Not a good practice to manipulate System level property and only allow TLS 1.2

[thetasp]

In ApiClient.java Following codes are being executed every time the API Client is created. System.setProperty("https.protocols", "TLSv1.2"); and HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());

This is not the right approach for the reasons

1. A client library should not change the caller/system level behavior which could create un-wanted impact to the whole system.
2. Setting system level protocols to only support 1.2 prevented the use of other protocol such as TLSv1.3 by the system
3. setProperty changes the global variable and it is not thread safe

The recommended approach should be

1. Check to make sure TLSv1.2 is supported and throw exception if it is not.

[zack-docusign]

Hello @thetasp, thanks for bringing this to our attention. I went ahead and filed DCM-8192 for our engineers to take a look. -Zack DocuSign Support

[thetasp]

Another option to consider is to remove the enforcement of TLS 1.2 from the client and only enforce it from the server. ie. Server only accept TLS 1.2 or above. The SSL Handshake will automatically find the protocol that can be accepted by both parties. This will eliminate SSL vulnerabilities across all connections, not only to those who use docusign client

[vinz]

Hi @thetasp ,

The fix was provided in 2022, Since the functionality is now working as intended, I'm going ahead and closing this issue.

Feel free to open new issue if you still face the same problem or have any new ideas / suggestions.

Thanks, Vinay

[adinaclaudia]

hi @vinz , the funtionality is not working as intended. We even have a bug opened with docusign support which is still in progress since March. The change referenced by @thetasp was pushed on a branch that doesn't seem to have gotten merge in any release.