
We wanted to enable the TLSv1.2 protocol with Java 7, while also ensuring support for the lower versions.

I am aware that we can utilize SSLContext.getInstance("TLSv1.2") to activate TLSv1.2. However, our scenario involves the utilization of an Axis repository, specifically the org.apache.commons.httpclient.* packages, for conducting SOAP calls.

We've implemented the usage of ProtocolSocketFactory to register the protocol, and in this context, we've designed a custom protocol factory class that extends HttpSecureProtocol.

Now, using this existing code, how can I achieve this?

**Initialization class:**

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.Properties;

import org.apache.commons.httpclient.HttpsURL;
import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;

static void registerHttpsProtocol() throws GeneralSecurityException, IOException {
    PropertiesLoader props = PropertiesLoader.getInstance();
    // Mask the system variable. Causes problems, as not-commons-ssl expects the private key to be there
    Properties sysProps = System.getProperties();
    String sysKeystore = (String) sysProps.remove("javax.net.ssl.keyStore");
    // use client keystore for connection factory
    ProtocolSocketFactory factory = new FixedProtocolSocketFactory(KEYSTORE, KEYSTORE_PASS);
    Protocol.unregisterProtocol("https");
    Protocol.registerProtocol("https", new Protocol("https", factory, HttpsURL.DEFAULT_PORT));
    // Protocol is keyed by scheme only, so a second registerProtocol("https", ..., 8443) call
    // would replace this entry and make 8443 the default port; URLs with an explicit
    // ":8443" already use this factory, so no second registration is needed.
    if (sysKeystore != null) {
        sysProps.setProperty("javax.net.ssl.keyStore", sysKeystore);
    }
}
```

**Custom class:**

```java
import java.io.File;
import java.io.IOException;
import java.security.GeneralSecurityException;

import org.apache.commons.ssl.HttpSecureProtocol;
import org.apache.commons.ssl.KeyMaterial;
import org.apache.commons.ssl.TrustChain;
import org.apache.commons.ssl.TrustMaterial;

public class FixedProtocolSocketFactory extends HttpSecureProtocol {

    public FixedProtocolSocketFactory(final String keystore,
            final String keystorePassword) throws GeneralSecurityException, IOException {

        super();
        // trust the JRE's cacerts bundle for server certificates
        TrustChain trustChain = TrustMaterial.CACERTS;
        super.setTrustMaterial(trustChain);
        File keystoreFile = new File(keystore);

        // prepare key material (client certificate and private key)
        if (keystoreFile.exists()) {
            // KeyMaterial needs a char[] even for an unprotected keystore;
            // the original dereferenced a null ksPass when no password was given
            char[] ksPass = new char[0];
            if (keystorePassword != null) {
                ksPass = keystorePassword.toCharArray();
            }
            KeyMaterial km = new KeyMaterial(keystoreFile, ksPass.clone());
            super.setKeyMaterial(km);
        }
    }
}
```

**NOTE**: Can't upgrade to a higher version of Java.

**What has been tried?**

  1. We have defined the protocols in the custom class.
  2. Implemented the socket class in the Initialization class.

**What I am expecting?** Need to do the handshake with TLSv1.2 in a SOAP call.

  • If you care about security, then you need to ensure that you don't support the lower versions. Commented Aug 27, 2023 at 19:31
  • @JosephSible-ReinstateMonica Thanks for the advice. We are migrating the things; it will take some time. But for now we are in a position where we need to enable this protocol ASAP. Commented Aug 27, 2023 at 19:41
  • You are probably aware, but just for the record, Java 7 has been EOL since 2015 and it is a security nightmare. Anyone using it should be migrating urgently to a recent release. Commented Aug 27, 2023 at 20:11

1 Answer

While I strongly question using an unsupported Java version and using anything less than TLS 1.2, it's pretty straightforward:

```java
import javax.net.ssl.SSLContext;

import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.ssl.SSLContexts;

// build() throws NoSuchAlgorithmException / KeyManagementException (both GeneralSecurityException)
SSLContext sslContext = SSLContexts.custom()
    .build();

// JSSE names TLS 1.0 "TLSv1"; "TLSv1.0" is rejected with an IllegalArgumentException
SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(
    sslContext,
    new String[]{ "TLSv1", "TLSv1.1", "TLSv1.2" },
    null,
    SSLConnectionSocketFactory.getDefaultHostnameVerifier());
// pass socketFactory to HttpClients.custom().setSSLSocketFactory(...) when building the client
```

Your HttpClient calls will now accept TLS 1.2 and below.
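An added example, not from the question or the answer, that stays on the commons-httpclient 3.x / not-yet-commons-ssl path the question already uses: a factory like FixedProtocolSocketFactory that pins the TLS versions offered on every socket and verifies what was actually negotiated. The class name is hypothetical, and it assumes that SSLClient (the parent of HttpSecureProtocol) exposes setEnabledProtocols(String[]) and applies the list before the handshake.

```java
import java.io.File;
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.util.Arrays;

import javax.net.ssl.SSLSocket;

import org.apache.commons.httpclient.params.HttpConnectionParams;
import org.apache.commons.ssl.HttpSecureProtocol;
import org.apache.commons.ssl.KeyMaterial;
import org.apache.commons.ssl.TrustMaterial;

/** Hypothetical factory: like the question's FixedProtocolSocketFactory, but pins the TLS versions. */
public class Tls12ProtocolSocketFactory extends HttpSecureProtocol {

    // The versions the question asks for; JSSE spells TLS 1.0 "TLSv1", not "TLSv1.0".
    // Drop the first two entries to get the TLS 1.2-only configuration the comments recommend.
    private static final String[] PROTOCOLS = { "TLSv1", "TLSv1.1", "TLSv1.2" };

    public Tls12ProtocolSocketFactory(String keystore, String keystorePassword)
            throws GeneralSecurityException, IOException {
        super();
        setTrustMaterial(TrustMaterial.CACERTS);
        File keystoreFile = new File(keystore);
        if (keystoreFile.exists()) {
            char[] ksPass = keystorePassword == null ? new char[0] : keystorePassword.toCharArray();
            setKeyMaterial(new KeyMaterial(keystoreFile, ksPass));
        }
        // Assumption: SSLClient applies this list to each socket before the handshake,
        // so the ClientHello offers TLSv1.2 even on Java 7, whose default is TLSv1 only.
        setEnabledProtocols(PROTOCOLS);
    }

    /** commons-httpclient 3.x entry point; rejects the connection if the negotiated version is not allowed. */
    @Override
    public Socket createSocket(String host, int port, InetAddress localAddress, int localPort,
            HttpConnectionParams params) throws IOException {
        Socket s = super.createSocket(host, port, localAddress, localPort, params);
        if (s instanceof SSLSocket) {
            String negotiated = ((SSLSocket) s).getSession().getProtocol();
            if (!Arrays.asList(PROTOCOLS).contains(negotiated)) {
                s.close();
                throw new IOException("unexpected TLS version negotiated: " + negotiated);
            }
        }
        return s;
    }
}
```

Register it with Protocol.registerProtocol exactly as the initialization class does; the post-handshake check makes a silently downgraded connection fail loudly instead of passing unnoticed.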
