HockeyGoonNorm Valued Contributor.

TLS 1.2 support for HTTP Operations

Anyone using OO HTTP operations against endpoints that only allow TLS 1.2 protocol? 

To satisfy federal security requirements all our company's endpoints are being locked down to only allow TLS1.2. While HPE fully supports the ability to lock down the Central UI, its HTTP client operations do not have the ability to talk to endpoints that have been locked down. We've had to file several exceptions with auditors to keep some endpoints from being locked down but that's only buying us a few months of time. 

According to the HTTP client documentation, OO uses Apache HttpClient 4.3 libraries. "To accomplish this it uses the third parties from Apache: HttpClient 4.3, HttpCore 4.3" As far as I can tell, these versions do not support any TLS protocols beyond 1.0. Furthermore, support for TLS1.2 has just recently been added to an ALPHA version of HttpCore 5.0. https://archive.apache.org/dist/httpcomponents/httpcore/RELEASE_NOTES-5.0.x.txt

I have submitted an enhancement request to HPE for TLS1.2 support in HTTP operations but I suspect they won't be able to accommodate the request until the underlying Apache libs have been updated. https://softwaresupport.hpe.com/group/softwaresupport/search-result/-/facetsearch/document/LID/QCCR8C32799

So, in the meantime, I'm considering building a flow that uses curl for HTTP communications. My biggest concern with this approach is error handling. We built a good amount of error handling around the HTTP client operations. Adding curl into the mix introduces another level of potential errors.

Is anyone using curl as a replacement for OO's HTTP client operations?  

thanks.

 

 

0 Likes
1 Reply
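One way to approach the error-handling concern raised in the question, as an added example that is not part of the original post or of OO: a POSIX shell wrapper that requires TLS 1.2 or later and turns curl's exit code and the HTTP status into one result word a flow can branch on. The function names, result words and timeout values are assumptions.

```shell
#!/bin/sh
# Added example: names and result words below are assumptions, not OO APIs.

# Map curl's exit code and the HTTP status to one result word.
classify_result() {
    rc=$1; http=$2
    case "$rc" in
        0)     ;;  # transfer finished, so judge by the HTTP status below
        6)     echo DNS_FAILURE; return ;;
        7)     echo CONNECT_FAILURE; return ;;
        28)    echo TIMEOUT; return ;;
        35)    echo TLS_HANDSHAKE_FAILURE; return ;;  # e.g. no shared TLS version
        51|60) echo TLS_CERT_FAILURE; return ;;       # server certificate not trusted
        *)     echo "CURL_ERROR_$rc"; return ;;
    esac
    case "$http" in
        2??) echo SUCCESS ;;
        4??) echo HTTP_CLIENT_ERROR ;;
        5??) echo HTTP_SERVER_ERROR ;;
        *)   echo "HTTP_UNEXPECTED_$http" ;;
    esac
}

# Usage: https_get URL BODY_FILE
# Prints "<RESULT> <http_status>"; returns 0 only on SUCCESS.
# curl's own error text is kept in BODY_FILE.err for the flow to log.
https_get() {
    url=$1; body_file=$2
    case "$url" in
        https://*) ;;
        *) echo "REJECTED_NOT_HTTPS 000"; return 2 ;;
    esac
    rc=0
    # --tlsv1.2 makes TLS 1.2 the minimum; --proto '=https' forbids plain HTTP.
    http=$(curl --silent --show-error --proto '=https' --tlsv1.2 \
                --connect-timeout 10 --max-time 60 \
                --output "$body_file" --write-out '%{http_code}' \
                "$url" 2>"$body_file.err") || rc=$?
    http=${http:-000}
    result=$(classify_result "$rc" "$http")
    echo "$result $http"
    [ "$result" = SUCCESS ]
}
```

Redirects are not followed, so a 3xx response is reported as `HTTP_UNEXPECTED_3xx` instead of being chased to another endpoint.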
Brett Simpson_1 Super Contributor.

Re: TLS 1.2 support for HTTP Operations

Unfortunately I can't help you with your curl query... I would like to voice my support of your request. My organisation uses several HPE tools, and all of them are lacking in terms of supporting CURRENT versions of software they should integrate with, and most importantly CURRENT security requirements.

 

It would be nice if HPE could dedicate a single software security team to control / review / mandate ALL HPE software security related functionality.. unfortunately it's left to each software stream's coders to manage all these security and compatibility issues, and given the split, reduction in profits, moving coders between India, Middle East and Eastern Europe.. consistency and quality has reduced. (This is based on my over 10 years using HP/HPE software.)

 

cheers

0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.