Aftermath of TLS 1.3 in Java 11 with wrapped IOExceptions

Rory O'Donnell rory.odonnell at oracle.com
Mon Dec 2 08:37:44 UTC 2019


On 01/12/2019 13:37, Michael Osipov wrote:
> Hi folks,
>
> I am one of the Apache HttpComponents committers and we get these nags
> once in a while:
>
> -
> https://github.com/apache/httpcomponents-client/pull/178#discussion_r351492056 
>
> - https://issues.apache.org/jira/browse/HTTPCLIENT-2032
> - https://stackoverflow.com/q/56306216/696632
>
> It all boils down to that IOExceptions are not thrown as-is after the
> introduction of TLS 1.3 in Java 11, but now wrapped in SSLExceptions
> (partially fixed by JDK-8214339). This is counterproductive.
>
> Questions:
>
> * Why has this change been made?
> * Why has the incompatible change not properly communicated to the
> users/community?
> * Can this be restored back to Java 8 behavior for 15 (14 not likely?!)
> and 11u?
>
> Looking into [1] the following requirements have been broken:
>>   - Verify that the implementation does not break backward 
>> compatibility in unexpected ways.
>>   - Verify that the implementation does not introduce any unexpected 
>> interoperability issues.
>
> @Rory, can you engage also with Apache HttpComponents? We are not happy
> with the situation.
> I see your mails on other MLs like Maven and Tomcat where I commit too.

Hi Michel, we communicate directly with one of the chairpersons, I'll 
pass on your findings.

Rgds,Rory

>
> Regards,
>
> Michael
>
> [1] https://bugs.java.com/bugdatabase/view_bug.do?bug_id=8145252

-- 
Rgds, Rory O'Donnell
Quality Engineering Manager
Oracle EMEA, Dublin, Ireland



More information about the security-dev mailing list