Posted to dev@hc.apache.org by "David (JIRA)" <ji...@apache.org> on 2015/01/23 00:49:34 UTC

[jira] [Comment Edited] (HTTPCLIENT-1600) Enable supported TLS protocols

    [ https://issues.apache.org/jira/browse/HTTPCLIENT-1600?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14288471#comment-14288471 ] 

David edited comment on HTTPCLIENT-1600 at 1/22/15 11:48 PM:
-------------------------------------------------------------

Ha! Apparently not. Why disable TLSv1.1 and TLSv1.2 in Java 7? Do we have good reasons?
Oracle's rationale for not enabling TLSv1.1 and TLSv1.2 in Java 7 seems to be:
{quote}
Although SunJSSE in the Java SE 7 release supports TLS 1.1 and TLS 1.2, neither version is enabled by default for client connections. Some servers do not implement forward compatibility correctly and refuse to talk to TLS 1.1 or TLS 1.2 clients. For interoperability, SunJSSE does not enable TLS 1.1 or TLS 1.2 by default for client connections.

Server connections have no such interoperability problem. TLS 1.1 and TLS 1.2 are enabled by default for server connections.
{quote} source - https://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html 

However, there are not many servers that have issues communicating with TLSv1.1 or TLSv1.2 clients around any more, which is why Java 8 enables TLSv1.1 and TLSv1.2. Also, at the same time, Java >= 7 not using TLSv1.1 or higher in handshaking, like I have said, violates the TLS specification (unless you use the com.sun.net.ssl.rsaPreMasterSecretFix system property), which results in servers (tested against OpenSSL) rejecting Java connections when the negotiated protocol version differs from the original version sent in the client hello.
 


was (Author: dblack):
Ha! Apparently not. Why disable TLSv1.1 and TLSv1.2 in Java 7? Do we have good reasons?
Oracle's rationale for not enabling TLSv1.1 and TLSv1.2 in Java 7 seems to be:
{quote}
Although SunJSSE in the Java SE 7 release supports TLS 1.1 and TLS 1.2, neither version is enabled by default for client connections. Some servers do not implement forward compatibility correctly and refuse to talk to TLS 1.1 or TLS 1.2 clients. For interoperability, SunJSSE does not enable TLS 1.1 or TLS 1.2 by default for client connections.

Server connections have no such interoperability problem. TLS 1.1 and TLS 1.2 are enabled by default for server connections.
{quote} source - https://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html 

However, there are not many servers that have issues communicating with TLSv1.1 or TLSv1.2 clients, which is why Java 8 enables TLSv1.1 and TLSv1.2. Also, at the same time, Java >= 7 not using TLSv1.1 or higher in handshaking, like I have said, violates the TLS specification (unless you use the com.sun.net.ssl.rsaPreMasterSecretFix system property), which results in servers (tested against OpenSSL) rejecting Java connections when the negotiated protocol version differs from the original version sent in the client hello.
 

> Enable supported TLS protocols
> ------------------------------
>
>                 Key: HTTPCLIENT-1600
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1600
>             Project: HttpComponents HttpClient
>          Issue Type: Improvement
>          Components: HttpClient
>    Affects Versions: 4.4 Final
>            Reporter: David
>
> https://github.com/apache/httpclient/commit/a3a8def3ab99174468930b99dc897dd488968c41 reverts a change that enabled TLSv1.1 and TLSv1.2 in java 7. If the 'https.protocols' property has not been set then httpclient should enable all supported TLS protocols. The result of this change will be that TLSv1.1 and TLSv1.2 will be used in java 7.
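The policy the issue asks for (honour 'https.protocols' when it is set, otherwise enable every TLS version the JSSE provider supports rather than only the Java 7 client defaults) can be applied from application code today, without waiting for the library change. The following is an added example written for this page, not code from the HttpClient project or from the issue reporter. It assumes the HttpClient 4.4 API (SSLConnectionSocketFactory with an explicit protocol list, HttpClients.custom()), assumes 'https.protocols' is a comma-separated list as JSSE reads it, and deliberately drops SSLv2Hello and SSLv3 from the "all supported" set, which is a hardening choice of this example and not something the issue text itself requires. The class name and method names are illustrative.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;

import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.protocol.HttpClientContext;
import org.apache.http.conn.ManagedHttpClientConnection;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;

/** Illustrative class (not part of HttpClient): choose the TLS versions an HttpClient 4.4 client enables. */
public class TlsProtocolSelection {

    /** Versions the JSSE provider can speak. On Java 7 this list includes TLSv1.1 and TLSv1.2. */
    static String[] supportedProtocols(SSLContext ctx) {
        return ctx.getSupportedSSLParameters().getProtocols();
    }

    /** Versions JSSE enables for client sockets by default. On Java 7 this is SSLv3 and TLSv1 only. */
    static String[] defaultEnabledProtocols(SSLContext ctx) {
        return ctx.getDefaultSSLParameters().getProtocols();
    }

    /**
     * The policy from HTTPCLIENT-1600: if https.protocols is set, use exactly that list;
     * otherwise enable every supported protocol. Assumption of this example: the property is
     * comma-separated, and "all supported" is restricted to names starting with "TLS" so that
     * SSLv2Hello and SSLv3 are never enabled.
     */
    static String[] protocolsToEnable(SSLContext ctx, String httpsProtocolsProperty) {
        List<String> result = new ArrayList<String>();
        if (httpsProtocolsProperty != null && !httpsProtocolsProperty.trim().isEmpty()) {
            for (String p : httpsProtocolsProperty.split(",")) {
                if (!p.trim().isEmpty()) {
                    result.add(p.trim());
                }
            }
            return result.toArray(new String[result.size()]);
        }
        for (String p : supportedProtocols(ctx)) {
            if (p.startsWith("TLS")) {
                result.add(p);
            }
        }
        return result.toArray(new String[result.size()]);
    }

    /** Build a client whose TLS sockets enable the computed list instead of the JSSE client default. */
    static CloseableHttpClient newClient(SSLContext ctx) {
        String[] protocols = protocolsToEnable(ctx, System.getProperty("https.protocols"));
        SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(
                ctx, protocols, null /* default cipher suites */,
                SSLConnectionSocketFactory.getDefaultHostnameVerifier());
        return HttpClients.custom().setSSLSocketFactory(sslsf).build();
    }

    /** Fetch a URL and report the protocol version the server actually negotiated. */
    static String negotiatedProtocol(CloseableHttpClient client, String url) throws Exception {
        HttpClientContext context = HttpClientContext.create();
        CloseableHttpResponse response = client.execute(new HttpGet(url), context);
        try {
            // The leased connection is still attached to the context while the response is open.
            ManagedHttpClientConnection conn = context.getConnection(ManagedHttpClientConnection.class);
            SSLSession session = conn.getSSLSession();
            return session == null ? "plaintext" : session.getProtocol();
        } finally {
            response.close();
        }
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        System.out.println("supported by JSSE:  " + Arrays.toString(supportedProtocols(ctx)));
        System.out.println("JSSE client default: " + Arrays.toString(defaultEnabledProtocols(ctx)));
        System.out.println("enabled by this client: "
                + Arrays.toString(protocolsToEnable(ctx, System.getProperty("https.protocols"))));
        if (args.length > 0) {
            CloseableHttpClient client = newClient(ctx);
            try {
                System.out.println("negotiated with " + args[0] + ": " + negotiatedProtocol(client, args[0]));
            } finally {
                client.close();
            }
        }
    }
}
```

Run it once without arguments on a Java 7 JVM to see the gap between the supported list and the client default, then against an HTTPS URL to confirm that the server picks TLSv1.2 once it is enabled. Running with `-Dhttps.protocols=TLSv1` shows the property taking precedence over the "all supported" fallback.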



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org