swagger-api / swagger-codegen-generators

Apache License 2.0

[Java/okhttp] Java OkHTTP 2.x client does not support modern TLS cipher suites #716

Open rvesse opened 4 years ago

rvesse commented 4 years ago

Our systems recently upgraded to require TLS v1.2 and as a result some of our Swagger generated clients have stopped working because the version of OkHTTP used (2.7.5) was released in Feb 2016 and does not have support for more modern TLS cipher suites.

Example error message:

invoker.ApiException: java.net.UnknownServiceException: Unable to find acceptable protocols. isFallback=false, modes=[ConnectionSpec(cipherSuites=[TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA], tlsVersions=[TLS_1_2, TLS_1_1, TLS_1_0], supportsTlsExtensions=true), ConnectionSpec(cipherSuites=[TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA], tlsVersions=[TLS_1_0], supportsTlsExtensions=true), ConnectionSpec()], supported protocols=[TLSv1]

An equivalent curl -vvv command shows the following:

* Connected to api-gw-service-nmn.local (10.92.100.71) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=XX; ST=XX; O=XX; OU=XX; CN=sms
*  start date: Jun 15 22:11:56 2020 GMT
*  expire date: Jun 13 22:11:56 2030 GMT
*  subjectAltName: host "api-gw-service-nmn.local" matched cert's "api-gw-service-nmn.local"
*  issuer: C=XX; ST=XX; L=XX; O=XX; OU=XX; CN=d4827b0d-b2ea-42cf-8e7b-5919b5b3b62b
*  SSL certificate verify ok.

Our systems are using the ECDHE-RSA-CHACHA20-POLY1305 cipher suite which doesn't appear in the supported cipher suites shown by the OkHttp error messaging.

Since OkHttp 2.x is now decidedly ancient, I would suggest investigating a move to OkHttp 4.x as a potential resolution to this.

rvesse commented 4 years ago

For reference here's the default setup for OkHttp 4 - https://github.com/square/okhttp/blob/master/okhttp/src/main/kotlin/okhttp3/ConnectionSpec.kt#L290-L312

Which does appear to include the relevant cipher suite.
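A triage sketch for the error text and curl output in the issue's opening comment, added here as an example and not code from the issue or from OkHttp. It parses the `ConnectionSpec` list and the `supported protocols=[...]` field out of the exception message and compares them with the protocol and suite curl negotiated. The sample string is a constructed, shortened copy of the error, and the function names and the small name-mapping tables are assumptions made for the example.

```python
import re

# Constructed sample: the error text from the issue, shortened to a few suites.
SAMPLE_ERROR = (
    "java.net.UnknownServiceException: Unable to find acceptable protocols. "
    "isFallback=false, modes=[ConnectionSpec(cipherSuites=["
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_3DES_EDE_CBC_SHA], "
    "tlsVersions=[TLS_1_2, TLS_1_1, TLS_1_0], supportsTlsExtensions=true), "
    "ConnectionSpec(cipherSuites=[TLS_RSA_WITH_AES_128_CBC_SHA], "
    "tlsVersions=[TLS_1_0], supportsTlsExtensions=true), ConnectionSpec()], "
    "supported protocols=[TLSv1]"
)

# curl prints OpenSSL suite names; the Java error prints IANA names.
OPENSSL_TO_IANA = {
    "ECDHE-RSA-CHACHA20-POLY1305": "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}
# The error prints TLS versions as enum names; curl uses the "TLSv1.2" style.
VERSION_NAMES = {"TLS_1_0": "TLSv1", "TLS_1_1": "TLSv1.1", "TLS_1_2": "TLSv1.2"}

SPEC_RE = re.compile(r"ConnectionSpec\(cipherSuites=\[([^\]]*)\], tlsVersions=\[([^\]]*)\]")
SOCKET_RE = re.compile(r"supported protocols=\[([^\]]*)\]")


def _items(csv):
    return [part.strip() for part in csv.split(",") if part.strip()]


def parse_error(text):
    """Return (specs, socket_protocols) extracted from the exception message."""
    specs = [
        {"suites": set(_items(suites)),
         "versions": {VERSION_NAMES.get(v, v) for v in _items(versions)}}
        for suites, versions in SPEC_RE.findall(text)
    ]
    match = SOCKET_RE.search(text)
    return specs, (_items(match.group(1)) if match else [])


def triage(text, server_protocol, server_openssl_suite):
    """Compare what the server negotiated with curl against what the client had."""
    specs, socket_protocols = parse_error(text)
    iana = OPENSSL_TO_IANA[server_openssl_suite]
    return {
        "suite_in_any_spec": any(iana in s["suites"] for s in specs),
        "protocol_in_any_spec": any(server_protocol in s["versions"] for s in specs),
        "protocol_on_socket": server_protocol in socket_protocols,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_ERROR, "TLSv1.2", "ECDHE-RSA-CHACHA20-POLY1305"))
```

Reporting the three checks separately shows whether a failed handshake lines up with the suite list, the TLS versions in the specs, or the protocols listed at the end of the message.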