I want to find out if Apache CXF 3.1.6 supports TLS1.2.

I looked at Apache's documentation and found no information related to TLS1.2 http://cxf.apache.org/docs/tls-configuration.html

I also tried setting "secureSocketProtocol to TLSv2" but ended up getting "TLSv2 SSLContext not available" in the logs.

Any help in this regard would be much appreciated.

Tarun Tyagi

1 Answer

I have used a custom SSL context in Apache httpClient to turn on TLSv1.2 in Java 7 (not on by default), so you should be able to turn it on in CXF. In Java 8, it should use it by default. I would try using TLSv1.2 as the parameter if you're using the configuration.

If that doesn't work, you could try using a custom SSL factory.

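import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import javax.net.ssl.SSLContext;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.ssl.SSLContexts;

// enable tls v1.1 and v1.2 on JRE 7
String jreVersion = System.getProperty("java.version");
if (jreVersion.startsWith("1.7")) {
    try {
        SSLContext sslcontext = SSLContexts.custom().build();
        // Allow TLSv1.1 and 1.2 protocol only
        SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(sslcontext,
                new String[] { "TLSv1.1", "TLSv1.2" }, null,
                SSLConnectionSocketFactory.getDefaultHostnameVerifier());

        // customClient is assumed to be the HttpClientBuilder being configured
        customClient.setSSLSocketFactory(sslsf); // set the httpClient custom factory
    } catch (KeyManagementException | NoSuchAlgorithmException e) {
        // the enclosing method must declare these exceptions for the rethrow to compile
        e.printStackTrace();
        throw e;
    }
}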

Getting CXF to use the custom socket factory has been answered on this SO question

Mike
  • There is also a Jira here that shows how to do it. http://mail-archives.apache.org/mod_mbox/cxf-issues/201503.mbox/%3CJIRA.12781561.1426180735000.131463.1426687958971@Atlassian.JIRA%3E – Mike May 16 '16 at 16:34
  • As a follow-on - look into the "conduit" configuration - it's not well documented but I believe it covers the aspects you want with regard to the connection specifics. – Dave G May 16 '16 at 16:39
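
An added example, not code from the answer or from the CXF project: it checks whether the JRE accepts a protocol name (an unknown name such as "TLSv2" fails with the "SSLContext not available" message from the question) and then sets `secureSocketProtocol` on the client's HTTP conduit. The class name, the helper names and the `port` argument (a JAX-WS proxy created by CXF) are assumptions; CXF must be on the classpath.

```java
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

public final class CxfTlsProtocol {   // hypothetical class name

    /** True if this JRE can build an SSLContext for the given protocol name. */
    static boolean jreSupports(String protocol) {
        try {
            SSLContext.getInstance(protocol);
            return true;
        } catch (NoSuchAlgorithmException e) {
            // The JRE reports "<name> SSLContext not available" for unknown names
            return false;
        }
    }

    /** Sets secureSocketProtocol on the HTTP conduit of a CXF client proxy (hypothetical helper). */
    static void useProtocol(Object port, String protocol) {
        if (!jreSupports(protocol)) {
            throw new IllegalArgumentException(protocol + " is not a protocol name this JRE knows");
        }
        Client client = ClientProxy.getClient(port);
        HTTPConduit conduit = (HTTPConduit) client.getConduit();
        // Reuse existing TLS settings (trust store, cipher filters) if any are configured
        TLSClientParameters tls = conduit.getTlsClientParameters();
        if (tls == null) {
            tls = new TLSClientParameters();
        }
        tls.setSecureSocketProtocol(protocol);
        conduit.setTlsClientParameters(tls);
    }

    public static void main(String[] args) throws Exception {
        // Compare the name tried in the question with the valid JSSE name
        for (String name : new String[] { "TLSv2", "TLSv1.2" }) {
            System.out.println(name + " available: " + jreSupports(name));
        }
        // Protocol versions this JRE supports, and those it enables without extra configuration
        SSLContext ctx = SSLContext.getDefault();
        System.out.println("Supported: " + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));
        System.out.println("Enabled by default: " + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));
    }
}
```

Running `main` on the target JRE shows whether TLSv1.2 is merely supported or also enabled by default, which is the Java 7 versus Java 8 difference the answer describes.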