Force Datasync to use TLS 1.1/1.2 when talking to DI2

socrata · Dec 9, 2016 · 17be3fd · 17be3fd
1 parent 5013159
commit 17be3fd
Showing 1 changed file with 29 additions and 4 deletions.
diff --git a/src/main/java/com/socrata/datasync/HttpUtility.java b/src/main/java/com/socrata/datasync/HttpUtility.java
@@ -19,15 +19,22 @@
 import org.apache.http.client.methods.HttpPost;
 import org.apache.http.client.protocol.HttpClientContext;
 import org.apache.http.conn.ConnectionKeepAliveStrategy;
+import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
+import org.apache.http.conn.ssl.SSLContexts;
 import org.apache.http.impl.client.BasicCredentialsProvider;
 import org.apache.http.impl.client.CloseableHttpClient;
 import org.apache.http.impl.client.HttpClientBuilder;
 import org.apache.http.impl.client.HttpClients;
 import org.apache.http.protocol.HttpContext;
 
+import javax.net.ssl.SSLContext;
 import java.io.IOException;
 import java.net.URI;
 import java.nio.charset.Charset;
+import java.security.KeyManagementException;
+import java.security.NoSuchAlgorithmException;
+
+import static org.apache.http.conn.ssl.SSLConnectionSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER;
 
 public class HttpUtility {
 
@@ -87,10 +94,28 @@ public HttpUtility(UserPreferences userPrefs, boolean useAuth, int maxRetries, d
             setSocketTimeout(60000). // 1m
             build();
 
-        clientBuilder.setRetryHandler(datasyncDefaultHandler);
-        clientBuilder.setKeepAliveStrategy(datasyncDefaultKeepAliveStrategy);
-        clientBuilder.setDefaultRequestConfig(requestConfig);
-        httpClient = clientBuilder.build();
+        SSLContext sslContext;
+        try {
+            sslContext = SSLContexts.custom().useTLS().build();
+        } catch (NoSuchAlgorithmException|KeyManagementException e) {
+            // there’s no way for the client to recover,
+            // so a checked exception is not necessary
+            throw new RuntimeException(e);
+        }
+
+        SSLConnectionSocketFactory factory = new SSLConnectionSocketFactory(
+            sslContext,
+            new String[] { "TLSv1.1", "TLSv1.2" },
+            null,
+            BROWSER_COMPATIBLE_HOSTNAME_VERIFIER
+        );
+
+        httpClient = HttpClients.custom().
+            setSSLSocketFactory(factory).
+            setRetryHandler(datasyncDefaultHandler).
+            setKeepAliveStrategy(datasyncDefaultKeepAliveStrategy).
+            setDefaultRequestConfig(requestConfig).
+            build();
     }
 
     /**