This discussion is archived
5 Replies Latest reply: May 30, 2012 6:26 PM by wetmore RSS

Set ciphers for HttpsURLConnection?

852668 Newbie
Currently Being Moderated
Is there a way to set what ciphers (and protocols) a HttpsURLConnection should use?

We have some very old client code that uses the a custom socket class to communicate (via HTTP) to a server, we were looking at scraping this old code in lieu of the URLConnection class in Java, however; the user can set the SSL/TLS ciphers (and protocols) that can be used connect to the server, we basically use the SSLSocket.setEnabledCipherSuite(...) to do this. Looking at the HttpsURLConnection class there doesn't appear to be such a method and I do not see a readily available mechanism to do this.

Thanks in advance
  • 1. Re: Set ciphers for HttpsURLConnection?
    EJP Guru
    Currently Being Moderated
    You can do that via system properties. See the Networking Properties page linked from the Guide to Features - Networking. You can also supply your own SSLSocketFactory which changes those parameters for sockets it creates: see the Javadoc for HttpsURLConnection.

    Why do you need to change the cipher suites?
  • 2. Re: Set ciphers for HttpsURLConnection?
    852668 Newbie
    Currently Being Moderated
    Hi EJP,
    Thanks for replying. To answer your question, our customers want to be able to specify specific ciphers (or protocols - e.g. TLSv1.2) so that their client will not connect to servers which utilize "unsecure" (in customers opinion) ciphers. Our server program is not a HTTP server per-say, it uses HTTP to communicate tho.

    As for the page you linked to, I maybe missing it but I do not see anything there that indicates you can specify a cipher.

    I was exploring creating a socket factory but it just seemed a bit of overkill in order to set the cipher or protocol, but that sounds like the best way to go. It's unfortunate that there is no mechanism in the class to set this as there is in the SSLSocket class.

    -----
    Update - Creating my own Socket Factory and setting that into the URLConnection object was the solution
    -----

    Edited by: JimM on May 21, 2012 11:40 AM
  • 3. Re: Set ciphers for HttpsURLConnection?
    EJP Guru
    Currently Being Moderated
    It's unfortunate that there is no mechanism in the class to set this as there is in the SSLSocket class.
    It's also untrue. See here. My bad.
  • 4. Re: Set ciphers for HttpsURLConnection?
    wetmore Newbie
    Currently Being Moderated
    Creating SSLSocketFactories and assigning to HttpsURLConnection isn't very difficult, you just need to make sure you override all of the methods properly. I suggest using NetBeans or something similar.

    While custom SSLSocketFactories can create preconfigured SSLSockets, unfortunately, the HttpsURLConnection/HttpURLConnection class doesn't give you direct access to the actual underlying Socket used for the connection. The network team has enforced that architecture/limitation.

    It will be interesting to see what happens with the Http Client work being done for JDK 8.

    [http://openjdk.java.net/jeps/110]
  • 5. Re: Set ciphers for HttpsURLConnection?
    EJP Guru
    Currently Being Moderated
    See here, as I said above, where it shows how to set the protocols and cipher suites for HttpsURLConnection via system properties, globally of course.

Legend

  • Correct Answers - 10 points
  • Helpful Answers - 5 points