Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 4.1.1
    • Fix Version/s: 4.2 Alpha1
    • Component/s: HttpClient
    • Labels:
      None

      Description

      In HttpClient 4.0.3, it was easy to subclass SSLSocketFactory, and set SSLSocket options (e.g. setEnabledCipherSuites() or setSSLParameters()) before the SSL handshake happened. This way it was possible to e.g. restrict cipher suites on a per-HttpClient basis (instead of JVM-wide system properties).

      In HttpClient 4.1.1, the design has changed quite a lot, and copy-pasting of several long methods is needed.

      Ideally, SSLSocketFactory should support applying SSLParameters to the socket. However, SSLParameters is Java 1.6, so if we want to keep compatibility with 1.5, that's out.

      However, it'd be nice to at least have a method (e.g. "protected SSLSocket prepareSSLSocket(SSLSocket s)") that would get called immediately after a socket is retrieved from the socket factory. The default implementation could be just "return s;", but subclasses could do something like s.setEnabledCipherSuites() or s.setSSLParameters().

        Activity

        Oleg Kalnichevski made changes -
        Status Resolved [ 5 ] Closed [ 6 ]
        Oleg Kalnichevski made changes -
        Status Open [ 1 ] Resolved [ 5 ]
        Resolution Fixed [ 1 ]
        Oleg Kalnichevski added a comment -

        Patch checked in. Many thanks, Pasi, for contributing it.

        Oleg

        Pasi Eronen made changes -
        Pasi Eronen added a comment -

        Patch against SVN trunk attached

        Oleg Kalnichevski made changes -
        Field Original Value New Value
        Fix Version/s 4.2 Alpha1 [ 12316315 ]
        Oleg Kalnichevski added a comment -

        Fair enough. Feel free to submit a patch with the changes you are proposing.

        Oleg

        Pasi Eronen added a comment -

        Overriding #createSocket(HttpParams) would be simple, but currently SSLSocketFactory has three other places where this.socketfactory.createSocket() is called, and all of them would need a call to SSLSocket#setEnabledCipherSuites() to cover all code paths...

        Oleg Kalnichevski added a comment -

        Pasi

        I really do not mind adding a #prepareSSLSocket(SSLSocket) protected method, but why would overriding #createSocket(HttpParams) not be enough? I believe one can call SSLSocket#setEnabledCipherSuites() on an unconnected SSL socket.

        Oleg

        Pasi Eronen created issue -

          People

          • Assignee:
            Unassigned
            Reporter:
            Pasi Eronen
          • Votes:
            0
            Watchers:
            0
