hc-dev mailing list archives

From "Mohammed Aijaz Yousuf (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HTTPCLIENT-1692) Apache HttpClient overrides the protocols supplied by JVM and instead defaults it to TLSv1.0
Date Fri, 06 Nov 2015 03:30:27 GMT

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1692?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14993017#comment-14993017
] 

Mohammed Aijaz Yousuf commented on HTTPCLIENT-1692:
---------------------------------------------------

We are using an SDK which uses HttpClient to make external connections. I have attached the
Litle SDK here along with a standalone class. Please import the SDK to your workspace and
execute this standalone class. You will see the webservice calls failing as the server system
requires the connection to happen using TLS1.1 or above. Even if you set a system property
to set TLS1.1/1.2 in the class, webservice connection happens using TLS1.0, so I am thinking
that HttpClient is overriding the protocol set by System property. But when you create an SSLContextFactory
and explicitly set TLS1.2 like below while creating HTTPClient instance, then calls succeed
and connection is made through TLS1.2.

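// Requires: java.security.GeneralSecurityException, javax.net.ssl.SSLContext,
// org.apache.http.conn.scheme.Scheme, org.apache.http.conn.ssl.SSLSocketFactory,
// org.apache.http.impl.client.DefaultHttpClient
DefaultHttpClient temp = new DefaultHttpClient();
try {
    // getBestProtocol(...) is a helper that is not shown in this message
    if (getBestProtocol(SSLContext.getDefault().getDefaultSSLParameters().getProtocols()) == null) {
        String protocol = "TLSv1.2";
        if (protocol == null) {
            throw new IllegalStateException("No supported TLS protocols available");
        }
        // Build a context for the chosen protocol and register it for the https scheme
        SSLContext ctx = SSLContext.getInstance(protocol);
        ctx.init(null, null, null);
        temp.getConnectionManager().getSchemeRegistry().register(new Scheme("https", 443, new SSLSocketFactory(ctx)));
    }
    this.httpclient = temp;
} catch (GeneralSecurityException e) {
    // SSLContext.getDefault(), getInstance() and init() throw checked security exceptions
    throw new IllegalStateException("Unable to initialise TLS context", e);
}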


> Apache HttpClient overrides the protocols supplied by JVM and instead defaults it to TLSv1.0
> --------------------------------------------------------------------------------------------
>
>                 Key: HTTPCLIENT-1692
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1692
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient
>    Affects Versions: 4.5
>         Environment: Windows and Linux
>            Reporter: Mohammed Aijaz Yousuf
>         Attachments: litle-sdk-for-java-9.3.1.zip
>
>
> Issue: We have an SDK provided by our Payment gateway and we use this SDK to invoke the Payment webservices. This SDK uses Apache HttpClient/Post methods to make webservice calls and Payment gateway requires the communication to go through TLS1.2 handshake. We invoke these payment services using 2 ways:
> 1. Using IBM WebSphere Application server.
> 2. Using IBM Agent Server (Batch job which runs on a JVM process and uses Queue to process and listen to messages)
> a. For IBM WebSphere, we were able to make the TLS1.2 protocol work by changing the "Quality Of Protection" SSL settings but we cannot make it work on IBM Agent server.
> b. We tried passing the protocols explicitly by giving "https.protocols=TLSv1.2" as system arguments when starting the server but it seems the Apache HttpClient is overriding the protocol and setting it to JVM default protocol which is TLSv1.0. Due to this default protocol, all our communications with Payment gateway are failing. We are using apache-httpcomponents-httpclient.jar.
> c. We tried using the httpClient4.5.x but even then the same behavior is seen. Another issue we faced when we use higher versions of httpclient was whenever we try deploying the Httpclient 4.5.x.jar on WebSphere, WebSphere is throwing Class conflict error as IBM WebSphere has a com.ibm.ws.prereq.jaxrs.jar plugin which internally supports only apache 4.1.x. We tried changing the WebSphere class loader policy to read the Parent class last but it starts affecting other functionalities.
> d. We would basically need to know how we can enforce the httpclient to accept the JVM protocols set in system property "https.protocols=TLSv1.2" instead of overriding the protocol to TLSv1.0.
> e. We are using IBM JDK 1.6 SR5 and IBM WebSphere 8.5.5
> Secondly we are not using JSSE socketfactory but are using WebSphere SSL socket factory with com.ibm.ws.security.crypto.jar:
> # WebSphere socket factories (in cryptosf.jar)
> ssl.SocketFactory.provider=com.ibm.websphere.ssl.protocol.SSLSocketFactory
> ssl.ServerSocketFactory.provider=com.ibm.websphere.ssl.protocol.SSLServerSocketFactory
> f. It's an Open source SDK provided by Vantiv and it can be used by anyone at https://github.com/LitleCo/litle-sdk-for-java
> Below is the URL:
> https://www.testlitle.com/sandbox/communicator/online



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
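
An added example, not part of the original message and not HttpClient or Litle SDK code: a JSSE-only check of what a self-created TLS socket enables before and after the caller applies `https.protocols` itself. It assumes Oracle/OpenJDK JSSE behaviour, where that property is consumed by `HttpsURLConnection` rather than by `SSLContext`; the class name `TlsProtocolCheck` and the helper `protocolsToEnable` are hypothetical.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;

/** Added example: apply https.protocols to a socket the caller creates itself. */
public class TlsProtocolCheck {

    /** Keeps requested protocols the JVM supports, dropping anything below TLSv1.1. */
    static String[] protocolsToEnable(String requested, String[] supported) {
        List<String> supportedList = Arrays.asList(supported);
        List<String> result = new ArrayList<String>();
        if (requested != null) {
            for (String p : requested.split(",")) {
                String name = p.trim();
                boolean tooOld = name.startsWith("SSL") || name.equals("TLSv1") || name.equals("TLSv1.0");
                if (!name.isEmpty() && !tooOld && supportedList.contains(name)) {
                    result.add(name);
                }
            }
        }
        if (result.isEmpty()) {
            // Fail closed instead of silently falling back to the JVM defaults
            throw new IllegalStateException("No usable TLS protocol in: " + requested);
        }
        return result.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample value; normally passed as -Dhttps.protocols=TLSv1.2
        System.setProperty("https.protocols", "TLSv1.2");

        SSLContext ctx = SSLContext.getDefault();
        // Unconnected socket: no network traffic, only the configuration is inspected
        SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket();
        try {
            System.out.println("supported : " + Arrays.toString(socket.getSupportedProtocols()));
            System.out.println("before    : " + Arrays.toString(socket.getEnabledProtocols()));

            // The explicit step: the code that owns the socket applies the property
            socket.setEnabledProtocols(protocolsToEnable(
                    System.getProperty("https.protocols"), socket.getSupportedProtocols()));
            System.out.println("after     : " + Arrays.toString(socket.getEnabledProtocols()));
        } finally {
            socket.close();
        }
    }
}
```

Comparing the "before" and "after" lines on the affected JVM shows whether the default socket configuration already matches the property or whether the client code has to set the protocols explicitly.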
