Set TLSv2 in WS.client on Play 2.2.0


Nathan Murthy

Oct 25, 2013, 4:23:14 PM
to play-fr...@googlegroups.com
Hi folks,

I need to implement a WS.client that issues requests over a secure TLSv2 connection. I am able to set my keystore, truststore, and their respective passwords using props.setProperty() in Global.scala. Doing this, I can successfully initiate TLSv1 handshakes. The com.ning.http.client.AsyncHttpClient will initiate SSLv3 and TLSv1 handshakes by default:

WS.client.getConfig.getSSLContext.getDefaultSSLParameters.getProtocols.foreach(println(_))

SSLv3
TLSv1

but there is no straightforward way in the documentation I've searched to add "TLSv2" to the Array[String] of SSL protocols. Anyone have working solutions to this problem? Is there a way to globally add "TLSv2" so that I only have to set this parameter once for all and any of my WS.url("url.com").<verb>(content) HTTP requests?

Sincere regards,
Nathan


Will Sargent

Oct 28, 2013, 6:04:11 PM
to play-fr...@googlegroups.com
You can't do it currently. You need to call

asyncHttpConfig.setSSLContext()

before the client is instantiated, and that's private to WS.newClient().



Will Sargent
Consultant, Professional Services
Typesafe, the company behind Play Framework, Akka and Scala


--
You received this message because you are subscribed to the Google Groups "play-framework" group.
To unsubscribe from this group and stop receiving emails from it, send an email to play-framewor...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Nathan Murthy

Oct 29, 2013, 1:10:04 AM
to play-fr...@googlegroups.com
Yeah, I figured. I ended up writing a kludgy newClient() in WS.scala to get what we needed:

  import java.io.FileInputStream
  import java.security.KeyStore
  import javax.net.ssl.{KeyManagerFactory, SSLContext, TrustManagerFactory}
  import com.ning.http.client.{AsyncHttpClient, AsyncHttpClientConfig}

  private[play] def newClient(): AsyncHttpClient = {
    /*
     * Load keystore (path and password come from the javax.net.ssl.* system properties)
     */
    var ksis: FileInputStream = null
    val ks = KeyStore.getInstance("JKS")
    val kmf = KeyManagerFactory.getInstance("SunX509")
    val keystorePath = System.getProperty("javax.net.ssl.keyStore")
    // null-safe: KeyStore.load and KeyManagerFactory.init accept a null password array
    val keystorePassword = Option(System.getProperty("javax.net.ssl.keyStorePassword")).map(_.toCharArray).orNull
    if (keystorePath != null && !"NONE".equals(keystorePath)) {
      ksis = new FileInputStream(keystorePath)
    }
    try {
      ks.load(ksis, keystorePassword)
    } finally {
      if (ksis != null) { ksis.close() }
    }
    kmf.init(ks, keystorePassword)

    /*
     * Load truststore
     */
    var tsis: FileInputStream = null
    val ts = KeyStore.getInstance("JKS")
    val tmf = TrustManagerFactory.getInstance("SunX509")
    val truststorePath = System.getProperty("javax.net.ssl.trustStore")
    val truststorePassword = Option(System.getProperty("javax.net.ssl.trustStorePassword")).map(_.toCharArray).orNull
    if (truststorePath != null && !"NONE".equals(truststorePath)) {
      tsis = new FileInputStream(truststorePath)
    }
    try {
      ts.load(tsis, truststorePassword)
    } finally {
      if (tsis != null) { tsis.close() }
    }
    tmf.init(ts)

    /*
     * Create SSLContext: the "TLSv1.2" context name makes TLSv1.2 available to the client
     */
    val ctx = SSLContext.getInstance("TLSv1.2")
    ctx.init(kmf.getKeyManagers, tmf.getTrustManagers, null)
    val asyncHttpConfig = new AsyncHttpClientConfig.Builder().setSSLContext(ctx)
    new AsyncHttpClient(asyncHttpConfig.build())
  }


But this isn't a sustainable approach for us as the framework evolves (for obvious reasons). Any chances we'll see support for SSL-configurable HTTP clients in near-future releases of Play or when you guys switch to Spray.io? I was thinking of making a pull request, wanted to hear your thoughts first.

-Nathan
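The context name chosen in the patched newClient() above decides which protocol versions the client may negotiate, but it does not by itself disable the older ones. On Java 7 a context obtained with "TLS" enables only SSLv3 and TLSv1 on the client side (the list printed in the first post), while "TLSv1.2" enables SSLv3 through TLSv1.2. A practitioner who needs TLSv1.2 only must therefore both build the right context and pin the enabled protocols on the engine or socket. The Scala below is an added example, not code from the thread or from Play: it builds a client SSLContext from the same javax.net.ssl.* system properties as the posted code (falling back to the JDK's default trust store when they are unset, so it runs offline), prints supported versus default-enabled protocols for both context names, and creates an SSLEngine pinned to TLSv1.2. The object name, the helper names and the "example.com" hostname are assumptions; no connection is opened, and wiring the pinned engine into the Play 2.2.0 WS client is not shown because, as the thread states, that client exposes no hook for it.

```scala
import java.io.FileInputStream
import java.security.KeyStore
import javax.net.ssl.{KeyManagerFactory, SSLContext, SSLEngine, TrustManagerFactory}

/** Added example (not part of the thread): build a client SSLContext from the same
  * javax.net.ssl.* system properties the posted newClient() reads, compare what each
  * context name supports with what it enables by default, and pin an SSLEngine to
  * TLSv1.2 only. Falls back to the JDK's cacerts when the properties are unset.
  */
object TlsProtocolCheck {

  private def password(prop: String): Array[Char] =
    Option(System.getProperty(prop)).map(_.toCharArray).orNull

  /** Loads a keystore named by a system property; None when the property is unset or "NONE". */
  private def loadStore(pathProp: String, passwordProp: String): Option[KeyStore] = {
    val path = System.getProperty(pathProp)
    if (path == null || path == "NONE") None
    else {
      val ks = KeyStore.getInstance(KeyStore.getDefaultType) // JKS on Java 7/8
      val in = new FileInputStream(path)
      try ks.load(in, password(passwordProp)) finally in.close()
      Some(ks)
    }
  }

  /** SSLContext for the given JSSE protocol name ("TLS", "TLSv1.2", ...). */
  def buildContext(protocol: String): SSLContext = {
    val keyManagers = loadStore("javax.net.ssl.keyStore", "javax.net.ssl.keyStorePassword").map { ks =>
      val kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm)
      kmf.init(ks, password("javax.net.ssl.keyStorePassword"))
      kmf.getKeyManagers
    }.orNull // null: no client certificate is presented
    val trustManagers = loadStore("javax.net.ssl.trustStore", "javax.net.ssl.trustStorePassword").map { ts =>
      val tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm)
      tmf.init(ts)
      tmf.getTrustManagers
    }.orNull // null: JSSE falls back to the JDK's cacerts
    val ctx = SSLContext.getInstance(protocol)
    ctx.init(keyManagers, trustManagers, null)
    ctx
  }

  /** Client-mode SSLEngine that will negotiate only the listed protocol versions.
    * setEnabledProtocols throws IllegalArgumentException for a version the context cannot speak,
    * which is the check that catches a context built with too narrow a name. */
  def restrictedEngine(ctx: SSLContext, host: String, port: Int, protocols: Array[String]): SSLEngine = {
    val engine = ctx.createSSLEngine(host, port) // host/port are session-cache hints; constructed values here
    engine.setUseClientMode(true)
    engine.setEnabledProtocols(protocols)
    engine
  }

  def main(args: Array[String]): Unit = {
    Seq("TLS", "TLSv1.2").foreach { name =>
      val ctx = buildContext(name)
      println(s"SSLContext($name) supports: " + ctx.getSupportedSSLParameters.getProtocols.mkString(", "))
      println(s"SSLContext($name) enables by default: " + ctx.getDefaultSSLParameters.getProtocols.mkString(", "))
    }
    // "example.com" is a placeholder hostname; no socket is opened by creating the engine.
    val engine = restrictedEngine(buildContext("TLSv1.2"), "example.com", 443, Array("TLSv1.2"))
    println("pinned engine enables: " + engine.getEnabledProtocols.mkString(", "))
  }
}
```

Run it with the same -Djavax.net.ssl.keyStore / trustStore properties the application uses and compare the two printed lists: if the "TLSv1.2" context still lists SSLv3 and TLSv1 under "enables by default", an HTTP client that takes only an SSLContext will keep offering those versions, and the explicit setEnabledProtocols call (or an equivalent hook in the client library, which the 2.2.0 WS client does not expose) is what actually enforces TLSv1.2.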

Will Sargent

Oct 29, 2013, 11:31:17 AM
to play-fr...@googlegroups.com
There are lots of changes to WS coming down the pike -- making this easier is one of the goals.

Will.



Nathan Murthy

Oct 29, 2013, 3:16:02 PM
to play-fr...@googlegroups.com
Ok, well just a heads up SSLv3 (RFC 6101 - historical), TLSv1.0 (RFC 2246) and TLSv1.1 (RFC 4346) are considered obsolete by IETF. Right now TLSv1.2 is the only approved standard. Also NIST SP 800-131A disallows SHA1 (signing hash for TLSv1.0 and v1.1) after Dec 31, 2013.  

I can understand continuing support for SSLv3 and TLSv1 for backwards compatibility, but Play should at some point support TLSv1.2 as well very soon. About 2/3rds of the internet is insecure because other web programmers are still using obsolete security standards.

Will Sargent

Oct 29, 2013, 3:25:09 PM
to play-fr...@googlegroups.com

Will Sargent
Consultant, Professional Services
Typesafe, the company behind Play Framework, Akka and Scala

Will Sargent

Oct 29, 2013, 3:33:27 PM
to play-fr...@googlegroups.com