Posted to dev@hc.apache.org by "ASF subversion and git services (JIRA)" <ji...@apache.org> on 2019/04/02 10:18:00 UTC

[jira] [Commented] (HTTPCLIENT-1969) Filter out weak TLS cipher suites in Apache HttpClient

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1969?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16807623#comment-16807623 ] 

ASF subversion and git services commented on HTTPCLIENT-1969:
-------------------------------------------------------------

Commit 9049eb01452b16bc8e9a16dc3be50e9b0e5780fa in httpcomponents-client's branch refs/heads/HTTPCLIENT-1976 from Artem Smotrakov
[ https://gitbox.apache.org/repos/asf?p=httpcomponents-client.git;h=9049eb0 ]

HTTPCLIENT-1969: Filter out weak cipher suites


> Filter out weak TLS cipher suites in Apache HttpClient
> ------------------------------------------------------
>
>                 Key: HTTPCLIENT-1969
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1969
>             Project: HttpComponents HttpClient
>          Issue Type: Improvement
>          Components: HttpClient (classic)
>    Affects Versions: 4.5.7
>            Reporter: Artem Smotrakov
>            Priority: Major
>         Attachments: SSLConnectionSocketFactory.java.patch
>
>          Time Spent: 4h 50m
>  Remaining Estimate: 0h
>
> SSLConnectionSocketFactory filters out insecure SSL protocols if a user didn't explicitly enable them
> [https://github.com/apache/httpcomponents-client/blob/4.5.x/httpclient/src/main/java/org/apache/http/conn/ssl/SSLConnectionSocketFactory.java#L386]
> But it doesn't filter out insecure cipher suites which use weak algorithms such as SHA-1, RC4, DES, 3DES, etc. In fact, insecure cipher suites may be blocked by a TLS implementation like JSSE if a user uses modern versions of the JDK. But if the user doesn't upgrade the JDK or the JDK is not supported anymore by the vendor, then insecure cipher suites may be used for TLS connections. Implementing such a filter for weak TLS cipher suites may be an additional defense-in-depth measure which may help users to use HttpClient in a safe way.
>  
> I am attaching a patch (draft) for SSLConnectionSocketFactory which adds such a filtering mechanism. If no objections, I'll finalize it and create a pull request.
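The filtering described in the issue, as an added illustration that is not the attached patch or HttpClient's own code: it drops JSSE cipher suite names matching the weak-algorithm families the reporter lists (RC4, DES, 3DES, SHA-1 MAC) plus the usual NULL, anonymous, MD5 and export-grade markers, and applies the result to an SSLSocket's enabled suites. The pattern list and the `WeakCipherSuiteFilter` name are this example's own assumptions; in HttpClient 4.5.x the same call could be made from a subclass's `prepareSocket(SSLSocket)` hook, which is where the factory already adjusts protocols.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public final class WeakCipherSuiteFilter {

    // Assumed weak-suite markers (example's choice, not a project constant):
    // no encryption, anonymous key exchange, RC4, DES/3DES, MD5, export-grade,
    // and SHA-1 MAC, which JSSE names with a trailing "_SHA".
    private static final Pattern WEAK = Pattern.compile(
            "(?i)(_NULL_|_anon_|_RC4_|_DES_|3DES|_MD5|_EXPORT|_SHA$)");

    /** Returns the suites from {@code enabled} that match none of the weak markers. */
    static String[] filterWeakSuites(String[] enabled) {
        List<String> kept = new ArrayList<>();
        for (String suite : enabled) {
            if (!WEAK.matcher(suite).find()) {
                kept.add(suite);
            }
        }
        return kept.toArray(new String[0]);
    }

    /** Narrows a socket's enabled suites; a prepareSocket override could call this. */
    static void hardenSocket(SSLSocket socket) {
        socket.setEnabledCipherSuites(filterWeakSuites(socket.getEnabledCipherSuites()));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample mixing strong and weak JSSE-style suite names.
        String[] sample = {
            "TLS_AES_256_GCM_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
            "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
            "SSL_RSA_WITH_RC4_128_MD5",
            "SSL_DH_anon_WITH_DES_CBC_SHA",
            "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
        };
        System.out.println(Arrays.toString(filterWeakSuites(sample)));

        // Apply to an unconnected socket from the default SSLContext (no network I/O).
        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
        try (SSLSocket socket = (SSLSocket) factory.createSocket()) {
            hardenSocket(socket);
            System.out.println("enabled after filtering: " + socket.getEnabledCipherSuites().length);
        }
    }
}
```

Treating every `_SHA` suite as weak also removes all CBC-SHA suites, so a deployment should confirm its peers still share a suite before adopting that part of the pattern.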



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
