A new proposal to add methods to HttpsURLConnection to access SSLSession
Chris Hegarty
chris.hegarty at oracle.com
Wed Oct 31 15:52:29 UTC 2018
Xuelei,
On 30/10/18 20:55, Xuelei Fan wrote:
> Hi,
>
> For the current HttpsURLConnection, there is not much security
> parameters exposed in the public APIs. An application may need richer
> information for the underlying TLS connections, for example the
> negotiated TLS protocol version.
>
> Please let me know if you have concerns to add a new method
> HttpsURLConnection.getSSLSession() and deprecate the duplicated methods,
> by the end of Nov. 2, 2018.
>
> Here is the proposal:
> https://bugs.openjdk.java.net/browse/JDK-8213161
>
> Thanks,
> Xuelei
The new method looks fine.
On the deprecation, minimally the annotation should contain
the "since" element, which will have a value of `12`.
Also, I wonder, now that I see the spec, whether or not it is
actually a good idea to deprecate these methods. The reason
I ask this is that the new method, getSSLSession, can throw
UOE, which effectively makes it an optional method. Access
to the specific security parameters provided by the existing
methods is non-optional. This is a clear difference, and
possibly a reason, for folk not interested in the "new"
parameters, to continue to use the existing methods.
-Chris
More information about the security-dev
mailing list