2

I have an app which connects to a server via HTTPS. The server in question has a weak certificate which utilises the RC4 cipher (default support for which was recently removed from the JDK: https://www.java.com/en/download/faq/release_changes.xml). So following the upgrade of the JDK, I am seeing javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

The release notes specify that you should use SSLSocket/SSLEngine.setEnabledCipherSuites() to specifically enable certain ciphers.

However, using HttpsURLConnection or Apache's CloseableHttpClient, I can only find how to specify the SSLSocketFactory, which doesn't seem to provide the function setEnabledCipherSuites().

Found this post: Why does SSLSocketFactory lack setEnabledCipherSuites?

My question is: Is there a way to get hold of the SSLEngine/Socket on an outbound client HTTP request so I can set the cipher suites before the handshake?

Thanks in advance.

Community
Fred

3 Answers

0

I was facing the same problem and I was able to figure this out.

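SecureProtocolSocketFactoryImpl protFactory = new SecureProtocolSocketFactoryImpl();
// Register the custom factory for the https scheme (Commons HttpClient 3.x Protocol class)
Protocol httpsProtocol = new Protocol("https", (ProtocolSocketFactory) protFactory, port);
httpsClient.getHostConfiguration().setHost(host, port, httpsProtocol);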

In the "SecureProtocolSocketFactoryImpl" class you have to override the method public Socket createSocket() of the SecureProtocolSocketFactory class.

In that method you will get a socket like this:

SSLSocket soc = (SSLSocket) getSSLContext().getSocketFactory().createSocket(
        socket,
        host,
        port,
        autoClose
);

So there you will be able to do something like below.

// Cipher suites to enable on this socket
String[] ciphersToBeEnabled = { "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA" };
soc.setEnabledCipherSuites(ciphersToBeEnabled);

Hope you get the idea. If you have any problems, please comment below. Note that doing this alone will not enable RC4-related ciphers. You will need to modify the Java "java.security" file in jre/lib/security/ and remove RC4 from the disabled algorithm list.

Maxi
0

For HttpsURLConnection, set the system property https.cipherSuites.

user207421
0

As you mentioned, SSLSocketFactory doesn't support setEnabledCipherSuites(), so you can do something like this:

// CIPHERS is a String[] of cipher suite names
SSLSocketFactory socketFactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
SSLSocket socket = (SSLSocket) socketFactory.createSocket(host, port);
socket.setEnabledCipherSuites(CIPHERS);

SSLSocket provides setEnabledCipherSuites().

Procrastinator
Yaphet17