You are viewing a plain text version of this content. The canonical link for it is here.

Posted to httpclient-users@hc.apache.org by Dave Westerman <dl...@us.ibm.com> on 2016/04/22 22:04:12 UTC

Having Trouble Getting HttpClient Working with TLSv1.2

We are using ApacheHttpClient to connect to an external REST service. We've been using version 4.3.5, but we also tried it with 4.5.2, and the results have been the same. The backend service changed to force the use of TLSv1.2, which causes our code to fail because of the protocol versiom. So we tried to make changes to use that, but no matter what we try, we're still getting the error. Here is our latest iteration of the code:  
  
    SSLContext sslContext = SSLContexts.custom().useProtocol("TLSv1.2").build();
    SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(sslContext, new String[] { "TLSv1.2" },
        new String[] { "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" },
        SSLConnectionSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
    HttpClientBuilder httpClientBuilder = HttpClientBuilder.create().setDefaultRequestConfig(requestConfig)
        .setConnectionManager(connManager).setSSLSocketFactory(sslsf);
    handleAuthentication(uri, httpClientBuilder);
    httpClient = httpClientBuilder.build();
  
I am also setting the following JVM options:  
JVM_ARGS=-Dhttps.protocols=TLSv1.2 -Djdk.tls.client.protocols=TLSv1.2 -Djavax.net.debug=all  
  
But we are still getting the error:  
  
[4/21/16 17:27:37:123 EDT] 00000042 id=         bm.myw3.services.awf.sso.ejb.generator.SSOTokenGeneratorImpl I Exception :: javax.net.ssl.SSLException: Received fatal alert: protocol_version  
[4/21/16 17:27:37:124 EDT] 00000042 id=         com.ibm.myw3.services.awf.sso.ejb.SSOTokenManagerBean        E SSOTokenGeneratorException :: {0}
com.ibm.myw3.services.awf.sso.ejb.config.SSOTokenGeneratorException: Exception while executing http request for retrieving Token  
  

I have a trace.log, which I can upload if anyone thinks it would be useful to see. But here are various entries from the trace:  
  
    Default Executor-thread-25, WRITE: TLSv1.2 Handshake, length = 80
    Default Executor-thread-25, WRITE: TLSv1.2 Application Data, length = 256
    Default Executor-thread-25, READ: TLSv1.2 Application Data, length = 1552
    SEND TLSv1.2 ALERT:
    Finalizer thread, WRITE: TLSv1.2 Alert, length = 64
  

And then it goes on to try TLSv1. I'm not sure what to look for to determine why it's not using TLSv1.2, but nothing is jumping out at me from the trace.



---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org

Re: Having Trouble Getting HttpClient Working with TLSv1.2

Posted by ec...@zusammenkunft.net.

Souns like the service does not like TLS12, did you try using Browser or openssl to verify what Protocol it accepts. Or just sent a full list of protocols for a test.

Gruss
Bernd
-- 
http://bernd.eckenfels.net

-----Original Message-----
From: Dave Westerman <dl...@us.ibm.com>
To: httpclient-users@hc.apache.org
Sent: Fr., 22 Apr. 2016 22:04
Subject: Having Trouble Getting HttpClient Working with TLSv1.2

We are using ApacheHttpClient to connect to an external REST service. We've been using version 4.3.5, but we also tried it with 4.5.2, and the results have been the same. The backend service changed to force the use of TLSv1.2, which causes our code to fail because of the protocol versiom. So we tried to make changes to use that, but no matter what we try, we're still getting the error. Here is our latest iteration of the code:  
  
    SSLContext sslContext = SSLContexts.custom().useProtocol("TLSv1.2").build();
    SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(sslContext, new String[] { "TLSv1.2" },
        new String[] { "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" },
        SSLConnectionSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
    HttpClientBuilder httpClientBuilder = HttpClientBuilder.create().setDefaultRequestConfig(requestConfig)
        .setConnectionManager(connManager).setSSLSocketFactory(sslsf);
    handleAuthentication(uri, httpClientBuilder);
    httpClient = httpClientBuilder.build();
  
I am also setting the following JVM options:  
JVM_ARGS=-Dhttps.protocols=TLSv1.2 -Djdk.tls.client.protocols=TLSv1.2 -Djavax.net.debug=all  
  
But we are still getting the error:  
  
[4/21/16 17:27:37:123 EDT] 00000042 id=         bm.myw3.services.awf.sso.ejb.generator.SSOTokenGeneratorImpl I Exception :: javax.net.ssl.SSLException: Received fatal alert: protocol_version  
[4/21/16 17:27:37:124 EDT] 00000042 id=         com.ibm.myw3.services.awf.sso.ejb.SSOTokenManagerBean        E SSOTokenGeneratorException :: {0}
com.ibm.myw3.services.awf.sso.ejb.config.SSOTokenGeneratorException: Exception while executing http request for retrieving Token  
  

I have a trace.log, which I can upload if anyone thinks it would be useful to see. But here are various entries from the trace:  
  
    Default Executor-thread-25, WRITE: TLSv1.2 Handshake, length = 80
    Default Executor-thread-25, WRITE: TLSv1.2 Application Data, length = 256
    Default Executor-thread-25, READ: TLSv1.2 Application Data, length = 1552
    SEND TLSv1.2 ALERT:
    Finalizer thread, WRITE: TLSv1.2 Alert, length = 64
  

And then it goes on to try TLSv1. I'm not sure what to look for to determine why it's not using TLSv1.2, but nothing is jumping out at me from the trace.



---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org