[HTTPCLIENT-1969] Filter out weak TLS cipher suites in Apache HttpClient - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 4.5.7
Fix Version/s: 4.5.9, 5.0 Beta4
Component/s: HttpClient (classic)
Labels:
None

Description

SSLConnectionSocketFactory filters out insecure SSL protocols if a used didn't explicitly enable them

https://github.com/apache/httpcomponents-client/blob/4.5.x/httpclient/src/main/java/org/apache/http/conn/ssl/SSLConnectionSocketFactory.java#L386

But it doesn't filter out insecure cipher suites which use weak algorithms such as SHA-1, RC4, DES, 3DES, etc. In fact, insecure cipher suites may be blocked by TLS implementation like JSSE if a user uses modern versions of JDK. But if the user doesn't upgrade JDK or the JDK is not supported anymore by the vendor, then it insecure cipher suites may be used for TLS connections. Implementing such a filter for weak TLS cipher suites may be an additional defense-in-depth measure which may help users to use HttpClient in a safe way.

I am attaching a patch (draft) for SSLConnectionSocketFactory which adds such a filtering mechanism. If no objections, I'll finalize it and create a pull request.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

SSLConnectionSocketFactory.java.patch
22/Feb/19 16:13
3 kB
Artem Smotrakov

Issue Links

links to

GitHub Pull Request #140

GitHub Pull Request #142

Activity

People

Assignee:: Unassigned

Reporter:: Artem Smotrakov

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 22/Feb/19 16:14

Updated:: 04/Apr/19 07:04

Resolved:: 04/Apr/19 07:04

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

4h 50m