如何在 apache HttpClient 上设置 TLS 版本
How to set TLS version on apache HttpClient
如何更改我的 HttpClient 上支持的 TLS 版本?
我在做:
SSLContext sslContext = SSLContext.getInstance("TLSv1.1");
sslContext.init(
keymanagers.toArray(new KeyManager[keymanagers.size()]),
null,
null);
SSLSocketFactory socketFactory = new SSLSocketFactory(sslContext, new String[]{"TLSv1.1"}, null, null);
Scheme scheme = new Scheme("https", 443, socketFactory);
SchemeRegistry schemeRegistry = new SchemeRegistry();
schemeRegistry.register(scheme);
BasicClientConnectionManager cm = new BasicClientConnectionManager(schemeRegistry);
httpClient = new DefaultHttpClient(cm);
但是当我检查创建的套接字时,它仍然说支持的协议是 TLSv1.0、TLSv1.1 和 TLSv1.2。
实际上我只是希望它停止使用 TLSv1.2,对于这个特定的 HttpClient。
解决方法是:
SSLContext sslContext = SSLContexts.custom()
.useTLS()
.build();
SSLConnectionSocketFactory f = new SSLConnectionSocketFactory(
sslContext,
new String[]{"TLSv1", "TLSv1.1"},
null,
BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
httpClient = HttpClients.custom()
.setSSLSocketFactory(f)
.build();
不过这需要 org.apache.httpcomponents.httpclient 4.3.x。
这就是我在 httpClient 4.5 上运行它的方式(根据 Olive Tree 的要求):
CredentialsProvider credsProvider = new BasicCredentialsProvider();
credsProvider.setCredentials(
new AuthScope(AuthScope.ANY_HOST, 443),
new UsernamePasswordCredentials(this.user, this.password));
SSLContext sslContext = SSLContexts.createDefault();
SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(sslContext,
new String[]{"TLSv1", "TLSv1.1"},
null,
new NoopHostnameVerifier());
CloseableHttpClient httpclient = HttpClients.custom()
.setDefaultCredentialsProvider(credsProvider)
.setSSLSocketFactory(sslsf)
.build();
return httpclient;
如果您使用的是 httpclient 4.2,那么您需要编写一些额外的代码。我希望能够自定义 "TLS enabled protocols"(例如 TLSv1.1,而不是 TLSv1 和 TLSv1.2)以及 cipher suites.
public class CustomizedSSLSocketFactory
extends SSLSocketFactory
{
private String[] _tlsProtocols;
private String[] _tlsCipherSuites;
public CustomizedSSLSocketFactory(SSLContext sslContext,
X509HostnameVerifier hostnameVerifier,
String[] tlsProtocols,
String[] cipherSuites)
{
super(sslContext, hostnameVerifier);
if(null != tlsProtocols)
_tlsProtocols = tlsProtocols;
if(null != cipherSuites)
_tlsCipherSuites = cipherSuites;
}
@Override
protected void prepareSocket(SSLSocket socket)
{
// Enforce client-specified protocols or cipher suites
if(null != _tlsProtocols)
socket.setEnabledProtocols(_tlsProtocols);
if(null != _tlsCipherSuites)
socket.setEnabledCipherSuites(_tlsCipherSuites);
}
}
然后:
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, getTrustManagers(), new SecureRandom());
// NOTE: not javax.net.SSLSocketFactory
SSLSocketFactory sf = new CustomizedSSLSocketFactory(sslContext,
null,
[TLS protocols],
[TLS cipher suites]);
Scheme httpsScheme = new Scheme("https", 443, sf);
SchemeRegistry schemeRegistry = new SchemeRegistry();
schemeRegistry.register(httpsScheme);
ConnectionManager cm = new BasicClientConnectionManager(schemeRegistry);
HttpClient client = new DefaultHttpClient(cmgr);
...
您也许可以使用稍微少一些的代码来完成此操作,但我主要 copy/pasted 来自自定义组件,在该组件中以上述方式构建对象是有意义的。
如果你有 javax.net.ssl.SSLSocket class reference in your code, you can set the enabled TLS protocols by a call to SSLSocket.setEnabledProtocols():
import javax.net.ssl.*;
import java.net.*;
...
