Is there a way to set what ciphers (and protocols) a HttpsURLConnection should use?
We have some very old client code that uses the a custom socket class to communicate (via HTTP) to a server, we were looking at scraping this old code in lieu of the URLConnection class in Java, however; the user can set the SSL/TLS ciphers (and protocols) that can be used connect to the server, we basically use the SSLSocket.setEnabledCipherSuite(...) to do this. Looking at the HttpsURLConnection class there doesn't appear to be such a method and I do not see a readily available mechanism to do this.
Thanks in advance
Thanks for replying. To answer your question, our customers want to be able to specify specific ciphers (or protocols - e.g. TLSv1.2) so that their client will not connect to servers which utilize "unsecure" (in customers opinion) ciphers. Our server program is not a HTTP server per-say, it uses HTTP to communicate tho.
As for the page you linked to, I maybe missing it but I do not see anything there that indicates you can specify a cipher.
I was exploring creating a socket factory but it just seemed a bit of overkill in order to set the cipher or protocol, but that sounds like the best way to go. It's unfortunate that there is no mechanism in the class to set this as there is in the SSLSocket class.
Update - Creating my own Socket Factory and setting that into the URLConnection object was the solution
Edited by: JimM on May 21, 2012 11:40 AM
Creating SSLSocketFactories and assigning to HttpsURLConnection isn't very difficult, you just need to make sure you override all of the methods properly. I suggest using NetBeans or something similar.
While custom SSLSocketFactories can create preconfigured SSLSockets, unfortunately, the HttpsURLConnection/HttpURLConnection class doesn't give you direct access to the actual underlying Socket used for the connection. The network team has enforced that architecture/limitation.
It will be interesting to see what happens with the Http Client work being done for JDK 8.