fix(http): enable TLSv1.3; disable TLSv1.0 TLSv1.1#123
Conversation
|
|
ricellis
force-pushed
the
2656-enable-tlsv1.3
branch
from
990817a to
fb510e6
Compare
I marked it as |
agreed I've tested this version of the java core with the platform-services java sdk (ran integration tests for several of the services) and all seems to be working well. @ricellis Thank you for contributing this change! |
## [9.10.1](9.10.0...9.10.1) (2021-05-19) ### Bug Fixes * **http:** enable TLSv1.3; disable TLSv1.0 TLSv1.1 ([#123](#123)) ([3b05fd5](3b05fd5))
|
🎉 This PR is included in version 9.10.1 🎉 The release is available on GitHub release Your semantic-release bot 📦🚀 |
4 participants
The
setupTLSProtocolfunction inHttpClientSingletonwas hard-coded toTLS_1_0TLS_1_1TLS_1_2thus preventing negotiation to TLSv1.3 even if it was available in the supported protocols for the socket and on the server.Since
configureHttpClientis using theMODERN_TLSconnection spec anyway this change determines the set of protocols to enable from the union of the protocols listed inMODERN_TLSand the protocols supported by the socket.It should be noted that:
MODERN_TLSgets updated withOkHttpupdates (as such updating in future may disable additional protocols or enable new ones if they are also supported by the runtime environment).MODERN_TLScurrently allows only TLSv1.2 and TLSv1.3.So this change will also disable TLSv1.0 and TLSv1.1 connections, but that should not pose a problem as we should be using TLSv1.2 minimum since 1.0 and 1.1 have known insecurities and are considered deprecated.
I added a test to validate that each enabled protocol on a socket created from the configured client was valid against both the
MODERN_TLSlist and the supported protocols list from the socket.I also noticed that when using
disableSslVerificationthe [existing] protocol filtering was not applied. I did not see a reason that the same protocol set should not be used even if the certificates and hostnames were going to be universally trusted. I've made that change and added a test for it in a separate commit so if others disagree it can be easily removed.