hc-httpclient-users mailing list archives

From e...@zusammenkunft.net
Subject Re: Having Trouble Getting HttpClient Working with TLSv1.2
Date Fri, 22 Apr 2016 21:48:59 GMT
Sounds like the service does not like TLS12, did you try using a browser or openssl to verify
what protocol it accepts? Or just send a full list of protocols for a test.

Regards
Bernd
-- 
http://bernd.eckenfels.net

-----Original Message-----
From: Dave Westerman <dlwester@us.ibm.com>
To: httpclient-users@hc.apache.org
Sent: Fr., 22 Apr. 2016 22:04
Subject: Having Trouble Getting HttpClient Working with TLSv1.2

We are using ApacheHttpClient to connect to an external REST service. We've been using version
4.3.5, but we also tried it with 4.5.2, and the results have been the same. The backend service
changed to force the use of TLSv1.2, which causes our code to fail because of the protocol
version. So we tried to make changes to use that, but no matter what we try, we're still getting
the error. Here is our latest iteration of the code:  
  
    SSLContext sslContext = SSLContexts.custom().useProtocol("TLSv1.2").build();
    SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(sslContext,
        new String[] { "TLSv1.2" },
        new String[] { "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" },
        SSLConnectionSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
    HttpClientBuilder httpClientBuilder = HttpClientBuilder.create().setDefaultRequestConfig(requestConfig)
        .setConnectionManager(connManager).setSSLSocketFactory(sslsf);
    handleAuthentication(uri, httpClientBuilder);
    httpClient = httpClientBuilder.build();
  
I am also setting the following JVM options:  
JVM_ARGS=-Dhttps.protocols=TLSv1.2 -Djdk.tls.client.protocols=TLSv1.2 -Djavax.net.debug=all
 
  
But we are still getting the error:  
  
[4/21/16 17:27:37:123 EDT] 00000042 id=         bm.myw3.services.awf.sso.ejb.generator.SSOTokenGeneratorImpl
I Exception :: javax.net.ssl.SSLException: Received fatal alert: protocol_version  
[4/21/16 17:27:37:124 EDT] 00000042 id=         com.ibm.myw3.services.awf.sso.ejb.SSOTokenManagerBean
       E SSOTokenGeneratorException :: {0}
com.ibm.myw3.services.awf.sso.ejb.config.SSOTokenGeneratorException: Exception while executing
http request for retrieving Token  
  

I have a trace.log, which I can upload if anyone thinks it would be useful to see. But here
are various entries from the trace:  
  
    Default Executor-thread-25, WRITE: TLSv1.2 Handshake, length = 80
    Default Executor-thread-25, WRITE: TLSv1.2 Application Data, length = 256
    Default Executor-thread-25, READ: TLSv1.2 Application Data, length = 1552
    SEND TLSv1.2 ALERT:
    Finalizer thread, WRITE: TLSv1.2 Alert, length = 64
  

And then it goes on to try TLSv1. I'm not sure what to look for to determine why it's not
using TLSv1.2, but nothing is jumping out at me from the trace.



---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org
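
As an added example (not part of either message, and not code from the HttpClient project): a small Python script that groups `javax.net.debug` record lines like the ones in the trace excerpt by thread and reports which protocol version each thread read and wrote, which is one way to find the connection that goes on to try TLSv1. The first four sample lines come from the excerpt above; the `Default Executor-thread-31` lines are constructed for illustration.

```python
import re
from collections import OrderedDict

# Record lines as they appear in the trace excerpt:
#   <thread>, WRITE: TLSv1.2 Handshake, length = 80
RECORD = re.compile(
    r"^\s*(?P<thread>.+?), (?P<dir>READ|WRITE): "
    r"(?P<proto>\S+) (?P<rtype>.+?), length = (?P<length>\d+)\s*$"
)

# Lines 1-4 are from the excerpt; lines 5-6 (thread-31) are constructed.
SAMPLE = """\
Default Executor-thread-25, WRITE: TLSv1.2 Handshake, length = 80
Default Executor-thread-25, WRITE: TLSv1.2 Application Data, length = 256
Default Executor-thread-25, READ: TLSv1.2 Application Data, length = 1552
Finalizer thread, WRITE: TLSv1.2 Alert, length = 64
Default Executor-thread-31, WRITE: TLSv1 Handshake, length = 149
Default Executor-thread-31, READ: TLSv1 Alert, length = 2
""".splitlines()


def triage(lines, expected="TLSv1.2"):
    """Group TLS record lines by thread; flag alerts and off-version writes."""
    threads = OrderedDict()
    for lineno, line in enumerate(lines, start=1):
        m = RECORD.match(line)
        if not m:
            continue  # hex dumps, handshake details and other trace output
        t = threads.setdefault(m["thread"], {
            "protocols": [], "changes": [], "alerts": [], "unexpected": []})
        proto = m["proto"]
        prev = t["protocols"][-1] if t["protocols"] else None
        if proto != prev:
            t["protocols"].append(proto)
            if prev is not None:  # version changed within one thread
                t["changes"].append((lineno, prev, proto))
        if m["rtype"] == "Alert":
            t["alerts"].append((lineno, m["dir"], proto))
        if m["dir"] == "WRITE" and proto != expected:
            t["unexpected"].append((lineno, proto, m["rtype"]))
    return threads


if __name__ == "__main__":
    for name, t in triage(SAMPLE).items():
        print(name, t["protocols"], "alerts:", t["alerts"],
              "unexpected writes:", t["unexpected"])
```

A thread listed under `unexpected` is a connection whose socket did not get the intended protocol settings, so that is the code path to inspect first.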

