6

SSLv3 is disabled in Apache HttpClient since version 4.3.6, but I'm using version 4.5. The developers wrote:

Those users who wish to continue using SSLv3 need to explicitly enable support for it.

I tried to set the supported protocols on the JVM level, but it didn't work. The example is in Scala, but that is not relevant for the problem:

System.setProperty("https.protocols", "SSLv2Hello,SSLv3,TLSv1,TLSv1.1,TLSv1.2")

My second try was this:

val instance: CloseableHttpClient = {
  val trustStrategy = new TrustStrategy {
    override def isTrusted(x509Certificates: Array[X509Certificate], s: String) = true
  }
  val sslContext = new SSLContextBuilder().loadTrustMaterial(null, trustStrategy).build()
  val sslSocketFactory = new SSLConnectionSocketFactory(sslContext, NoopHostnameVerifier.INSTANCE)
  val socketFactoryRegistry =
    RegistryBuilder.create[ConnectionSocketFactory]()
        .register("http", PlainConnectionSocketFactory.getSocketFactory)
        .register("https", sslSocketFactory)
        .build()
  val connectionManager = new PoolingHttpClientConnectionManager(socketFactoryRegistry)
  HttpClients.custom()
      .disableRedirectHandling()
      .setSSLContext(sslContext)
      .setConnectionManager(connectionManager)
      .build()
}

But it didn't work either.

How can I connect to hosts supporting SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2 with Apache HttpClient 4.5?

deamon
  • 89,107
  • 111
  • 320
  • 448

1 Answers1

6

HttpClient does not take system properties into account by default. One either needs to instruct HttpClient builder to do so

CloseableHttpClient client = HttpClients.createSystem();

or manually configure connection socket factory with custom protocol settings

SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(
        SSLContext.getDefault(),
        new String[] { "SSLv2Hello","SSLv3","TLSv1","TLSv1.1","TLSv1.2"},
        null,
        SSLConnectionSocketFactory.getDefaultHostnameVerifier());
Registry<ConnectionSocketFactory> socketFactoryRegistry = RegistryBuilder.<ConnectionSocketFactory>create()
        .register("http", PlainConnectionSocketFactory.getSocketFactory())
        .register("https", socketFactory)
        .build();

PoolingHttpClientConnectionManager cm = new PoolingHttpClientConnectionManager(socketFactoryRegistry);
CloseableHttpClient client = HttpClients.custom().setConnectionManager(cm).build();

EDIT

This code snippet works just fine with the site mentioned in a comment 

SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(
        SSLContext.getDefault(),
        new String[] {"TLSv1"},
        null,
        SSLConnectionSocketFactory.getDefaultHostnameVerifier());
Registry<ConnectionSocketFactory> socketFactoryRegistry = RegistryBuilder.<ConnectionSocketFactory>create()
        .register("http", PlainConnectionSocketFactory.getSocketFactory())
        .register("https", socketFactory)
        .build();

PoolingHttpClientConnectionManager cm = new PoolingHttpClientConnectionManager(socketFactoryRegistry);
CloseableHttpClient client = HttpClients.custom().setConnectionManager(cm).build();
try (CloseableHttpResponse response = client.execute(new HttpGet("https://www.ethz.ch/de.html"))) {
    System.out.println(response.getStatusLine());
    System.out.println(EntityUtils.toString(response.getEntity()));
}
ok2c
  • 26,450
  • 5
  • 63
  • 71
  • Thanks, but unfortunately your approach doesn't solve the problem. If I try to load `https://www.ethz.ch/de.html`, I get `javax.net.ssl.SSLException: Received fatal alert: protocol_version`. – deamon Aug 07 '15 at 13:12
  • Right. Because the site in question only supports TLSv1 only and no other protocol. – ok2c Aug 07 '15 at 13:55
  • Thank you, it works with your second approach. But why doesn't it work when more then the needed protocol version is given? `Array("TLSv1")` works and `Array("SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")` does not! I have to connect to a lot of different hosts, so I must support more than `TLSv1`. Do you have any idea? – deamon Aug 10 '15 at 08:37
  • 1
    The JSSE provider is likely to choose a newer and more secure version of TLS if multiple versions are enabled. – ok2c Aug 10 '15 at 09:45