A new proposal to add methods to HttpsURLConnection to access SSLSession

Chris Hegarty chris.hegarty at oracle.com
Wed Oct 31 15:52:29 UTC 2018


Xuelei,

On 30/10/18 20:55, Xuelei Fan wrote:
> Hi,
> 
> For the current HttpsURLConnection, there is not much security 
> parameters exposed in the public APIs.  An application may need richer 
> information for the underlying TLS connections, for example the 
> negotiated TLS protocol version.
> 
> Please let me know if you have concerns to add a new method 
> HttpsURLConnection.getSSLSession() and deprecate the duplicated methods, 
> by the end of Nov. 2, 2018.
> 
> Here is the proposal:
>      https://bugs.openjdk.java.net/browse/JDK-8213161
> 
> Thanks,
> Xuelei

The new method looks fine.

On the deprecation, minimally the annotation should contain
the "since" element, which will have a value of `12`.

Also, I wonder, now that I see the spec, whether or not it is
actually a good idea to deprecate these methods. The reason
I ask this is that the new method, getSSLSession, can throw
UOE, which effectively makes it an optional method. Access
to the specific security parameters provided by the existing
methods is non-optional. This is a clear difference, and
possibly a reason, for folk not interested in the "new"
parameters, to continue to use the existing methods.

-Chris



More information about the security-dev mailing list