okhttp: OkHttp fails to set TLS v1.1 and v1.2 on JDK 7

DESCRIPTION: OkHttp creates an SSLSocketFactory using SSLContext.getInstance("TLS") to retrieve the default TLS implementation from the JDK. The last public version of JDK 7 (update 80) uses TLS v1 as the default. This behavior was changed in the newer commercial Oracle JDK 7 update 131 to use TLS v1.2 as the default (the same behavior as JDK 8).

PROBLEM: When running my code on the last public JDK 7 version (update 80), I’m not able to connect to servers that use TLS v1.1 or TLS v1.2. The connectionsSpecs.tlsVersions feature does nothing because SSLContext.getInstance("TLS") retrieves the v1 implementation.

SOLUTION: Change SSLContext.getInstance("TLS") to SSLContext.getInstance("TLSv1.2") so that JDK 7 will also retrieve TLS v1.2 by default and the connectionsSpecs.tlsVersions feature will work as expected, as TLS v1.2 can downgrade gracefully to previous versions.

Line to change: https://github.com/square/okhttp/blob/c3d6607a14f66eae3dedc927a3eff642d1493caa/okhttp/src/main/java/okhttp3/internal/platform/Platform.java#L269
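A way to check the behaviour described in this issue on a given JVM, as an added example that is not part of the original issue or of OkHttp's code: it compares the protocols a client socket has enabled by default when the context comes from `SSLContext.getInstance("TLS")` versus `SSLContext.getInstance("TLSv1.2")`. The class name `TlsDefaultsCheck` and its helper methods are hypothetical; it uses only standard JSSE calls and Java 7 syntax.

```java
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;

// Added diagnostic (hypothetical class name), not OkHttp code.
public class TlsDefaultsCheck {

    // Protocols enabled on a fresh client socket before any caller changes them.
    static List<String> enabledByDefault(String algorithm) throws Exception {
        SSLContext ctx = SSLContext.getInstance(algorithm);
        ctx.init(null, null, null); // default key managers, trust managers, RNG
        // Unconnected socket: no network traffic is generated.
        SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket();
        try {
            return Arrays.asList(socket.getEnabledProtocols());
        } finally {
            socket.close();
        }
    }

    // Protocols the provider implements, whether or not they are enabled.
    static List<String> supported(String algorithm) throws Exception {
        SSLContext ctx = SSLContext.getInstance(algorithm);
        ctx.init(null, null, null);
        return Arrays.asList(ctx.getSupportedSSLParameters().getProtocols());
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version = " + System.getProperty("java.version"));
        for (String algorithm : new String[] {"TLS", "TLSv1.2"}) {
            List<String> enabled = enabledByDefault(algorithm);
            System.out.println(algorithm + " enabled by default: " + enabled);
            System.out.println(algorithm + " supported:          " + supported(algorithm));
            if (!enabled.contains("TLSv1.2")) {
                // The gap this issue reports: implemented but not enabled.
                System.out.println("  -> getInstance(\"" + algorithm
                        + "\") sockets do not have TLSv1.2 enabled by default");
            }
        }
    }
}
```

Running it under each JDK in a deployment shows whether a context obtained with `"TLS"` leaves TLSv1.2 supported but not enabled, which is the condition reported here.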

About this issue

  • State: closed
  • Created 6 years ago
  • Reactions: 1
  • Comments: 19

Most upvoted comments

@yschimke Tests are green now!

You should submit a PR next time, this felt a bit like

image

@yschimke they can’t.

7u80 is the last public version available. http://www.oracle.com/technetwork/java/javase/downloads/java-archive-downloads-javase7-521261.html

7u131 is an Oracle paid version!

@yschimke Yes, I’m sure this protocol version is implemented on JDK supported platforms and Android as well.

Most important is that this will become the web default, as PCI compliance is dropping SSL/TLSv1 at the end of the month.

That’s not a problem for JDK 8+ users, but we still have many enterprise customers running JDK 7.

https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls