CSR Review Request, JDK-8218932 Remove the internal package com.sun.net.ssl

Sean Mullan sean.mullan at oracle.com
Wed Feb 20 20:21:50 UTC 2019

In the Problem section:

"This internal package is not exported in the java.base module, and 
applications cannot use them directly any more."

That's not quite true. It is not exported but strong encapsulation is 
not yet enabled by default at runtime so by default the APIs are still 
accessible. At compile time, they are not, but you can still use the 
--add-exports option to override that. I would explain this a bit more.

Is the compatibility risk really minimal? I think there are some 
projects still using it, but they have had plenty of advance warning to 
switch. Maybe it should be low with some additional explanation.

Why are you adding "sun.security.ssl.SunJSSE" as a new provider name? I 
didn't understand why that was related to this issue or useful.


On 2/13/19 4:51 PM, Xuelei Fan wrote:
> Hi,
> Could I get the CSR reviewed:
>     https://bugs.openjdk.java.net/browse/JDK-8218932
> The internal package com.sun.net.ssl had been deprecated since JDK 1.4, 
> and was not exported in the java.base module since JDK 9.  Application 
> cannot use them directly now.  It should be safe to remove them in JDK 13.
> If you are using the internal package for some reason, please let me 
> know the compatibility impact by the end of Feb 20, 2019.
> Thanks,
> Xuelei

More information about the security-dev mailing list