Description
HttpClientHTTPConduit doesn't have support for TLSv1.3 out of the box. Look at line #253 here.
This means that any endpoint which solely supports TLSv1.3 and has turned off other lower protocols will fail SSL Handshake.
One can pass in a singular secureSocketProtocol, but that doesn't support passing in a list for negotiation fallback.
I.e. We can do the following:
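ClientConfiguration config = WebClient.getConfig(service);
final TLSClientParameters tlsClientParameters = ObjectUtils.firstNonNull(
    config.getHttpConduit().getTlsClientParameters(), new TLSClientParameters());
// Only a single protocol name can be given here, not a list.
tlsClientParameters.setSecureSocketProtocol("TLSv1.3");
// Attach the parameters in case a new instance was created above.
config.getHttpConduit().setTlsClientParameters(tlsClientParameters);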
However, this will not work with endpoints that do not support TLSv1.3; it works great for endpoints that only have TLSv1.3 though.
Solution:
Option 1 (Ideal; recommended): Add TLSv1.3 to the list of protocols when creating the HttpClient through the builder.
Option 2: Allow setSecureSocketProtocol to take in an array of protocols.
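An added example of what Option 1 amounts to, written against the JDK's java.net.http.HttpClient builder; it is not CXF code and not part of the original report. The class and method names (TlsProtocolList, usableProtocols, build) are hypothetical, and it assumes the default SSLContext is the one in use.

```java
import java.net.http.HttpClient;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Hypothetical helper class, not taken from CXF.
public class TlsProtocolList {
    // Preferred order: TLSv1.3 first, TLSv1.2 kept as the negotiation fallback.
    static final List<String> WANTED = List.of("TLSv1.3", "TLSv1.2");

    /** Keep only the wanted protocols that this JVM's provider supports. */
    static String[] usableProtocols(SSLContext ctx) {
        Set<String> supported = new LinkedHashSet<>(
                Arrays.asList(ctx.getSupportedSSLParameters().getProtocols()));
        return WANTED.stream().filter(supported::contains).toArray(String[]::new);
    }

    static HttpClient build() throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        String[] protocols = usableProtocols(ctx);
        if (protocols.length == 0) {
            // Fail closed instead of silently enabling older protocol versions.
            throw new IllegalStateException("JVM supports none of " + WANTED);
        }
        SSLParameters params = new SSLParameters();
        // A list of enabled protocols lets the handshake pick the highest
        // version both peers share, unlike a single fixed protocol name.
        params.setProtocols(protocols);
        return HttpClient.newBuilder()
                .sslContext(ctx)
                .sslParameters(params)
                .build();
    }

    public static void main(String[] args) throws Exception {
        HttpClient client = build();
        // Prints the protocol list the client will offer in its ClientHello.
        System.out.println(Arrays.toString(client.sslParameters().getProtocols()));
    }
}
```

With both versions enabled, a TLSv1.3-only endpoint and a TLSv1.2-only endpoint can each complete the handshake, while versions below TLSv1.2 are never offered.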
Issue Links
- is related to CXF-8953 Better support of the HTTPS protocol versions used by client/server conduits (Resolved)