Socket socket = SSLSocketFactory.getDefault().createSocket();
...
if (socket instanceof SSLSocket) {
// "TLSv1.0" gives IllegalArgumentException in Java 8
String[] protos = {"TLSv1.2", "TLSv1.1"}
((SSLSocket)socket).setEnabledProtocols(protos);
}
HttpClient-4.5,使用TLSv1.2,您必须这样编码:
//Set the https use TLSv1.2
private static Registry<ConnectionSocketFactory> getRegistry() throws KeyManagementException, NoSuchAlgorithmException {
SSLContext sslContext = SSLContexts.custom().build();
SSLConnectionSocketFactory sslConnectionSocketFactory = new SSLConnectionSocketFactory(sslContext,
new String[]{"TLSv1.2"}, null, SSLConnectionSocketFactory.getDefaultHostnameVerifier());
return RegistryBuilder.<ConnectionSocketFactory>create()
.register("http", PlainConnectionSocketFactory.getSocketFactory())
.register("https", sslConnectionSocketFactory)
.build();
}
public static void main(String... args) {
try {
//Set the https use TLSv1.2
PoolingHttpClientConnectionManager clientConnectionManager = new PoolingHttpClientConnectionManager(getRegistry());
clientConnectionManager.setMaxTotal(100);
clientConnectionManager.setDefaultMaxPerRoute(20);
HttpClient client = HttpClients.custom().setConnectionManager(clientConnectionManager).build();
//Then you can do : client.execute(HttpGet or HttpPost);
} catch (KeyManagementException | NoSuchAlgorithmException e) {
e.printStackTrace();
}
}
对于使用 TLSv1.2 的 HttpClient-4.1,代码将如下所示:
SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
sslContext.init(null, null, new SecureRandom());
SSLSocketFactory sf = new SSLSocketFactory(sslContext);
Scheme httpsScheme = new Scheme("https", 443, sf);
SchemeRegistry schemeRegistry = new SchemeRegistry();
schemeRegistry.register(httpsScheme);
ClientConnectionManager cm = new SingleClientConnManager(schemeRegistry);
HttpClient client = new DefaultHttpClient(cm);
// Use client to make the connection and get the results.
您只需在服务器上指定以下 属性 -Dhttps.protocols=TLSv1.1,TLSv1.2 即可配置 JVM 以指定在所有 https 连接期间应使用哪个 TLS 协议版本来自客户
在 HttpClient 4.5.x 中使用 HttpClientBuilder 和自定义 HttpClientConnectionManager,默认值为 HttpClientBuilder:
SSLConnectionSocketFactory sslConnectionSocketFactory =
new SSLConnectionSocketFactory(SSLContexts.createDefault(),
new String[] { "TLSv1.2" },
null,
SSLConnectionSocketFactory.getDefaultHostnameVerifier());
PoolingHttpClientConnectionManager poolingHttpClientConnectionManager =
new PoolingHttpClientConnectionManager(
RegistryBuilder.<ConnectionSocketFactory> create()
.register("http",
PlainConnectionSocketFactory.getSocketFactory())
.register("https",
sslConnectionSocketFactory)
.build());
// Customize the connection pool
CloseableHttpClient httpClient = HttpClientBuilder.create()
.setConnectionManager(poolingHttpClientConnectionManager)
.build()
没有自定义 HttpClientConnectionManager :
SSLConnectionSocketFactory sslConnectionSocketFactory =
new SSLConnectionSocketFactory(SSLContexts.createDefault(),
new String[] { "TLSv1.2" },
null,
SSLConnectionSocketFactory.getDefaultHostnameVerifier());
CloseableHttpClient httpClient = HttpClientBuilder.create()
.setSSLSocketFactory(sslConnectionSocketFactory)
.build()
使用 -Dhttps.protocols=TLSv1.2 JVM 参数对我不起作用。有效的是以下代码
RequestConfig.Builder requestBuilder = RequestConfig.custom();
//other configuration, for example
requestBuilder = requestBuilder.setConnectTimeout(1000);
SSLContext sslContext = SSLContextBuilder.create().useProtocol("TLSv1.2").build();
HttpClientBuilder builder = HttpClientBuilder.create();
builder.setDefaultRequestConfig(requestBuilder.build());
builder.setProxy(new HttpHost("your.proxy.com", 3333)); //if you have proxy
builder.setSSLContext(sslContext);
HttpClient client = builder.build();
使用以下 JVM 参数进行验证
-Djavax.net.debug=all
由于这只隐藏在评论中,很难找到解决方案:
您可以使用java -Dhttps.protocols=TLSv1,TLSv1.1,但您还需要使用useSystemProperties()
client = HttpClientBuilder.create().useSystemProperties();
我们现在在我们的系统中使用这个设置,因为这使我们能够仅为代码的某些使用设置它。
在我们的例子中,我们仍然有一些 Java 7 运行 和一个 API 端点不允许 TLSv1,
所以我们使用 java -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 来启用当前的 TLS 版本。
感谢@jebeaudet 指出这个方向。
如何更改我的 HttpClient 上支持的 TLS 版本?
