HttpClientBuilder is using TLSv1.2 instead of TLSv1

Question

Following is the code for creating Httpclient.

        client =
            HttpClients.custom().setConnectionManager(connManager).setDefaultCredentialsProvider(provider)
                .setDefaultRequestConfig(config).setSslcontext(SSLContexts.custom().useProtocol("TLSv1").build()).build();

But, whenever resttemplate based on this client intiates a SSL handshake, it happens in TLSv1.2. Following is SSL debug log on client side.

*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1431720225 bytes = { 14, 133, 24, 60, 189, 198, 176, 35, 186, 71, 229, 4, 43, 213, 142, 236, 141, 14, 104, 83, 202, 72, 243, 74, 244, 170, 247, 15 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
Extension server_name, server_name: [host_name: dev.*****.com]
***
main, WRITE: TLSv1.2 Handshake, length = 216
main, received EOFException: error
main, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
main, SEND TLSv1 ALERT:  fatal, description = handshake_failure
main, WRITE: TLSv1 Alert, length = 2
main, called closeSocket()

The server is running on JDK5 and TLSv1.2 is not possible.

Can anyone please shed light on why useProtocol("TLSv1") is being ingnored?

Similar question has already been asked in https://stackoverflow.com/questions/28619942/how-to-force-httpclient-4-3-to-use-the-tlsv1-and-not-the-tlsv1-2, but not answered.

Thanks.

Answer 1

Not beeing a Java expert, but this is what I get from the documentation:

• "TLSv1" is the protocol group which includes TLS 1.0, TLS 1.1 and TLS 1.2.
• to restrict yourself to only TLS 1.0 you have to disable TLS 1.1 and TLS 1.2, see https://blogs.oracle.com/java-platform-group/entry/java_8_will_use_tls

Edit: SSLv23 does not seem to be supported by Java Apart from that try to use SSLv23 instead of TLSv1 for handshake. If the server does not support this most compatible handshake it is just buggy.