Discussion:
Problem with TLSv1.2
Jonathan Barbero
2018-05-30 20:58:52 UTC
Hi,

I'm using HttpClient v4.5 over a WebSphere 7 trying to connect to a
TLSv1.2 endpoint.

HttpClient creation code snippet:

import javax.net.ssl.SSLContext;

import org.apache.http.HttpHost;
import org.apache.http.client.config.CookieSpecs;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.conn.DefaultProxyRoutePlanner;
import org.apache.http.ssl.SSLContexts;

// Outbound HTTP proxy (address elided); all routes go through it.
HttpHost proxy = new HttpHost("XX.XX.XX.XX", 8080);
DefaultProxyRoutePlanner routePlanner = new DefaultProxyRoutePlanner(proxy);

// Default JSSE context; the socket factory is meant to restrict the
// handshake to TLSv1.2 (hostname verification is switched off here).
SSLContext sslContext = SSLContexts.createDefault();
SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(
        sslContext, new String[] { "TLSv1.2" }, null,
        NoopHostnameVerifier.INSTANCE);

// connectionTimeout, requestTimeout, getCredentialsProvider() and
// getConnectionManager() are defined elsewhere in the servlet.
CloseableHttpClient httpClient = HttpClients
        .custom()
        .setDefaultRequestConfig(
                RequestConfig.custom()
                        .setConnectionRequestTimeout(connectionTimeout)
                        .setConnectTimeout(connectionTimeout)
                        .setSocketTimeout(requestTimeout)
                        .setCookieSpec(CookieSpecs.IGNORE_COOKIES)
                        .setRedirectsEnabled(false)
                        // .setMaxRedirects(3)
                        .build())
        .setDefaultCredentialsProvider(getCredentialsProvider())
        .setRoutePlanner(routePlanner)
        .setSSLSocketFactory(sslsf)
        .setConnectionManager(getConnectionManager())
        .build();

HttpClient usage:

proxyResponse = httpClient.execute(getTargetHost(servletRequest),
        proxyRequest, connectionContext);


But it fails, and in the logs I see that it's trying to use TLSv1.


17:42:30.401 [WebContainer : 9] DEBUG o.a.h.c.protocol.RequestAddCookies -
CookieSpec selected: ignoreCookies
17:42:30.415 [WebContainer : 9] DEBUG o.a.h.c.protocol.RequestAuthCache -
Auth cache not set in the context
17:42:30.417 [WebContainer : 9] DEBUG
o.a.h.i.c.PoolingHttpClientConnectionManager - Connection request: [route:
{tls}->http://10.0.2.137:8080->https://test.online.org.veraz.com.ar:443][total
kept alive: 0; route allocated: 0 of 20; total allocated: 0 of 20]
17:42:30.465 [WebContainer : 9] DEBUG
o.a.h.i.c.PoolingHttpClientConnectionManager - Connection leased: [id:
0][route: {tls}->http://10.0.2.137:8080-
https://test.online.org.veraz.com.ar:443][total kept alive: 0; route
allocated: 1 of 20; total allocated: 1 of 20]
17:42:30.468 [WebContainer : 9] DEBUG o.a.h.impl.execchain.MainClientExec
- Opening connection {tls}->http://10.0.2.137:8080->
https://test.online.org.veraz.com.ar:443
17:42:30.471 [WebContainer : 9] DEBUG
o.a.h.i.c.DefaultHttpClientConnectionOperator - Connecting to /
10.0.2.137:8080
17:42:30.476 [WebContainer : 9] DEBUG
o.a.h.i.c.DefaultHttpClientConnectionOperator - Connection established
10.7.232.42:48025<->10.0.2.137:8080
17:42:30.480 [WebContainer : 9] DEBUG org.apache.http.headers -
http-outgoing-0 >> CONNECT test.online.org.veraz.com.ar:443 HTTP/1.1
17:42:30.481 [WebContainer : 9] DEBUG org.apache.http.headers -
http-outgoing-0 >> Host: test.online.org.veraz.com.ar
17:42:30.481 [WebContainer : 9] DEBUG org.apache.http.headers -
http-outgoing-0 >> User-Agent: Apache-HttpClient/4.5 (Java/1.6.0)
17:42:30.481 [WebContainer : 9] DEBUG org.apache.http.wire -
http-outgoing-0 >> "CONNECT test.online.org.veraz.com.ar:443
HTTP/1.1[\r][\n]"
17:42:30.481 [WebContainer : 9] DEBUG org.apache.http.wire -
http-outgoing-0 >> "Host: test.online.org.veraz.com.ar[\r][\n]"
17:42:30.481 [WebContainer : 9] DEBUG org.apache.http.wire -
http-outgoing-0 >> "User-Agent: Apache-HttpClient/4.5 (Java/1.6.0)[\r][\n]"
17:42:30.481 [WebContainer : 9] DEBUG org.apache.http.wire -
http-outgoing-0 >> "[\r][\n]"
17:42:30.690 [WebContainer : 9] DEBUG org.apache.http.wire -
http-outgoing-0 << "HTTP/1.1 200 Connection established[\r][\n]"
17:42:30.690 [WebContainer : 9] DEBUG org.apache.http.wire -
http-outgoing-0 << "[\r][\n]"
17:42:30.696 [WebContainer : 9] DEBUG org.apache.http.headers -
http-outgoing-0 << HTTP/1.1 200 Connection established
17:42:30.700 [WebContainer : 9] DEBUG o.a.h.impl.execchain.MainClientExec
- Tunnel to target created.
17:42:30.702 [WebContainer : 9] DEBUG o.a.h.c.s.SSLConnectionSocketFactory
- *Enabled protocols: [TLSv1]*
17:42:30.702 [WebContainer : 9] DEBUG o.a.h.c.s.SSLConnectionSocketFactory
- Enabled cipher suites:[SSL_RSA_WITH_RC4_128_MD5,
SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_AES_128_CBC_SHA,
SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_AES_128_CBC_SHA,
SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_DSS_WITH_RC4_128_SHA, SSL_RSA_WITH_DES_CBC_SHA,
SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA,
SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5,
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
17:42:30.702 [WebContainer : 9] DEBUG o.a.h.c.s.SSLConnectionSocketFactory
- Starting handshake
17:42:30.857 [WebContainer : 9] DEBUG
o.a.h.i.c.DefaultManagedHttpClientConnection - http-outgoing-0: Shutdown
connection
17:42:30.858 [WebContainer : 9] DEBUG o.a.h.impl.execchain.MainClientExec
- Connection discarded
17:42:30.858 [WebContainer : 9] DEBUG
o.a.h.i.c.DefaultManagedHttpClientConnection - http-outgoing-0: Close
connection
17:42:30.858 [WebContainer : 9] DEBUG
o.a.h.i.c.PoolingHttpClientConnectionManager - Connection released: [id:
0][route: {tls}->http://10.0.2.137:8080-
https://test.online.org.veraz.com.ar:443][total kept alive: 0; route
allocated: 0 of 20; total allocated: 0 of 20]

javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at com.ibm.jsse2.o.a(o.java:22)
at com.ibm.jsse2.o.a(o.java:34)
at com.ibm.jsse2.SSLSocketImpl.b(SSLSocketImpl.java:378)
at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:479)
at com.ibm.jsse2.SSLSocketImpl.h(SSLSocketImpl.java:437)
at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:142)
at
com.ibm.jsse2.SSLSocketImpl.startHandshake(SSLSocketImpl.java:686)
at
org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394)
at
org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.upgrade(DefaultHttpClientConnectionOperator.java:185)
at
org.apache.http.impl.conn.PoolingHttpClientConnectionManager.upgrade(PoolingHttpClientConnectionManager.java:369)
at
org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:415)
at
org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
at
org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
at
org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
at
org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
at
org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
at
org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:71)
at
org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
at
ar.com.bna.fu.proxy.proxy.ProxyServlet.service(ProxyServlet.java:358)


What am I doing wrong?

Thanks in advance,
Jonathan.
Oleg Kalnichevski
2018-05-31 09:17:16 UTC
> I'm using HttpClient v4.5 over a WebSphere 7 trying to connect to a
> TLSv1.2 endpoint.
> [...]
>         .setRoutePlanner(routePlanner).setSSLSocketFactory(sslsf)
>         .setConnectionManager(getConnectionManager()).build();
Jonathan

The parameter set with #setSSLSocketFactory has no effect because it
gets overwritten by #setConnectionManager. Either configure the
connection manager to use the socket factory in question or let
HttpClientBuilder create a connection manager internally.

Oleg
---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-***@hc.apache.org
For additional commands, e-mail: httpclient-users-***@hc.apache.org
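The two alternatives Oleg describes, as an added example (not code from the original post or from the HttpClient project): either build the PoolingHttpClientConnectionManager from a socket-factory registry that carries the TLSv1.2 SSLConnectionSocketFactory, or drop setConnectionManager() and let HttpClientBuilder wrap the factory itself. It also checks up front that the JVM can negotiate TLSv1.2 at all, since the log shows Java 1.6 and an IBM JSSE. The proxy host name and pool sizes are placeholders; the example keeps HttpClient's default hostname verifier instead of NoopHostnameVerifier, which disables hostname checking of the server certificate. Cipher suites are left at the JVM default; the third constructor argument of SSLConnectionSocketFactory is where a list of acceptable suites would go.

```java
import java.util.Arrays;

import javax.net.ssl.SSLContext;

import org.apache.http.HttpHost;
import org.apache.http.config.Registry;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.conn.socket.ConnectionSocketFactory;
import org.apache.http.conn.socket.PlainConnectionSocketFactory;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.conn.DefaultProxyRoutePlanner;
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
import org.apache.http.ssl.SSLContexts;

public class Tls12ClientFactory {

    /** Fail fast if the runtime JSSE provider cannot speak TLSv1.2 at all. */
    static void requireTls12Support() throws Exception {
        String[] supported = SSLContext.getDefault()
                .getSupportedSSLParameters().getProtocols();
        if (!Arrays.asList(supported).contains("TLSv1.2")) {
            throw new IllegalStateException(
                    "JVM does not support TLSv1.2; supported: " + Arrays.toString(supported));
        }
    }

    /** TLSv1.2-only factory with the default (strict) hostname verifier. */
    static SSLConnectionSocketFactory tls12SocketFactory() throws Exception {
        SSLContext sslContext = SSLContexts.createDefault();
        return new SSLConnectionSocketFactory(
                sslContext,
                new String[] { "TLSv1.2" },   // enabled protocols
                null,                          // cipher suites: JVM default
                SSLConnectionSocketFactory.getDefaultHostnameVerifier());
    }

    /** Option 1: explicit connection manager whose registry carries the TLSv1.2 factory. */
    static CloseableHttpClient withExplicitConnectionManager(HttpHost proxy) throws Exception {
        requireTls12Support();
        Registry<ConnectionSocketFactory> registry =
                RegistryBuilder.<ConnectionSocketFactory>create()
                        .register("http", PlainConnectionSocketFactory.getSocketFactory())
                        .register("https", tls12SocketFactory())
                        .build();
        PoolingHttpClientConnectionManager cm =
                new PoolingHttpClientConnectionManager(registry);
        cm.setMaxTotal(20);            // placeholder pool sizes
        cm.setDefaultMaxPerRoute(20);
        return HttpClients.custom()
                .setRoutePlanner(new DefaultProxyRoutePlanner(proxy))
                // The manager's registry now decides which factory handles "https";
                // a setSSLSocketFactory() call here would be ignored.
                .setConnectionManager(cm)
                .build();
    }

    /** Option 2: no setConnectionManager(); the builder creates the pool around the factory. */
    static CloseableHttpClient withBuilderManagedPool(HttpHost proxy) throws Exception {
        requireTls12Support();
        return HttpClients.custom()
                .setRoutePlanner(new DefaultProxyRoutePlanner(proxy))
                .setSSLSocketFactory(tls12SocketFactory())
                .setMaxConnTotal(20)           // placeholder pool sizes
                .setMaxConnPerRoute(20)
                .build();
    }

    public static void main(String[] args) throws Exception {
        // Placeholder proxy address (assumption, not the original's).
        HttpHost proxy = new HttpHost("proxy.example.invalid", 8080);
        CloseableHttpClient client = withExplicitConnectionManager(proxy);
        client.close();
    }
}
```

With either option the "Enabled protocols" debug line from SSLConnectionSocketFactory should list TLSv1.2 only; if requireTls12Support() throws instead, the JVM itself is the limiting factor and no HttpClient configuration will change the handshake.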