1

We are using the below code to construct the HTTP client socket factory:

    // Build an SSLContext, then re-initialise it with a trust-all manager (helper not shown here)
    SSLContext sslContext = new SSLContextBuilder().build();
    sslContext.init(null, getTrustAllCertsManager(), new java.security.SecureRandom());
    // Hostname verification is switched off by the ALLOW_ALL verifier
    final SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(sslContext, SSLConnectionSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
    sslsf.createSocket(null);

The version of HttpClient is 4.5.1. As I am very new to this, and one of our clients is migrating to TLSv1.2 and will not support TLSv1.0, how can I ensure that the above code will support TLSv1.1 and TLSv1.2? If I go through the code, the default protocol is TLS and we are not passing any parameter like TLSv1.1 or TLSv1.2. Where are these protocol settings driven from? And if I need to change the code to support TLSv1.1 and TLSv1.2 and stop supporting TLSv1.0, what changes do I need to make in my code? Thanks.

Bhaskar
  • For Java 8 and up, do nothing (the default does 1.2). For free versions of Oracle Java 7, see https://stackoverflow.com/questions/28391798/how-to-set-tls-version-on-apache-httpclient and https://stackoverflow.com/questions/43772426/java-apache-httpclient-tlsv1-2-openjdk-7 . For paid versions of Java 7 or 6, or the corresponding (late) OpenJDK versions, check the release notes or post the exact version. – dave_thompson_085 May 10 '18 at 17:25
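An added example, not code from the question or from any of the answers, of the change the question asks about: in HttpClient 4.5 the `SSLConnectionSocketFactory` constructor takes an explicit `supportedProtocols` array, which it applies with `setEnabledProtocols` on each socket it layers, so listing only TLSv1.1 and TLSv1.2 leaves TLSv1.0 out of the ClientHello. It assumes the JRE default trust store and `DefaultHostnameVerifier` in place of the question's trust-all setup, and the URL in `main` is a placeholder.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.protocol.HttpClientContext;
import org.apache.http.conn.ManagedHttpClientConnection;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;

public class Tls12OnlyClient {
    // Versions the factory enables on every socket it layers; TLSv1 (1.0) is deliberately absent.
    static final String[] ALLOWED_PROTOCOLS = {"TLSv1.1", "TLSv1.2"};

    static SSLConnectionSocketFactory restrictedSocketFactory() {
        SSLContext sslContext = SSLContexts.createDefault(); // JRE default trust store
        return new SSLConnectionSocketFactory(
                sslContext,
                ALLOWED_PROTOCOLS,              // supportedProtocols: replaces the JRE's enabled set
                null,                           // supportedCipherSuites: keep the JRE defaults
                new DefaultHostnameVerifier()); // certificate must match the requested host name
    }

    // Returns the protocol version actually negotiated for one request (what the debug logs show).
    static String negotiatedProtocol(String url) throws Exception {
        CloseableHttpClient client = HttpClients.custom()
                .setSSLSocketFactory(restrictedSocketFactory())
                .build();
        HttpClientContext context = HttpClientContext.create();
        try (CloseableHttpResponse response = client.execute(new HttpGet(url), context)) {
            // The connection is still leased while the response is open, so its session is readable.
            ManagedHttpClientConnection conn = context.getConnection(ManagedHttpClientConnection.class);
            SSLSession session = conn.getSSLSession();
            return session == null ? "plain" : session.getProtocol(); // e.g. "TLSv1.2"
        } finally {
            client.close();
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder URL; a server that only speaks TLSv1.0 fails the handshake here
        // (SSLHandshakeException) instead of silently negotiating the old version.
        System.out.println("negotiated: " + negotiatedProtocol("https://httpbin.org/get"));
    }
}
```

With the factory built this way, the `Enabled protocols:` line in HttpClient's debug log lists only the two versions passed in rather than the JRE default set.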

3 Answers

3

In addition to the answer suggested by oleg, we can add "-Djavax.net.debug=all" to java_opts, which will result in printing all the socket logs along with the protocol version. It will print a lot of details within which you can find the relevant ones; in my case, I found the protocol details in the logs below.

    READ: TLSv1.1 Handshake
    WRITE: TLSv1.1 Handshake

Bhaskar
2

HttpClient context logging will provide a fair amount of SSL session details.

    [DEBUG] MainClientExec - Opening connection {s}->https://httpbin.org:443
    [DEBUG] DefaultHttpClientConnectionOperator - Connecting to httpbin.org/52.1.117.85:443
    [DEBUG] SSLConnectionSocketFactory - Connecting socket to httpbin.org/52.1.117.85:443 with timeout 0
    [DEBUG] SSLConnectionSocketFactory - Enabled protocols: [TLSv1, TLSv1.1, TLSv1.2]
    [DEBUG] SSLConnectionSocketFactory - Enabled cipher suites:[TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
    [DEBUG] SSLConnectionSocketFactory - Starting handshake
    [DEBUG] SSLConnectionSocketFactory - Secure session established
    [DEBUG] SSLConnectionSocketFactory -  negotiated protocol: TLSv1.2
    [DEBUG] SSLConnectionSocketFactory -  negotiated cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    [DEBUG] SSLConnectionSocketFactory -  peer principal: CN=httpbin.org
    [DEBUG] SSLConnectionSocketFactory -  peer alternative names: [httpbin.org, www.httpbin.org]
    [DEBUG] SSLConnectionSocketFactory -  issuer principal: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
    [DEBUG] DefaultHttpClientConnectionOperator - Connection established 192.168.43.64:58742<->52.1.117.85:443

Please also note that as of version 4.4 HttpClient disables SSLv3 and older SSL protocol versions by default.

ok2c
  • Thanks @oleg. Additionally I found another way to get the details, which is to use "-Djavax.net.debug=all" in the Java opts. It will print all socket and client/server handshake details. – Bhaskar May 17 '18 at 05:28
  • That certainly works, but full SSL session debug mode tends to produce a lot of output that some might find too difficult to parse. HttpClient provides just the most important bits about the SSL session. – ok2c May 17 '18 at 08:49
0

To debug the SSL handshake and show the TLS version, set the "javax.net.debug" property to all.

For example, one can check the logs by setting this property in the main method before making any HTTP call. All information will be printed on the console.

    public static void main(String[] args) {
        System.setProperty("javax.net.debug", "all"); // must be set before the first TLS handshake
        anyHttpClient.function(); // here anyHttpClient can be a RestTemplate or any other HTTP client
    }

After running the main method you can see the printed logs, like the ones below.

[screenshot of the console output]

Waqas Ahmed