HttpComponents HttpClient / HTTPCLIENT-1969

Filter out weak TLS cipher suites in Apache HttpClient

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 4.5.7
    • Fix Version/s: 4.5.9, 5.0 Beta4
    • Component/s: HttpClient (classic)
    • Labels: None

    Description

    SSLConnectionSocketFactory filters out insecure SSL protocols if a user didn't explicitly enable them

    https://github.com/apache/httpcomponents-client/blob/4.5.x/httpclient/src/main/java/org/apache/http/conn/ssl/SSLConnectionSocketFactory.java#L386

    But it doesn't filter out insecure cipher suites which use weak algorithms such as SHA-1, RC4, DES, 3DES, etc. In fact, insecure cipher suites may be blocked by a TLS implementation like JSSE if a user uses modern versions of the JDK. But if the user doesn't upgrade the JDK, or the JDK is not supported anymore by the vendor, then insecure cipher suites may be used for TLS connections. Implementing such a filter for weak TLS cipher suites may be an additional defense-in-depth measure which may help users to use HttpClient in a safe way.

    I am attaching a patch (draft) for SSLConnectionSocketFactory which adds such a filtering mechanism. If no objections, I'll finalize it and create a pull request.
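As an added illustration of the proposed filter (not the reporter's attached patch or the project's own code), the following builds a 4.5.x client whose TLS sockets only offer cipher suites that survive a weak-algorithm name filter, then applies that filter to a constructed sample list. The regular expression, the class name and the sample suite names are this example's own assumptions.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import javax.net.ssl.SSLContext;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;

public class StrongCipherSuites {
    // Matches suite names built on the algorithms the issue calls weak (RC4, DES, 3DES,
    // SHA-1/MD5 MACs) plus NULL, anonymous and export families. Illustrative pattern only.
    private static final Pattern WEAK_SUITE = Pattern.compile(
            ".*_(NULL|anon|EXPORT|RC4|DES|3DES|DES40)_.*|.*_(MD5|SHA)");

    // Returns only the suites that do not match the weak-suite pattern.
    static String[] filterWeakCipherSuites(String[] suites) {
        List<String> strong = new ArrayList<String>();
        for (String suite : suites) {
            if (!WEAK_SUITE.matcher(suite).matches()) {
                strong.add(suite);
            }
        }
        return strong.toArray(new String[0]);
    }

    // Builds a client whose TLS sockets offer only the filtered suites on TLSv1.2.
    static CloseableHttpClient buildClient() {
        SSLContext sslContext = SSLContexts.createDefault();
        // Start from what this JDK enables by default, then drop the weak ones;
        // passing null as supportedCipherSuites would leave the JDK's list untouched.
        String[] strongSuites = filterWeakCipherSuites(
                sslContext.getSocketFactory().getDefaultCipherSuites());
        SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(
                sslContext,
                new String[] {"TLSv1.2"},   // older JDKs reject unknown protocol names
                strongSuites,
                SSLConnectionSocketFactory.getDefaultHostnameVerifier());
        return HttpClients.custom().setSSLSocketFactory(sslsf).build();
    }

    public static void main(String[] args) {
        // Constructed sample of suite names a JDK might report as enabled.
        String[] sample = {"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
                "SSL_RSA_WITH_RC4_128_MD5", "TLS_DH_anon_WITH_AES_128_CBC_SHA256"};
        for (String suite : filterWeakCipherSuites(sample)) {
            System.out.println(suite);
        }
    }
}
```

If the filter leaves the list empty on a given JDK, the constructor's call to setEnabledCipherSuites will fail the handshake, so log the surviving list at startup rather than assuming the defaults contain a modern suite.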


    People

    • Assignee: Unassigned
    • Reporter: Artem Smotrakov (asmotrakov)
