Force TLSv1.1 or greater when supported #548
The Box API will be deprecating TLSv1.0 support in the future, but Java 7 environments use that protocol by default. The SDK needs to force TLSv1.1 or greater to maintain compatibility with the Box API. This should work in all supported Java versions (7+).
Verified that @mattwiller has signed the CLA. Thanks for the pull request!
// Setup the SSL context manually to force newer TLS version on legacy Java environments | ||
// This is necessary because Java 7 uses TLSv1.0 by default, but the Box API will need | ||
// to deprecate this protocol in the future. To prevent clients from breaking, we must | ||
// ensure that they are using TLSv1.1 or greater! |
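Review bot: The comment block explains why the context is set up manually but not what happens when the JVM cannot provide a TLSv1.1 or TLSv1.2 context. A sentence stating the fallback (JVM defaults, which per this comment means TLSv1.0 on Java 7) would tell the next reader that the upgrade is best-effort and not a hard floor.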
What's the plan for people who haven't upgraded to the latest Java SDK version? They would still have TLSv1.0
They must either update their Java version (to 1.8+) or their Java SDK version (to whatever release this lands in or greater).
if (connection instanceof HttpsURLConnection) { | ||
HttpsURLConnection httpsConnection = (HttpsURLConnection) connection; | ||
|
||
if (this.sslContext != null) { |
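Review bot: The `if (this.sslContext != null)` guard on the last line has no else branch in the lines shown, so a null context leaves the connection on the JVM's default socket factory with nothing recorded at the point of use. Consider documenting that fallback here, and deciding now whether it should become a clear exception once the API stops accepting TLSv1.0, so that callers see a TLS configuration error and not an opaque handshake failure.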
Don't we have to do anything if it's null?
I'm not really sure what to do. For the time being we can allow it since TLSv1.0 is still available, but in the future requests will just fail. Do you have any suggestion?
LOGGER.warning("Unable to set up SSL context for HTTPS! This may result in the inability " | ||
+ " to connect to the Box API."); | ||
} | ||
if (sc == null || sc.getProtocol().equals("TLSv1")) { |
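Review bot: The `sc.getProtocol().equals("TLSv1")` test on the last line compares against the name the context was created with, since `SSLContext.getProtocol()` returns the string passed to `getInstance`, so it would not flag a context obtained under a generic name such as "TLS". If `sc` can come from anything other than an explicit version name, check the enabled protocols instead, for example via `sc.getDefaultSSLParameters().getProtocols()`. Separately, the warning string above concatenates "inability " with " to connect", which logs a double space.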
There's a `sc == null` check above which means two warnings will be posted
Good catch! I'll dedupe these.
The Box API will be deprecating TLSv1.0 support in the future, but
Java 7 environments use that protocol by default. The SDK needs
to force TLSv1.1 or greater to maintain compatibility with the Box
API. This should work in all supported Java versions (7+).
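A sketch of the approach this pull request describes, added here as an illustration and not taken from the Box SDK: it picks the newest TLS context the JVM offers, reports which protocols that context enables, and applies it to an `HttpsURLConnection`. The class name, method names, preference order and placeholder hostname are assumptions of this example.

```java
import java.net.URL;
import java.net.URLConnection;
import java.security.GeneralSecurityException;
import java.util.Arrays;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;

public class TlsFloorExample {
    // Preference order is an assumption of this example: newest protocol first.
    private static final String[] PREFERRED = {"TLSv1.2", "TLSv1.1"};

    /** Returns the first context the JVM can provide, or null if none is available. */
    static SSLContext newestAvailableContext() {
        for (String protocol : PREFERRED) {
            try {
                SSLContext context = SSLContext.getInstance(protocol);
                // null arguments select the JVM's default key managers, trust managers and RNG
                context.init(null, null, null);
                return context;
            } catch (GeneralSecurityException e) {
                // NoSuchAlgorithmException or KeyManagementException: try the next name
            }
        }
        return null;
    }

    /** Applies the context to an HTTPS connection; false means the JVM default stays in place. */
    static boolean apply(URLConnection connection, SSLContext context) {
        if (context == null || !(connection instanceof HttpsURLConnection)) {
            return false;
        }
        ((HttpsURLConnection) connection).setSSLSocketFactory(context.getSocketFactory());
        return true;
    }

    public static void main(String[] args) throws Exception {
        SSLContext context = newestAvailableContext();
        if (context == null) {
            System.out.println("No TLSv1.1+ context available; JVM defaults would be used");
            return;
        }
        // Protocols a client socket from this context enables before any handshake
        String[] enabled = context.getDefaultSSLParameters().getProtocols();
        System.out.println(context.getProtocol() + " context enables " + Arrays.toString(enabled));
        // openConnection() does not touch the network; the hostname is a placeholder
        URLConnection connection = new URL("https://api.example.invalid/").openConnection();
        System.out.println("custom socket factory applied: " + apply(connection, context));
    }
}
```

Running this on each JVM you deploy to shows whether the selected context still lists TLSv1 among its enabled protocols, which is the case where the server side decides the negotiated version.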