TLS 1.2 support for HTTP Operations
Anyone using OO HTTP operations against endpoints that only allow TLS 1.2 protocol?
To satisfy federal security requirements all our company's endpoints are being locked down to only allow TLS1.2. While HPE fully supports the ability to lock down the Central UI, its HTTP client operations do not have the ability to talk to endpoints that have been locked down. We've had to file several exceptions with auditors to keep some endpoints from being locked down but that's only buying us a few months of time.
According to the HTTP client documentation, OO uses Apache HttpClient 4.3 libraries. "To accomplish this it uses the third parties from Apache: HttpClient 4.3, HttpCore 4.3" As far as I can tell, these versions do not support any TLS protocols beyond 1.0. Furthermore, support for TLS1.2 has just recently been added to an ALPHA version of HttpCore 5.0. https://archive.apache.org/dist/httpcomponents/httpcore/RELEASE_NOTES-5.0.x.txt
I have submitted an enhancement request to HPE for TLS1.2 support in HTTP operations but I suspect they won't be able to accommodate the request until the underlying Apache libs have been updated. https://softwaresupport.hpe.com/group/softwaresupport/search-result/-/facetsearch/document/LID/QCCR8C32799
So, in the meantime, I'm considering building a flow that uses curl for HTTP communications. My biggest concern with this approach is error handling. We built a good amount of error handling around the HTTP client operations. Adding curl into the mix introduces another level of potential errors.
Is anyone using curl as a replacement for OO's HTTP client operations?
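One way to keep error handling explicit when a flow shells out to curl, as the question above considers. This is an added example, not part of the original thread and not HPE code; the function names, error categories, timeouts and the `CURL_BIN` override are assumptions.

```shell
#!/bin/sh
# Hypothetical wrapper: function names, categories and timeouts are assumptions.
CURL_BIN="${CURL_BIN:-curl}"   # overridable so the wrapper can be exercised offline

# Map a curl exit code to a coarse category the calling flow can branch on.
classify_curl_exit() {
    case "$1" in
        0)           echo OK ;;
        5|6|7)       echo NETWORK ;;        # proxy/DNS resolution, connect failure
        28)          echo TIMEOUT ;;
        35|59)       echo TLS_HANDSHAKE ;;  # e.g. no protocol version or cipher in common
        51|58|60|77) echo TLS_CERT ;;       # certificate or CA bundle problems
        *)           echo CURL_ERROR ;;
    esac
}

# Map an HTTP status code to a category, separate from transport errors.
classify_http_status() {
    case "$1" in
        2??)     echo OK ;;
        3??)     echo REDIRECT ;;
        401|403) echo AUTH ;;
        4??)     echo CLIENT_ERROR ;;
        5??)     echo SERVER_ERROR ;;
        *)       echo NO_RESPONSE ;;
    esac
}

# tls12_get URL BODY_FILE
# Prints "CATEGORY curl_exit http_status"; returns 0 only when CATEGORY is OK.
# The body is a subshell ( ... ) so its variables do not leak into the caller.
tls12_get() (
    url=$1
    body=$2
    rc=0
    # --tlsv1.2 refuses anything below TLS 1.2; --proto blocks non-HTTPS schemes.
    status=$("$CURL_BIN" --silent --show-error --proto '=https' --tlsv1.2 \
        --connect-timeout 10 --max-time 60 \
        --output "$body" --write-out '%{http_code}' "$url") || rc=$?
    category=$(classify_curl_exit "$rc")
    if [ "$category" = OK ]; then
        category=$(classify_http_status "$status")
    fi
    echo "$category $rc ${status:-000}"
    [ "$category" = OK ]
)
```

Keeping curl's exit code and the HTTP status as two separate fields lets the flow tell a TLS or network failure apart from an application-level error response.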
Unfortunately I can't help you with your curl query... I would like to voice my support of your request. My organisation uses several HPE tools, and all of them are lacking in terms of supporting CURRENT versions of software they should integrate with, and most importantly CURRENT security requirements.
It would be nice if HPE could dedicate a single software security team to control / review / mandate ALL HPE software security related functionality. Unfortunately it's left to each software stream's coders to manage all these security and compatibility issues, and given the split, reduction in profits, moving coders between India, the Middle East and Eastern Europe, consistency and quality have reduced. (This is based on my over 10 years using HP/HPE software.)