我在做:
SSLContext sslContext = SSLContext.getInstance("TLSv1.1");
sslContext.init(
keymanagers.toArray(new KeyManager[keymanagers.size()]),
null,
null);
SSLSocketFactory socketFactory = new SSLSocketFactory(sslContext, new String[]{"TLSv1.1"}, null, null);
Scheme scheme = new Scheme("https", 443, socketFactory);
SchemeRegistry schemeRegistry = new SchemeRegistry();
schemeRegistry.register(scheme);
BasicClientConnectionManager cm = new BasicClientConnectionManager(schemeRegistry);
httpClient = new DefaultHttpClient(cm);
但是当我检查创建的套接字时,它仍然说支持的协议是 TLSv1.0、TLSv1.1 和 TLSv1.2。
实际上我只是希望它停止使用 TLSv1.2,对于这个特定的 HttpClient。
解决方法是:
SSLContext sslContext = SSLContexts.custom()
.useTLS()
.build();
SSLConnectionSocketFactory f = new SSLConnectionSocketFactory(
sslContext,
new String[]{"TLSv1", "TLSv1.1"},
null,
BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
httpClient = HttpClients.custom()
.setSSLSocketFactory(f)
.build();
不过这需要 org.apache.httpcomponents.httpclient 4.3.x。
这就是我在 httpClient 4.5 上运行它的方式(根据 Olive Tree 的要求):
CredentialsProvider credsProvider = new BasicCredentialsProvider();
credsProvider.setCredentials(
new AuthScope(AuthScope.ANY_HOST, 443),
new UsernamePasswordCredentials(this.user, this.password));
SSLContext sslContext = SSLContexts.createDefault();
SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(sslContext,
new String[]{"TLSv1", "TLSv1.1"},
null,
new NoopHostnameVerifier());
CloseableHttpClient httpclient = HttpClients.custom()
.setDefaultCredentialsProvider(credsProvider)
.setSSLSocketFactory(sslsf)
.build();
return httpclient;
如果您使用的是 httpclient 4.2,那么您需要编写一些额外的代码。我希望能够自定义 "TLS enabled protocols"(例如 TLSv1.1,而不是 TLSv1 和 TLSv1.2)以及 cipher suites.
public class CustomizedSSLSocketFactory
extends SSLSocketFactory
{
private String[] _tlsProtocols;
private String[] _tlsCipherSuites;
public CustomizedSSLSocketFactory(SSLContext sslContext,
X509HostnameVerifier hostnameVerifier,
String[] tlsProtocols,
String[] cipherSuites)
{
super(sslContext, hostnameVerifier);
if(null != tlsProtocols)
_tlsProtocols = tlsProtocols;
if(null != cipherSuites)
_tlsCipherSuites = cipherSuites;
}
@Override
protected void prepareSocket(SSLSocket socket)
{
// Enforce client-specified protocols or cipher suites
if(null != _tlsProtocols)
socket.setEnabledProtocols(_tlsProtocols);
if(null != _tlsCipherSuites)
socket.setEnabledCipherSuites(_tlsCipherSuites);
}
}
然后:
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, getTrustManagers(), new SecureRandom());
// NOTE: not javax.net.SSLSocketFactory
SSLSocketFactory sf = new CustomizedSSLSocketFactory(sslContext,
null,
[TLS protocols],
[TLS cipher suites]);
Scheme httpsScheme = new Scheme("https", 443, sf);
SchemeRegistry schemeRegistry = new SchemeRegistry();
schemeRegistry.register(httpsScheme);
ConnectionManager cm = new BasicClientConnectionManager(schemeRegistry);
HttpClient client = new DefaultHttpClient(cmgr);
...
您也许可以使用稍微少一些的代码来完成此操作,但我主要 copy/pasted 来自自定义组件,在该组件中以上述方式构建对象是有意义的。
如果你有 javax.net.ssl.SSLSocket class reference in your code, you can set the enabled TLS protocols by a call to SSLSocket.setEnabledProtocols():
import javax.net.ssl.*;
import java.net.*;
...
