Tag Archives: TLS/SSL

How to use Apache HttpClient securely?

Every Java developer in the world knows and uses the Apache HttpClient library. It is one of the libraries that can be found in every enterprise application. However, we often miss the security implications of using any library. Every library comes with security features, but it is always the developer's responsibility to incorporate security into every HTTP API integration.

HttpClient provides full support for HTTP over Secure Sockets Layer (SSL) or IETF Transport Layer Security (TLS) protocols by leveraging the Java Secure Socket Extension (JSSE). JSSE has been integrated into the Java 2 platform as of version 1.4 and works with HttpClient out of the box. On older Java 2 versions JSSE needs to be manually installed and configured.

Standard SSL in HttpClient

Basically, every JVM ships with a trust store and JSSE is already installed, so you do not need to worry about passing a custom certificate in an HttpGet request. Java takes care of it. Take a look at the code below.

import org.apache.commons.httpclient.HttpClient;          // HttpClient 3.x API
import org.apache.commons.httpclient.methods.GetMethod;
HttpClient httpclient = new HttpClient();
GetMethod httpget = new GetMethod("https://www.verisign.com/");
try {
   // TLS handshake and certificate validation happen here, against the JVM trust store
   httpclient.executeMethod(httpget);
   System.out.println(httpget.getStatusLine());
} finally {
   httpget.releaseConnection();
}

So, in simple terms, if your application triggers a GET request, an HTTPS handshake first happens between client and server. The server passes its certificate and the client validates it against the JVM trust store. If you prefer to understand it visually, you can watch the video below.

How to use custom SSL certificates in HttpGet Request?

Read the full document to understand it. Click here

Example code copied from that document:

import java.io.File;
import javax.net.ssl.SSLContext;
import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContextBuilder;
import org.apache.http.ssl.SSLContexts;
import org.apache.http.util.EntityUtils;

public class ClientCustomSSL {

   public static void main(String[] args) throws Exception {

      //Creating SSLContextBuilder object
      SSLContextBuilder SSLBuilder = SSLContexts.custom();

      //Loading the truststore file (the CAs this client will accept)
      File file = new File("mykeystore.jks");
      SSLBuilder = SSLBuilder.loadTrustMaterial(file,
         "changeit".toCharArray());

      //Building the SSLContext using the build() method
      SSLContext sslcontext = SSLBuilder.build();

      //Creating SSLConnectionSocketFactory object.
      //NoopHostnameVerifier disables hostname verification: any certificate that
      //chains to a CA in the truststore is accepted regardless of the name it was
      //issued for. Use DefaultHostnameVerifier outside of local testing.
      SSLConnectionSocketFactory sslConSocFactory = new SSLConnectionSocketFactory(sslcontext, new NoopHostnameVerifier());

      //Creating HttpClientBuilder
      HttpClientBuilder clientbuilder = HttpClients.custom();

      //Setting the SSLConnectionSocketFactory
      clientbuilder = clientbuilder.setSSLSocketFactory(sslConSocFactory);

      //Building the CloseableHttpClient
      CloseableHttpClient httpclient = clientbuilder.build();

      try {
         //Creating the HttpGet request
         HttpGet httpget = new HttpGet("https://example.com/");

         //Executing the request
         HttpResponse httpresponse = httpclient.execute(httpget);

         //Printing the status line
         System.out.println(httpresponse.getStatusLine());

         //Retrieving the HttpEntity and displaying the number of bytes read
         HttpEntity entity = httpresponse.getEntity();
         if (entity != null) {
            System.out.println(EntityUtils.toByteArray(entity).length);
         }
      } finally {
         //Releasing the connection pool and its sockets
         httpclient.close();
      }
   }
}
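The same custom-truststore setup with hostname verification kept on and the TLS versions pinned, as an added example that is not code from the original post or the linked document; the class name, "mykeystore.jks" and "changeit" are placeholders:

```java
import java.io.File;
import javax.net.ssl.SSLContext;
import org.apache.http.HttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;
import org.apache.http.util.EntityUtils;

public class ClientStrictSSL {

   // Builds a client that trusts only the CAs in the given truststore,
   // checks the server name against the certificate, and never offers
   // anything older than TLS 1.2 (so a downgrade to TLS 1.0/1.1 is impossible).
   static CloseableHttpClient build(File truststore, char[] password) throws Exception {
      SSLContext sslcontext = SSLContexts.custom()
         .loadTrustMaterial(truststore, password)   // only this CA bundle, no accept-all TrustStrategy
         .build();

      SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(
         sslcontext,
         new String[] { "TLSv1.3", "TLSv1.2" },      // protocol allow-list; needs a JVM with TLS 1.3 (Java 11+ or 8u261+)
         null,                                       // keep the JVM's default cipher suites
         new DefaultHostnameVerifier());             // replaces NoopHostnameVerifier

      return HttpClients.custom().setSSLSocketFactory(sslsf).build();
   }

   public static void main(String[] args) throws Exception {
      // Placeholder truststore and password; point these at your own file
      File truststore = new File("mykeystore.jks");
      try (CloseableHttpClient httpclient = build(truststore, "changeit".toCharArray())) {
         // A server presenting a certificate for another name, or one signed by a CA
         // not in the truststore, fails here with a javax.net.ssl.SSLException
         // instead of silently succeeding.
         HttpResponse response = httpclient.execute(new HttpGet("https://example.com/"));
         System.out.println(response.getStatusLine());
         EntityUtils.consume(response.getEntity());
      }
   }
}
```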

Daily Read: Learn to use security tools SSH, TLS/SSL and Digital Certificates securely.

Best Practices for Securing SSH: What Are Your SSH Security Risks?


6 Scariest Ways Your Developers Can Use Digital Certificates

It's hard to argue that all web services and applications should not be secured using HTTPS. However, securely obtaining and deploying the certificates needed for securing web services is a challenge, especially for developers.

Simply put, there is no easy way for developers to request certificates that comply with corporate policy. First, they need to know where the internal CA is, then they must be granted access to it and possess the proper credential to authenticate.

TLS/SSL Preventing Downgrade Attacks

TLS (transport layer security), also known as SSL (secure socket layer), is the cryptographic protocol that enables billions of people across the world to use the internet by protecting their privacy and data security. It forms the very foundation of website security.

The strength of TLS protection lies in the encryption algorithms and security parameters that it works on. These algorithms and parameters differ from one SSL/TLS version to another. When a security element of a TLS version is found to be seriously vulnerable, that version of SSL/TLS is deprecated and is replaced by a newer version.