[CXF-8952] HttpClientHTTPConduit in CXF doesn't support TLSv1.3 along with other protocols - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Critical
Resolution: Fixed
Affects Version/s: 3.6.2, 4.0.3
Fix Version/s: 3.6.3, 4.0.4
Component/s: JAX-RS
Labels:
None

Estimated Complexity:
Unknown

Description

HttpClientHTTPConduit does't have support for TLSv1.3 out of the box. Look at line #253 here.

This means that any endpoint which solely supports TLSv1.3 and has turned off other lower protocols will fail SSL Handshake.

One can pass in a singular secureSocketProtocol, but that doesn't support passing in a list for negotiation fallback.

I.e. We can do the following:

ClientConfiguration config = WebClient.getConfig(service);
final TLSClientParameters tlsClientParameters = ObjectUtils.firstNonNull(config.getHttpConduit().getTlsClientParameters(), new TLSClientParameters());
 tlsClientParameters.setSecureSocketProtocol("TLSv1.3");

However, this will not work with endpoints that do now support TLSv1.3; it works great for endpoints that only have TLSv1.3 though.

Solution:
Option 1(Ideal; recommended): Add TLSv1.3 to the list of protocols when creating the HttpClient through the builder.
Option 2: Allow setSecureSocketProtocol to take in an array of protocols.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

image-2023-10-30-17-30-19-307.png
31/Oct/23 00:30
144 kB
Sebastian Violet

Issue Links

is related to

CXF-8953 Better support of the HTTPS protocol versions used by client/server conduits

Resolved

links to

GitHub Pull Request #1498

Activity

People

Assignee:: Daniel Kulp

Reporter:: Sebastian Violet

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 31/Oct/23 00:29

Updated:: 02/Nov/23 11:58

Resolved:: 01/Nov/23 03:02