Socket socket = SSLSocketFactory.getDefault().createSocket();
...
if (socket instanceof SSLSocket) {
// "TLSv1.0" gives IllegalArgumentException in Java 8
String[] protos = {"TLSv1.2", "TLSv1.1"}
((SSLSocket)socket).setEnabledProtocols(protos);
}
HttpClient-4.5,使用TLSv1.2,您必须这样编码:
//Set the https use TLSv1.2
private static Registry<ConnectionSocketFactory> getRegistry() throws KeyManagementException, NoSuchAlgorithmException {
SSLContext sslContext = SSLContexts.custom().build();
SSLConnectionSocketFactory sslConnectionSocketFactory = new SSLConnectionSocketFactory(sslContext,
new String[]{"TLSv1.2"}, null, SSLConnectionSocketFactory.getDefaultHostnameVerifier());
return RegistryBuilder.<ConnectionSocketFactory>create()
.register("http", PlainConnectionSocketFactory.getSocketFactory())
.register("https", sslConnectionSocketFactory)
.build();
}
public static void main(String... args) {
try {
//Set the https use TLSv1.2
PoolingHttpClientConnectionManager clientConnectionManager = new PoolingHttpClientConnectionManager(getRegistry());
clientConnectionManager.setMaxTotal(100);
clientConnectionManager.setDefaultMaxPerRoute(20);
HttpClient client = HttpClients.custom().setConnectionManager(clientConnectionManager).build();
//Then you can do : client.execute(HttpGet or HttpPost);
} catch (KeyManagementException | NoSuchAlgorithmException e) {
e.printStackTrace();
}
}
对于使用 TLSv1.2 的 HttpClient-4.1,代码将如下所示:
SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
sslContext.init(null, null, new SecureRandom());
SSLSocketFactory sf = new SSLSocketFactory(sslContext);
Scheme httpsScheme = new Scheme("https", 443, sf);
SchemeRegistry schemeRegistry = new SchemeRegistry();
schemeRegistry.register(httpsScheme);
ClientConnectionManager cm = new SingleClientConnManager(schemeRegistry);
HttpClient client = new DefaultHttpClient(cm);
// Use client to make the connection and get the results.
您只需在服务器上指定以下 属性 -Dhttps.protocols=TLSv1.1,TLSv1.2 即可配置 JVM 以指定在所有 https 连接期间应使用哪个 TLS 协议版本来自客户
在 HttpClient 4.5.x 中使用 HttpClientBuilder 和自定义 HttpClientConnectionManager,默认值为 HttpClientBuilder:
SSLConnectionSocketFactory sslConnectionSocketFactory =
new SSLConnectionSocketFactory(SSLContexts.createDefault(),
new String[] { "TLSv1.2" },
null,
SSLConnectionSocketFactory.getDefaultHostnameVerifier());
PoolingHttpClientConnectionManager poolingHttpClientConnectionManager =
new PoolingHttpClientConnectionManager(
RegistryBuilder.<ConnectionSocketFactory> create()
.register("http",
PlainConnectionSocketFactory.getSocketFactory())
.register("https",
sslConnectionSocketFactory)
.build());
// Customize the connection pool
CloseableHttpClient httpClient = HttpClientBuilder.create()
.setConnectionManager(poolingHttpClientConnectionManager)
.build()
没有自定义 HttpClientConnectionManager :
SSLConnectionSocketFactory sslConnectionSocketFactory =
new SSLConnectionSocketFactory(SSLContexts.createDefault(),
new String[] { "TLSv1.2" },
null,
SSLConnectionSocketFactory.getDefaultHostnameVerifier());
CloseableHttpClient httpClient = HttpClientBuilder.create()
.setSSLSocketFactory(sslConnectionSocketFactory)
.build()
使用 -Dhttps.protocols=TLSv1.2 JVM 参数对我不起作用。有效的是以下代码
RequestConfig.Builder requestBuilder = RequestConfig.custom();
//other configuration, for example
requestBuilder = requestBuilder.setConnectTimeout(1000);
SSLContext sslContext = SSLContextBuilder.create().useProtocol("TLSv1.2").build();
HttpClientBuilder builder = HttpClientBuilder.create();
builder.setDefaultRequestConfig(requestBuilder.build());
builder.setProxy(new HttpHost("your.proxy.com", 3333)); //if you have proxy
builder.setSSLContext(sslContext);
HttpClient client = builder.build();
使用以下 JVM 参数进行验证
-Djavax.net.debug=all
由于这只隐藏在评论中,很难找到解决方案:
您可以使用java -Dhttps.protocols=TLSv1,TLSv1.1,但您还需要使用useSystemProperties()
client = HttpClientBuilder.create().useSystemProperties();
我们现在在我们的系统中使用这个设置,因为这使我们能够仅为代码的某些使用设置它。
在我们的例子中,我们仍然有一些 Java 7 运行 和一个 API 端点不允许 TLSv1,
所以我们使用 java -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 来启用当前的 TLS 版本。
感谢@jebeaudet 指出这个方向。