0

I looked at the Apache HttpClient 3.1 documentation at http://hc.apache.org/httpclient-3.x/sslguide.html, and know that it comes out of box with HTTP over SSL. I'm trying to configure the client so that it uses TLS for servers that no longer support SSL but still maintain compatibility with ones that use SSL. Has anyone done this? Is it even possible?

If it helps, a solution to configure the client to use TLS is presented here: How to force Commons HTTPClient 3.1 to use TLS 1.2 only for HTTPS?

I am not able to upgrade to a more recent version of HttpClient at this time.

spinyBabbler
  • 392
  • 5
  • 19
  • Did you find any solution about this ? – Gerti Ozuni Nov 11 '18 at 18:48
  • 1
    As stated by the documentation you're referring to, Apache HttpClient 3.1 relies on Java JSSE and your SSL/TLS behavior will be inherited by your Java version. SSL 3.0 and its successors (TLS) were designed to provide as much compatibility as possible and you probably have nothing to do but choose the adequate Java version. Read the Java release notes to see what is supported with which version, if you can't find I'll try to find this info. – Eugène Adell Nov 11 '18 at 20:24
  • 1
    Thank you @EugèneAdell. I wasn't sure if that's what it meant. Yes, then I believe I don't need to do anything special. I found the SSL/TLS versions supported here: https://blogs.oracle.com/java-platform-group/diagnosing-tls,-ssl,-and-https – spinyBabbler Nov 12 '18 at 13:47
  • 1
    However, for the sake of completeness of answer for anyone who looks at this. It seems that SSLv3.0 was disabled by default from Jan 2015 onwards because of security vulnerabilities as stated here: http://www.ateam-oracle.com/tls-and-java/ – spinyBabbler Nov 12 '18 at 13:53
  • @ChiefNish good job. You can also get some problems when using (or not) some TLS extensions. Considering the SSL/TLS version is not always enough, but it's a good start. – Eugène Adell Nov 12 '18 at 14:56

0 Answers0