  1. HttpComponents HttpClient
  2. HTTPCLIENT-1967

HttpClient does not appear to support TLSv1.3 well


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: 4.5.3, 4.5.6
    • Fix Version/s: None
    • Component/s: HttpClient (Windows)
    • Labels:
      None
    • Environment:
      Windows

      Description

      1. Set up a clean Apache Tomcat server; in my case I downloaded 8.5.37.
      2. Set up and change the server.xml to set up an HTTPS/TLS 1.3 connector; I have this section:

          <Connector port="8443" protocol="HTTP/1.1" scheme="https" secure="true"
                     maxThreads="150" SSLEnabled="true" >
              <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
              <SSLHostConfig ciphers="TLS_AES_256_GCM_SHA384" protocols="TLSv1.3" sslProtocol="TLS">
                  <Certificate certificateKeystoreFile="conf/.keystore" certificateKeystoreType="jks"/>
              </SSLHostConfig>
          </Connector>

      3. Connect from Chrome or Firefox; I was able to verify that the browser can connect to the server with TLSv1.3 cipher suites.

      4. Use a test program, such as the attached. Update the URL to point to the TLS 1.3 supported server. Run the program and notice the behavior.

      The stacktrace of the Exception:

      javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
          at java.base/sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:526)
          at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:464)
          at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:397)
          at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
          at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
          at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:373)
          at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:394)
          at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
          at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
          at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
          at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
          at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
          at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
          at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
          at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
          at TestHttpClient.makeRequest(TestHttpClient.java:33)
          at TestHttpClient.main(TestHttpClient.java:18)

       

      (Note: I am using Java 11 for both the server and the client, where TLSv1.3 is supported.)
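
To separate a JSSE-level handshake failure from HttpClient behavior in a setup like the one described above, a plain `SSLSocket` probe restricted to TLSv1.3 can be run against the same connector. This is an added example, not the reporter's attached test program or HttpClient code; the class name `Tls13Probe`, the default host `localhost`, and a server certificate trusted by the client JVM are assumptions (port 8443 is taken from the connector in the report).

```java
import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Added diagnostic (hypothetical class name), not part of the original report.
// Assumes the server certificate chains to the JVM's trust store and matches
// the host name; otherwise point -Djavax.net.ssl.trustStore at a suitable store.
public class Tls13Probe {
    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "localhost"; // assumed default
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 8443;

        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            SSLParameters params = socket.getSSLParameters();
            // Offer only TLSv1.3 so a silent fallback to TLSv1.2 cannot mask a failure.
            params.setProtocols(new String[] {"TLSv1.3"});
            // Keep host name verification on, as an HTTPS client would.
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);
            socket.setSoTimeout(10_000);
            try {
                // startHandshake() throws the underlying handshake error.
                // getSession() alone would swallow it and return an invalid
                // session, on which getPeerCertificates() throws
                // SSLPeerUnverifiedException.
                socket.startHandshake();
            } catch (IOException e) {
                System.err.println("Handshake failed: " + e);
                System.exit(1);
            }
            SSLSession session = socket.getSession();
            System.out.println("Protocol:     " + session.getProtocol());
            System.out.println("Cipher suite: " + session.getCipherSuite());
            for (Certificate cert : session.getPeerCertificates()) {
                if (cert instanceof X509Certificate) {
                    System.out.println("Peer subject: "
                            + ((X509Certificate) cert).getSubjectX500Principal());
                }
            }
        }
    }
}
```

Running it with `-Djavax.net.debug=ssl:handshake` prints the full JSSE handshake trace if the one-line failure message is not enough.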

            People

            • Assignee:
              Unassigned
              Reporter:
              fuminzhou@crd.com FUMIN