diff --git a/RELEASE_NOTES.txt b/RELEASE_NOTES.txt
index a0dd7d4bc..0fe9886ea 100644
--- a/RELEASE_NOTES.txt
+++ b/RELEASE_NOTES.txt
@@ -6,7 +6,10 @@
   Contributed by Gary Gregory <ggregory at apache.org>
 
 * [HTTPCLIENT-1858] Alleviate GC pressure due to wire logging.
+  Contributed by Gary Gregory <ggregory at apache.org>
 
+* [HTTPASYNC-124] Add doPrivileged blocks to async client and connection manager builders
+  Contributed by Jay Modi <jay at elastic dot co>
 
 Release 5.0-ALPHA2
 -------------------
diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/async/HttpAsyncClientBuilder.java b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/async/HttpAsyncClientBuilder.java
index 0a7e02d48..68848496e 100644
--- a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/async/HttpAsyncClientBuilder.java
+++ b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/async/HttpAsyncClientBuilder.java
@@ -30,6 +30,8 @@ package org.apache.hc.client5.http.impl.async;
 import java.io.Closeable;
 import java.io.IOException;
 import java.net.ProxySelector;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.LinkedList;
@@ -749,7 +751,7 @@ public class HttpAsyncClientBuilder {
         String userAgentCopy = this.userAgent;
         if (userAgentCopy == null) {
             if (systemProperties) {
-                userAgentCopy = System.getProperty("http.agent");
+                userAgentCopy = getProperty("http.agent", null);
             }
             if (userAgentCopy == null) {
                 userAgentCopy = VersionInfo.getSoftwareInfo("Apache-HttpAsyncClient",
@@ -831,8 +833,14 @@ public class HttpAsyncClientBuilder {
             if (proxy != null) {
                 routePlannerCopy = new DefaultProxyRoutePlanner(proxy, schemePortResolverCopy);
             } else if (systemProperties) {
+                final ProxySelector defaultProxySelector = AccessController.doPrivileged(new PrivilegedAction<ProxySelector>() {
+                    @Override
+                    public ProxySelector run() {
+                        return ProxySelector.getDefault();
+                    }
+                });
                 routePlannerCopy = new SystemDefaultRoutePlanner(
-                        schemePortResolverCopy, ProxySelector.getDefault());
+                        schemePortResolverCopy, defaultProxySelector);
             } else {
                 routePlannerCopy = new DefaultRoutePlanner(schemePortResolverCopy);
             }
@@ -874,7 +882,7 @@ public class HttpAsyncClientBuilder {
         ConnectionReuseStrategy reuseStrategyCopy = this.reuseStrategy;
         if (reuseStrategyCopy == null) {
             if (systemProperties) {
-                final String s = System.getProperty("http.keepAlive", "true");
+                final String s = getProperty("http.keepAlive", "true");
                 if ("true".equalsIgnoreCase(s)) {
                     reuseStrategyCopy = DefaultConnectionReuseStrategy.INSTANCE;
                 } else {
@@ -998,4 +1006,13 @@ public class HttpAsyncClientBuilder {
                 closeablesCopy);
     }
 
+    private String getProperty(final String key, final String defaultValue) {
+        return AccessController.doPrivileged(new PrivilegedAction<String>() {
+            @Override
+            public String run() {
+                return System.getProperty(key, defaultValue);
+            }
+        });
+    }
+
 }
diff --git a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/nio/PoolingAsyncClientConnectionManagerBuilder.java b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/nio/PoolingAsyncClientConnectionManagerBuilder.java
index cce713d64..2af512ce3 100644
--- a/httpclient5/src/main/java/org/apache/hc/client5/http/impl/nio/PoolingAsyncClientConnectionManagerBuilder.java
+++ b/httpclient5/src/main/java/org/apache/hc/client5/http/impl/nio/PoolingAsyncClientConnectionManagerBuilder.java
@@ -37,6 +37,9 @@ import org.apache.hc.core5.pool.ConnPoolListener;
 import org.apache.hc.core5.pool.ConnPoolPolicy;
 import org.apache.hc.core5.util.TimeValue;
 
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+
 /**
  * Builder for {@link PoolingAsyncClientConnectionManager} instances.
  * <p>
@@ -176,10 +179,7 @@ public class PoolingAsyncClientConnectionManagerBuilder {
         @SuppressWarnings("resource")
         final PoolingAsyncClientConnectionManager poolingmgr = new PoolingAsyncClientConnectionManager(
                 RegistryBuilder.<TlsStrategy>create()
-                        .register("https", tlsStrategy != null ? tlsStrategy :
-                                (systemProperties ?
-                                        H2TlsStrategy.getSystemDefault() :
-                                        H2TlsStrategy.getDefault()))
+                        .register("https", getTlsStrategy())
                         .build(),
                 schemePortResolver,
                 dnsResolver,
@@ -196,4 +196,18 @@ public class PoolingAsyncClientConnectionManagerBuilder {
         return poolingmgr;
     }
 
+    private TlsStrategy getTlsStrategy() {
+        if (tlsStrategy != null) {
+            return tlsStrategy;
+        } else if (systemProperties) {
+            return AccessController.doPrivileged(new PrivilegedAction<TlsStrategy>() {
+                @Override
+                public TlsStrategy run() {
+                    return H2TlsStrategy.getSystemDefault();
+                }
+            });
+        } else {
+            return H2TlsStrategy.getDefault();
+        }
+    }
 }