如何强制Apache的CloseableHttpClient使用TLSv1.2？

Question

在Java中，我需要让使用TLSv1.2。目前，它似乎使用了HTTP/1.1。如何在下面的代码中指定协议版本？

 public static void main(String [] args){
                                try {
                      SSLContext sslContext = SSLContext.getInstance("TLS");
                                  @SuppressWarnings("static-access")
                                  CloseableHttpClient httpclient = HttpClientBuilder.create()
                                    .setSSLSocketFactory(new SSLConnectionSocketFactory(sslContext.getDefault(), new String[] { "TLSv1.2" }, null, SSLConnectionSocketFactory.getDefaultHostnameVerifier()))
                                    .build();
                      HttpHost target = new HttpHost("https://www.sometest.com", 443, "https");
                      String call = "/vivisimo/cgi-bin/velocity";
                      HttpGet getRequest = new HttpGet(call);
                      System.out.println("Protocol Version:" + getRequest.getProtocolVersion());
                     } catch (Exception e) {
                      e.printStackTrace();
                                  }
}

Answer 1

在创建SSLContext时，请指定它必须使用TLS而不是获取默认的TLS：

SSLContext sslContext = SSLContextBuilder.create().build();

或者：

SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(....);

或者简单地使用：

SSLContext sslContext = SSLContexts.custom().build()

基于您的代码，这里是正在运行的示例(它建立到google.com的连接)。我已经启用了调试日志。在日志中查找negotiated protocol: TLSv1.2。现在，将TLS版本更改为1.1，同时创建http客户端(new String[] { "TLSv1.1" })，运行程序并观察字符串“协商协议.”改为TLSv1.1。您之前打印的是HTTP协议版本。

import org.apache.http.HttpHost;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.ssl.SSLContextBuilder;
import org.apache.http.ssl.SSLContexts;

import javax.net.ssl.SSLContext;
import java.io.OutputStreamWriter;
import java.io.PrintStream;
import java.io.StringWriter;

public class ForceTLS12 {
    public static void main(String[] args) {
        try {
            System.setProperty("org.apache.commons.logging.Log", "org.apache.commons.logging.impl.SimpleLog");
            System.setProperty("org.apache.commons.logging.simplelog.showdatetime","true");
            System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.http","DEBUG");
            System.setProperty("org.apache.commons.logging.simplelog.log.org.apache.http.wire","DEBUG");
            //SSLContext sslContext = SSLContext.getInstance("TLS");
            @SuppressWarnings("static-access")
            CloseableHttpClient httpclient = HttpClientBuilder.create()
                    .setSSLSocketFactory(new SSLConnectionSocketFactory(SSLContexts.custom().build(), new String[] { "TLSv1.2" }, null, SSLConnectionSocketFactory.getDefaultHostnameVerifier()))
                    .build();
            HttpHost target = new HttpHost("www.google.com", 443, "https");
            //String call = "/vivisimo/cgi-bin/velocity";
            HttpGet getRequest = new HttpGet(target.toURI());
            CloseableHttpResponse resposne = httpclient.execute(getRequest);

            System.out.println(resposne.getEntity().getContentType());
            System.out.println("Protocol Version:" + getRequest.getProtocolVersion());
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

此可执行代码示例也可在github上使用。