You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@hc.apache.org by "Oleg Kalnichevski (JIRA)" <ji...@apache.org> on 2019/01/25 22:56:00 UTC
[jira] [Resolved] (HTTPCLIENT-1967) HttpClient does not appears to
support TLSv1.3 well
[ https://issues.apache.org/jira/browse/HTTPCLIENT-1967?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Oleg Kalnichevski resolved HTTPCLIENT-1967.
-------------------------------------------
Resolution: Won't Fix
This is a known bug in TLSv3 implementation in Java 11. Please [JDK-8212885|https://bugs.openjdk.java.net/browse/JDK-8212885]
I reported it to Oracle some while ago
[https://security-dev.openjdk.java.narkive.com/Ffk69zcX/sslsession-getpeercertificates-and-resumed-tlsv1-3-sessions]
Either consider upgrading to Java 12 or try convincing Oracle people to back port the fix to Java 11 or disable hostname verification.
Oleg
> HttpClient does not appears to support TLSv1.3 well
> ---------------------------------------------------
>
> Key: HTTPCLIENT-1967
> URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1967
> Project: HttpComponents HttpClient
> Issue Type: Bug
> Components: HttpClient (Windows)
> Affects Versions: 4.5.3, 4.5.6
> Environment: Windows
> Reporter: FUMIN
> Priority: Major
> Attachments: TestHttpClient.java, ssl_handshake_debugresult_2requests_using_the_same_HttpClient_Instnace.txt
>
>
> # Set up a clean Apache Tomcat server, in my case I downloaded 8.5.37.
> # Setup and change the server.xml to setup HTTPS/TLS 1.3 connector, I have this section:
> <Connector port="8443" protocol="HTTP/1.1" scheme="https" secure="true"
> maxThreads="150" SSLEnabled="true" >
> <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
> <SSLHostConfig ciphers="TLS_AES_256_GCM_SHA384" protocols="TLSv1.3" sslProtocol="TLS">
> <Certificate certificateKeystoreFile="conf/.keystore" certificateKeystoreType="jks"/>
> </SSLHostConfig>
> </Connector>
> 3. Connect from Chrome or Firefox, able to verify browser can connect to the server with TLSv1.3 cipher suites.
> 4. Use a test program, such as the attached. Update the URL to point to the TLS1.3 supported server. Run the program, Notice the behavior.
> The stacktrace of the Exception:
> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
> at java.base/sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:526)
> at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:464)
> at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:397)
> at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
> at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
> at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:373)
> at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:394)
> at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
> at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
> at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
> at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
> at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
> at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
> at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
> at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
> at TestHttpClient.makeRequest(TestHttpClient.java:33)
> at TestHttpClient.main(TestHttpClient.java:18)
>
> (Note, I am using java 11 for both the server and the client where TLSv1.3 is supported)
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org