Hakky54 edited a comment on issue #194: Switched to TLSv1.2 as default protocol if none provided
URL: https://github.com/apache/httpcomponents-core/pull/194#issuecomment-602185960
 
 
   Hi @michael-o Well, let me try to give more context to the pull request by explaining what the behaviour was before the code change. Apache SSLContextBuilder was using TLS when the user didn't specify a specific protocol. So basically it was using TLSv1.0, a protocol from the year 1999, which currently is deprecated. See below for the list of encryption protocols:
   <img width="436" alt="Screenshot 2020-03-22 at 12 11 55" src="https://user-images.githubusercontent.com/16032204/77248002-72e70d00-6c36-11ea-98fa-29ef302a4619.png">
   https://en.wikipedia.org/wiki/Transport_Layer_Security
   
   We need to provide a better protocol as a default to prevent users of the SSLContextBuilder from accidentally getting the deprecated protocol by forgetting to specify that they want to use TLSv1.3 or TLSv1.2.
   
   So the existing code for these methods will return the old protocol from 1999:
   
[SSLContexts#createDefault()](https://hc.apache.org/httpcomponents-core-ga/httpcore/apidocs/org/apache/http/ssl/SSLContexts.html#createDefault())
   
[SSLContextBuilder](https://hc.apache.org/httpcomponents-core-ga/httpcore/apidocs/org/apache/http/ssl/SSLContextBuilder.html)
   ```
   import java.security.KeyManagementException;
   import java.security.NoSuchAlgorithmException;
   import javax.net.ssl.SSLContext;
   // httpcore 4.x packages, as in the linked apidocs; in httpcore5 these live in org.apache.hc.core5.ssl
   import org.apache.http.ssl.SSLContextBuilder;
   import org.apache.http.ssl.SSLContexts;

   public class DefaultProtocolDemo {
       public static void main(String[] args) throws NoSuchAlgorithmException, KeyManagementException {
           // Library default: no protocol specified by the caller
           SSLContext defaultSSLContext = SSLContexts.createDefault();
           System.out.println(defaultSSLContext.getProtocol());

           // Builder with no setProtocol(...) call: same default as above
           SSLContext customSSLContext = SSLContextBuilder.create()
                   .build();
           System.out.println(customSSLContext.getProtocol());
       }
   }
   ```
   
   So with the code change within this pull request the user of these classes will be getting TLSv1.2 by default for the above code snippet if they **don't specify** a protocol at all. But if they specify it, as in the code below, they will even get TLSv1.3
   
   ```
   import java.security.KeyManagementException;
   import java.security.NoSuchAlgorithmException;
   import javax.net.ssl.SSLContext;
   // httpcore 4.x package, as in the linked apidocs; in httpcore5 this is org.apache.hc.core5.ssl
   import org.apache.http.ssl.SSLContextBuilder;

   public class ExplicitProtocolDemo {
       public static void main(String[] args) throws NoSuchAlgorithmException, KeyManagementException {
           // Caller explicitly asks for TLSv1.3; the builder passes this name to SSLContext.getInstance
           SSLContext customSSLContext = SSLContextBuilder.create()
                   .setProtocol("TLSv1.3")
                   .build();
           System.out.println(customSSLContext.getProtocol());
       }
   }
   ```
   
   I hope this makes it a bit more clear. So back to your question. The default protocol now will be TLSv1.2 instead of TLSv1.0. In my opinion I wouldn't like to provide TLSv1.3 by default if the user didn't specify it, because the protocol is still new and not fully adopted by most of the servers. Most likely most users will get a runtime exception during the handshake process because the server is still using TLSv1.2 and is not compatible with TLSv1.3.
   
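The check a practitioner would want alongside the discussion above: `SSLContext.getProtocol()` only echoes the name that was passed to `SSLContext.getInstance()`, so the list of versions an engine created from the context will actually offer on the wire is read from `getEnabledProtocols()`, and a caller who does not want to depend on the builder's default can pin the enabled versions explicitly. This is an added example, not code from the pull request or from HttpComponents; it assumes the httpcore 4.x package used in the linked apidocs (`org.apache.http.ssl`), and the class name `TlsVersionCheck` and the constant `ACCEPTABLE` are illustrative. It also handles the failure mode of naming a version the running JVM does not know (TLSv1.3 on a JDK 8 build that predates 8u261), which would otherwise throw `IllegalArgumentException` from `setEnabledProtocols`.

```java
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// httpcore 4.x package as in the linked apidocs (assumption); httpcore5 uses org.apache.hc.core5.ssl
import org.apache.http.ssl.SSLContextBuilder;

public class TlsVersionCheck {

    // Versions we are willing to negotiate, newest first (illustrative policy, not a library constant).
    private static final String[] ACCEPTABLE = { "TLSv1.3", "TLSv1.2" };

    /**
     * Versions an engine created from this context will actually offer.
     * This is the value to audit; getProtocol() is just the instance name.
     */
    static List<String> enabledProtocols(SSLContext ctx) {
        return Arrays.asList(ctx.createSSLEngine().getEnabledProtocols());
    }

    /**
     * Creates an engine from the context and restricts it to the acceptable
     * versions that this JVM supports. Filtering against getSupportedProtocols()
     * avoids the IllegalArgumentException that setEnabledProtocols throws for a
     * name the runtime does not know.
     */
    static SSLEngine restrictToModernTls(SSLContext ctx) {
        SSLEngine engine = ctx.createSSLEngine();
        List<String> supported = Arrays.asList(engine.getSupportedProtocols());
        List<String> enable = new ArrayList<>();
        for (String version : ACCEPTABLE) {
            if (supported.contains(version)) {
                enable.add(version);
            }
        }
        if (enable.isEmpty()) {
            // Fail closed rather than silently fall back to whatever the JVM enables.
            throw new IllegalStateException("JVM supports none of " + Arrays.toString(ACCEPTABLE));
        }
        engine.setEnabledProtocols(enable.toArray(new String[0]));
        return engine;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException, KeyManagementException {
        // Built without setProtocol(...): whatever the builder's default is
        SSLContext defaultCtx = SSLContextBuilder.create().build();
        System.out.println("getProtocol():      " + defaultCtx.getProtocol());
        System.out.println("enabled by default: " + enabledProtocols(defaultCtx));

        // Same context, but the engine is pinned to the acceptable versions only
        SSLEngine pinned = restrictToModernTls(defaultCtx);
        System.out.println("enabled after pin:  " + Arrays.asList(pinned.getEnabledProtocols()));
    }
}
```

Running the `main` method before and after applying the pull request shows whether the builder's default actually changes what gets enabled on the engine, which is the observable behaviour a client relies on; the pinning helper gives callers a result that does not depend on that default at all.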
