Deprecated DefaultHttpClient with Weak TLS Support

Medium Risk | Network Security
Tags: java, httpclient, tls, ssl, deprecated, apache, mitm

What it is

Apache HttpClient's DefaultHttpClient is deprecated and lacks support for modern TLS protocols (TLS 1.2, 1.3). This client may negotiate weak TLS versions, use insecure cipher suites, or have inadequate hostname verification, making HTTPS connections vulnerable to man-in-the-middle attacks that can intercept or modify sensitive data in transit.

import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.HttpResponse;

// VULNERABLE: deprecated DefaultHttpClient lacks TLS 1.2 support
DefaultHttpClient httpClient = new DefaultHttpClient();

// This may use weak TLS versions and ciphers
HttpGet request = new HttpGet("https://api.example.com/data");
HttpResponse response = httpClient.execute(request);

// Process response...
httpClient.getConnectionManager().shutdown();

// Risk: Connection may negotiate TLS 1.0 with weak ciphers,
// enabling man-in-the-middle attacks

import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.ssl.SSLContextBuilder;
import javax.net.ssl.SSLContext;

// SECURE: modern HttpClientBuilder with TLS 1.2+
try {
    // Configure SSL context for TLS 1.2+
    SSLContext sslContext = SSLContextBuilder.create()
            .setProtocol("TLSv1.2")
            .build();

    // Configure SSL socket factory: the context's protocol name alone does not
    // stop an older JVM from also enabling TLS 1.0/1.1, so list the allowed
    // protocol versions explicitly, keep the JVM's default cipher suites (null)
    // and use the strict default hostname verifier
    SSLConnectionSocketFactory sslSocketFactory =
            new SSLConnectionSocketFactory(
                    sslContext,
                    new String[] { "TLSv1.2", "TLSv1.3" },
                    null,
                    SSLConnectionSocketFactory.getDefaultHostnameVerifier());

    // Build secure HTTP client and close it when done
    try (CloseableHttpClient httpClient = HttpClientBuilder.create()
            .setSSLSocketFactory(sslSocketFactory)
            .build()) {
        HttpGet request = new HttpGet("https://api.example.com/data");
        try (CloseableHttpResponse response = httpClient.execute(request)) {
            // Process response...
        }
    }
} catch (Exception e) {
    // Handle SSL configuration errors
}

💡 Why This Fix Works

The vulnerable code uses deprecated DefaultHttpClient which may negotiate weak TLS versions (1.0, 1.1) and insecure cipher suites, exposing HTTPS traffic to man-in-the-middle attacks. The secure version uses HttpClientBuilder with explicit TLS 1.2+ configuration and proper hostname verification.

Why it happens

Instantiating DefaultHttpClient which lacks TLS 1.2+ support.

Root causes

Using Deprecated DefaultHttpClient

Instantiating DefaultHttpClient which lacks TLS 1.2+ support.

Weak TLS Version Negotiation

DefaultHttpClient may negotiate TLS 1.0 or 1.1 with weak cipher suites.

Inadequate Hostname Verification

Default hostname verification may be insufficient in older versions.

Fixes

1. Use HttpClientBuilder

   Replace DefaultHttpClient with the modern HttpClientBuilder API.

2. Configure TLS 1.2+

   Explicitly configure the SSL context to require TLS 1.2 or higher.

3. Update Apache HttpClient

   Update to a supported Apache HttpClient version (4.5+ or 5.x).
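The same hardening on the HttpClient 5.x API that fix 3 points to, as an added example that is not code from the Sourcery page or from the Apache project: it assumes the httpclient5 5.1+ artifact on the classpath, the class name HardenedHttpClient is hypothetical, and the URL is a placeholder.

```java
import org.apache.hc.client5.http.classic.methods.HttpGet;
import org.apache.hc.client5.http.impl.classic.CloseableHttpClient;
import org.apache.hc.client5.http.impl.classic.HttpClients;
import org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManagerBuilder;
import org.apache.hc.client5.http.io.HttpClientConnectionManager;
import org.apache.hc.client5.http.ssl.DefaultHostnameVerifier;
import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory;
import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactoryBuilder;
import org.apache.hc.core5.http.ssl.TLS;
import org.apache.hc.core5.ssl.SSLContexts;

import java.io.IOException;

/** Hypothetical helper: builds an HttpClient 5.x client that only offers TLS 1.2/1.3. */
public final class HardenedHttpClient {

    public static CloseableHttpClient create() {
        // Socket factory: system trust store, TLS 1.3/1.2 only, strict hostname check.
        // TLS 1.0/1.1 are never offered, so a downgrade to them cannot be negotiated.
        // Cipher suites are left at the JVM defaults; setCiphers(...) can narrow them.
        SSLConnectionSocketFactory sslFactory = SSLConnectionSocketFactoryBuilder.create()
                .setSslContext(SSLContexts.createSystemDefault())
                .setTlsVersions(TLS.V_1_3, TLS.V_1_2)
                .setHostnameVerifier(new DefaultHostnameVerifier())
                .build();

        // In 5.x the socket factory is attached through the connection manager,
        // not directly on the client builder as in 4.x
        HttpClientConnectionManager connectionManager =
                PoolingHttpClientConnectionManagerBuilder.create()
                        .setSSLSocketFactory(sslFactory)
                        .build();

        return HttpClients.custom()
                .setConnectionManager(connectionManager)
                .build();
    }

    public static void main(String[] args) throws IOException {
        // Placeholder endpoint; any HTTPS service works here
        HttpGet request = new HttpGet("https://api.example.com/data");
        try (CloseableHttpClient client = create()) {
            // execute(request, handler) releases the connection once the handler returns
            int status = client.execute(request, response -> response.getCode());
            System.out.println("HTTP status: " + status);
        }
    }
}
```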

Detect This Vulnerability in Your Code

Sourcery automatically identifies deprecated DefaultHttpClient usage with weak TLS support and many other security issues in your codebase.