -----------------------------------------------------------
>
>                 Key: HTTPCLIENT-1595
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1595
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient
>    Affects Versions: 4.3.6
>            Reporter: Michael Braun
>              Labels: easyfix, security
>
> In createLayeredSocket -
> If supportedProtocols is null, the list of protocols (minus those that start with SSL) are loaded.
> However, the protocols should be from sslsock.getEnabledProtocols(); rather than sslsock.getSupportedProtocols() to reflect settings on the JVM.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
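To make the difference concrete, the following is an added example written for this thread; it is not code from HttpClient or from the reporter. It applies the same "drop anything starting with SSL" filter described in the issue once to getSupportedProtocols() and once to getEnabledProtocols() on a plain JSSE SSLSocket, and lists which protocols the first variant would switch on even though the JVM had them disabled. The Java 7 protocol snapshot is constructed from the comment above, and the class and method names (EnabledVsSupportedProtocols, dropSslProtocols, reenabled, report) are this example's own.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Added example (not HttpClient code): shows why deriving the protocol list
 * from getSupportedProtocols() re-enables protocols the JVM had disabled,
 * while deriving it from getEnabledProtocols() respects the JVM defaults.
 */
public class EnabledVsSupportedProtocols {

    /** The filter the issue describes: keep every protocol whose name does not start with "SSL". */
    static String[] dropSslProtocols(String[] protocols) {
        List<String> keep = new ArrayList<String>();
        for (String p : protocols) {
            if (!p.startsWith("SSL")) {
                keep.add(p);
            }
        }
        return keep.toArray(new String[keep.size()]);
    }

    /** Protocols in 'chosen' that the JVM had NOT enabled: these would be silently switched on. */
    static List<String> reenabled(String[] chosen, String[] enabledByJvm) {
        Set<String> enabled = new LinkedHashSet<String>(Arrays.asList(enabledByJvm));
        List<String> extra = new ArrayList<String>();
        for (String p : chosen) {
            if (!enabled.contains(p)) {
                extra.add(p);
            }
        }
        return extra;
    }

    static void report(String label, String[] supported, String[] enabled) {
        String[] fromSupported = dropSslProtocols(supported); // the 4.3.6 behaviour the issue reports
        String[] fromEnabled = dropSslProtocols(enabled);     // what the reporter proposes instead
        System.out.println(label);
        System.out.println("  supported by JSSE : " + Arrays.toString(supported));
        System.out.println("  enabled by JVM    : " + Arrays.toString(enabled));
        System.out.println("  from supported    : " + Arrays.toString(fromSupported)
                + "  re-enabled: " + reenabled(fromSupported, enabled));
        System.out.println("  from enabled      : " + Arrays.toString(fromEnabled)
                + "  re-enabled: " + reenabled(fromEnabled, enabled));
    }

    public static void main(String[] args) throws Exception {
        // Constructed snapshot of a Java 7 default client socket, as described in the comment:
        // TLSv1.1 and TLSv1.2 are supported but not enabled.
        String[] java7Supported = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"};
        String[] java7Enabled = {"SSLv3", "TLSv1"};
        report("Constructed Java 7 defaults", java7Supported, java7Enabled);

        // Live values from whatever JVM runs this, read from an unconnected SSLSocket.
        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
        SSLSocket sock = (SSLSocket) factory.createSocket();
        try {
            report("This JVM", sock.getSupportedProtocols(), sock.getEnabledProtocols());
            // The proposed fix: start from the JVM's enabled list, then drop SSL*.
            sock.setEnabledProtocols(dropSslProtocols(sock.getEnabledProtocols()));
            System.out.println("  now enabled       : " + Arrays.toString(sock.getEnabledProtocols()));
        } finally {
            sock.close();
        }
    }
}
```

On the constructed Java 7 snapshot the "from supported" line comes out as [TLSv1, TLSv1.1, TLSv1.2] with TLSv1.1 and TLSv1.2 flagged as re-enabled, while the "from enabled" line comes out as [TLSv1] with nothing re-enabled, which is the behaviour difference the comment describes. The live section reports whatever the running JVM's jdk.tls settings allow, so it also serves as a quick check of what a given deployment will actually negotiate.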