如何强制 Apache 的 CloseableHttpClient 使用 TLSv1.2？

Question

在 Java 中，我需要让 Apache CloseableHttpClient 使用 TLSv1.2。目前它看起来像使用 HTTP/1.1。如何在下面的代码中指定协议版本？

 public static void main(String [] args){
                                try {
                      SSLContext sslContext = SSLContext.getInstance("TLS");
                                  @SuppressWarnings("static-access")
                                  CloseableHttpClient httpclient = HttpClientBuilder.create()
                                    .setSSLSocketFactory(new SSLConnectionSocketFactory(sslContext.getDefault(), new String[] { "TLSv1.2" }, null, SSLConnectionSocketFactory.getDefaultHostnameVerifier()))
                                    .build();
                      HttpHost target = new HttpHost("https://www.sometest.com", 443, "https");
                      String call = "/vivisimo/cgi-bin/velocity";
                      HttpGet getRequest = new HttpGet(call);
                      System.out.println("Protocol Version:" + getRequest.getProtocolVersion());
                     } catch (Exception e) {
                      e.printStackTrace();
                                  }
}

Answer 1

在创建 SSLContext 时指定它必须使用 TLS 而不是获取默认的：

SSLContext sslContext = SSLContextBuilder.create().build();

或者：

SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(....);

或者干脆使用：

SSLContext sslContext = SSLContexts.custom().build()

根据您的代码，这里是运行示例（它连接到google.com）。我已启用调试日志。在日志中查找negotiated protocol: TLSv1.2。现在，在创建 http 客户端（new String[] { "TLSv1.1" }）时将TLS 版本更改为1.1，运行程序并观察字符串“协商协议..”更改为TLSv1.1。 您之前打印的是 HTTP 协议版本。

import org.apache.http.HttpHost;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.ssl.SSLContextBuilder;
import org.apache.http.ssl.SSLContexts;

import javax.net.ssl.SSLContext;
import java.io.OutputStreamWriter;
import java.io.PrintStream;
import java.io.StringWriter;

public class ForceTLS12 {
    public static void main(String[] args) {
        try {
            System.setProperty("org.apache.commons.logging.Log", "org.apache.commons.logging.impl.SimpleLog");
            System.setProperty("org.apache.commons.logging.simplelog.showdatetime","true");
            System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.http","DEBUG");
            System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.http.wire","DEBUG");
            //SSLContext sslContext = SSLContext.getInstance("TLS");
            @SuppressWarnings("static-access")
            CloseableHttpClient httpclient = HttpClientBuilder.create()
                    .setSSLSocketFactory(new SSLConnectionSocketFactory(SSLContexts.custom().build(), new String[] { "TLSv1.2" }, null, SSLConnectionSocketFactory.getDefaultHostnameVerifier()))
                    .build();
            HttpHost target = new HttpHost("www.google.com", 443, "https");
            //String call = "/vivisimo/cgi-bin/velocity";
            HttpGet getRequest = new HttpGet(target.toURI());
            CloseableHttpResponse resposne = httpclient.execute(getRequest);

            System.out.println(resposne.getEntity().getContentType());
            System.out.println("Protocol Version:" + getRequest.getProtocolVersion());
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

此可执行代码示例也可在 github 获得。