Posted to issues@cxf.apache.org by "Andriy Redko (Jira)" <ji...@apache.org> on 2023/11/01 03:03:00 UTC

[jira] [Resolved] (CXF-8952) HttpClientHTTPConduit in CXF doesn't support TLSv1.3 along with other protocols

     [ https://issues.apache.org/jira/browse/CXF-8952?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andriy Redko resolved CXF-8952.
-------------------------------
    Resolution: Fixed

> HttpClientHTTPConduit in CXF doesn't support TLSv1.3 along with other protocols
> -------------------------------------------------------------------------------
>
>                 Key: CXF-8952
>                 URL: https://issues.apache.org/jira/browse/CXF-8952
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS
>    Affects Versions: 4.0.3, 4.0.4
>            Reporter: Sebastian Violet
>            Assignee: Daniel Kulp
>            Priority: Critical
>             Fix For: 3.6.3, 4.0.4
>
>         Attachments: image-2023-10-30-17-30-19-307.png
>
>
>  *HttpClientHTTPConduit* doesn't have support for TLSv1.3 out of the box. [Look at line #253 here|https://github.com/apache/cxf/blob/ee4244116cb49c007bde3ee7ee6a06a4cfb26027/rt/transports/http/src/main/java/org/apache/cxf/transport/http/HttpClientHTTPConduit.java#L253].
> !image-2023-10-30-17-30-19-307.png|width=821,height=227!
>  This means that any endpoint which solely supports *TLSv1.3* and has turned off other lower protocols will fail SSL Handshake.
> One can pass in a singular {*}secureSocketProtocol{*}, but that doesn't support passing in a list for negotiation fallback.
> I.e., we can do the following:
> {code:java}
> ClientConfiguration config = WebClient.getConfig(service);
> final TLSClientParameters tlsClientParameters = ObjectUtils.firstNonNull(config.getHttpConduit().getTlsClientParameters(), new TLSClientParameters());
> // only a single protocol name can be set here; there is no list to fall back through
> tlsClientParameters.setSecureSocketProtocol("TLSv1.3");
> {code}
> However, this will not work with endpoints that do not support {*}TLSv1.3{*}; it works great for endpoints that only have *TLSv1.3* though.
>  
> {*}Solution{*}:
> {*}Option 1{*}({color:#FF0000}Ideal; *recommended*{color}): Add *TLSv1.3* to the list of protocols when creating the HttpClient through the builder.
> {*}Option 2{*}: Allow *setSecureSocketProtocol* to take in an *array* of protocols.
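Added illustration of Option 1 on a plain java.net.http.HttpClient (the client HttpClientHTTPConduit builds); this is example code written for this page, not CXF's own fix. It assumes the JDK default trust store, no client certificate, and a caller-supplied endpoint URL; the URL in main() is a placeholder.

```java
import java.io.IOException;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.security.GeneralSecurityException;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSession;

/** Builds an HttpClient that offers TLSv1.3 and TLSv1.2 instead of a single protocol. */
public final class Tls13ClientExample {

    /** Protocols offered in the ClientHello, highest first; JSSE picks the best one the server also enables. */
    static final String[] OFFERED_PROTOCOLS = {"TLSv1.3", "TLSv1.2"};

    public static HttpClient build() throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // default trust managers, no client key material (assumption)
        SSLParameters params = new SSLParameters();
        // Offering only {"TLSv1.2"} here reproduces the handshake failure the report describes
        // against a TLSv1.3-only endpoint; offering both keeps TLSv1.2-only endpoints working too.
        params.setProtocols(OFFERED_PROTOCOLS);
        return HttpClient.newBuilder().sslContext(ctx).sslParameters(params).build();
    }

    /** Returns the protocol version the server actually negotiated, or "none" for a non-TLS connection. */
    public static String negotiatedProtocol(HttpClient client, String url)
            throws IOException, InterruptedException {
        HttpRequest req = HttpRequest.newBuilder(URI.create(url)).GET().build();
        HttpResponse<Void> rsp = client.send(req, HttpResponse.BodyHandlers.discarding());
        // HttpResponse.sslSession() is available from Java 12; CXF 4.x already requires a newer JDK
        return rsp.sslSession().map(SSLSession::getProtocol).orElse("none");
    }

    public static void main(String[] args) throws Exception {
        // Placeholder endpoint; pass the URL of the service under test as the first argument
        String url = args.length > 0 ? args[0] : "https://example.invalid/";
        HttpClient client = build();
        System.out.println("offered " + String.join(",", OFFERED_PROTOCOLS)
                + ", negotiated " + negotiatedProtocol(client, url));
    }
}
```

Run it once against a TLSv1.3-only endpoint and once against a TLSv1.2-only one: both succeed with the two-entry list, while narrowing OFFERED_PROTOCOLS to one name fails the handshake on whichever endpoint does not enable it.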



--
This message was sent by Atlassian Jira
(v8.20.10#820010)