RFR: 8326381: com.sun.net.httpserver.HttpsParameters and SSLStreams incorrectly handle needClientAuth and wantClientAuth [v3]

Jaikiran Pai jpai at openjdk.org
Thu Feb 22 15:41:55 UTC 2024 

On Thu, 22 Feb 2024 15:23:13 GMT, Jaikiran Pai <jpai at openjdk.org> wrote:

>> Can I please get a review of this change which proposes to fix https://bugs.openjdk.org/browse/JDK-8326381?
>> 
>> As noted in the JBS issue, the implementation in `setNeedClientAuth()` and `setWantClientAuth()` of `com.sun.net.httpserver.HttpsParameters` wasn't matching the API specification. The commit in this PR fixes that issue and it now matches the API specification as well as what is done in `javax.net.ssl.SSLParameters` class.
>> 
>> Additionally, as noted in the JBS issue, the (internal class) `sun.net.httpserver.SSLStreams` had a bug where it could end up resetting the `needClientAuth` flag on the `SSLEngine` because of the way the `setNeedClientAuth()` and `setWantClientAuth()` methods were being called on the `SSLEngine`. This too has been fixed in this PR.
>> 
>> A new jtreg test has been introduced to reproduce the issue in the `HttpsParameters` class and verify this fix.
>
> Jaikiran Pai has updated the pull request incrementally with two additional commits since the last revision:
> 
>  - introduce a test to verify the server honours needClientAuth and wantClientAuth when set through HttpsParameters
>  - deprecate the SSL parameters related methods on HttpsParameter

src/jdk.httpserver/share/classes/com/sun/net/httpserver/HttpsParameters.java line 94:

> 92:      *
> 93:      * @deprecated It is recommended that the SSL parameters be configured and
> 94:      * read through the use of {@link SSLParameters}.

One thing of importance here is that the `HttpsParameters` class has a `setSSLParameters(SSLParameters x)` method but doesn't have a `SSLParameters getSSLParameters()` method. So even though this deprecation message says "... read through the use of SSLParameters", the `HttpsParameters` class itself doesn't provide the `SSLParameters` instance to read from. But that should be OK, since the `HttpsParameters` class is just an intermediary for configuring the `HttpsConfigurator`. The server on each new connection will construct a fresh instance of `HttpsParameters` and call the (application specific) `HttpsConfigurator.configure(HttpsParameters p)` where the application can construct and set a `SSLParameters` of choice on the `HttpsParameters`. So the application code already has access to the `SSLParameters` through which it can read the necessary SSL parameters.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/17940#discussion_r1499449320

More information about the net-dev mailing list