Force TLSv1.1 or greater when supported #548
Conversation
The Box API will be deprecating TLSv1.0 support in the future, but Java 7 environments use that protocol by default. The SDK needs to force TLSv1.1 or greater to maintain compatibility with the Box API. This should work in all supported Java versions (7+).
|
Verified that @mattwiller has signed the CLA. Thanks for the pull request! |
| // Setup the SSL context manually to force newer TLS version on legacy Java environments | ||
| // This is necessary because Java 7 uses TLSv1.0 by default, but the Box API will need | ||
| // to deprecate this protocol in the future. To prevent clients from breaking, we must | ||
| // ensure that they are using TLSv1.1 or greater! |
There was a problem hiding this comment.
What's the plan for people who haven't upgraded to the latest Java SDK version? They would still have TLSv1.0
There was a problem hiding this comment.
They must either update their Java version (to 1.8+) or their Java SDK version (to whatever release this lands in or greater).
| if (connection instanceof HttpsURLConnection) { | ||
| HttpsURLConnection httpsConnection = (HttpsURLConnection) connection; | ||
|
|
||
| if (this.sslContext != null) { |
There was a problem hiding this comment.
Don't we have to do anything if it's null?
There was a problem hiding this comment.
I'm not really sure what to do. For the time being we can allow it since TLSv1.0 is still available, but in the future requests will just fail. Do you have any suggestion?
| LOGGER.warning("Unable to set up SSL context for HTTPS! This may result in the inability " | ||
| + " to connect to the Box API."); | ||
| } | ||
| if (sc == null || sc.getProtocol().equals("TLSv1")) { |
There was a problem hiding this comment.
There's a sc == null check above which means two warnings will be posted
There was a problem hiding this comment.
Good catch! I'll dedupe these.
The Box API will be deprecating TLSv1.0 support in the future, but
Java 7 environments use that protocol by default. The SDK needs
to force TLSv1.1 or greater to maintain compatibility with the Box
API. This should work in all supported Java versions (7+).