Totally insecure SSL defaults about reboot HOT 7 CLOSED

It seems this default behavior comes from AsyncHttpClient's Netty provider

It may be beneficial for you others to re-post this issue in that library's issue tracker. Here's the repo. The benefit of doing so is that dispatch and all other libraries built on top of async http client can pick up the upstream fix.

related

• https://groups.google.com/forum/#!topic/asynchttpclient/wgaAs3lszbI
• http://sonatype.github.io/async-http-client/ssl.html
• http://kevinlocke.name/bits/2012/10/03/ssl-certificate-verification-in-dispatch-and-asynchttpclient/

from reboot.

But feel free to send pull requests here as well.

from reboot.

As of 0.11.3, this seems to be fixed (due to a Netty provider change?).

from reboot.

Ran into this: AsyncHttpClient/async-http-client#991

Dispatch still uses SSLv2 and SSLv3 so this issue is definitely not done. If you guys upgrade to AsyncHttpClient 1.9.31 instead, this will fix the issue, as AHC will provide sane enabledProtocol defaults.

from reboot.

Alternative workaround is to manually bump your AHC version to 1.9.31 in sbt/gradle/maven/etc:

Or put this:

    val config = new AsyncHttpClientConfig.Builder()
      .setUserAgent("Dispatch/%s" format BuildInfo.version)
      .setEnabledProtocols(Array[String]("TLSv1.2", "TLSv1.1", "TLSv1"))
      .build

    val client = new AsyncHttpClient(config)
    Http(client)

from reboot.

Dispatch >= 0.12.x is using a version of AHC that should have this bug fixed.

Given the nature of this bug I'm going to classify this as a critical security issue and issue a build named 0.11.4 that upgrades the AHC client for that version to 1.9.40.

from reboot.

Dispatch v0.11.4 has been released and should be on Maven Central shortly. AHC has been bumped to verison 1.19.40 in that release, which should resolve this issue.

from reboot.