RFR JDK-8241039, Retire the deprecated SSLSession.getPeerCertificateChain() method

Daniel Fuchs daniel.fuchs at oracle.com
Mon Mar 16 10:37:19 UTC 2020


Hi Xuelei,

HandshakeCompletedEvent.java: typo:

  186                 "This method has retired, pleaase use the " +

Same in SSLSession.java:

  303             "This method has retired, pleaase use the " +

WRT to the HttpClient code I wonder whether the deprecated method
should be kept. On the one hand I'd welcome the removal of
the implemenatation of terminally deprecated methods.
On the other hand the two classes in HttpClient implement simple
delegation over an SSLSession object. Unless we can guarantee that
this object is our own implementation, maybe the delegation should
be kept - and the throwing of UnsupportedOperationException left
up to the delegate object?

I am not sure what's the best course here.

best regards

-- daniel


On 16/03/2020 04:25, Xuelei Fan wrote:
> Hi,
> 
> Could I get the following update reviewed?
> 
> Bug: https://bugs.openjdk.java.net/browse/JDK-8241039
> CSR: https://bugs.openjdk.java.net/browse/JDK-8241047
> webrev: http://cr.openjdk.java.net/~xuelei/8241039/webrev.00/
> 
> In a preview review thread,
> 
> https://mail.openjdk.java.net/pipermail/security-dev/2020-March/021401.html
> 
> I requested to remove the deprecated javax.security.cert APIs in JDK 15. 
>   Be part of the removal, the deprecated interface method 
> javax.net.ssl.SSLSession.getPeerCertificateChain() is also involved.
> 
> As SSLSession.getPeerCertificateChain() is an interface method, third 
> party's implementation must override this method.  If it is removed, 
> there are compiler errors unless the override implementation get removed 
> in third party's source code.
> 
> Maybe, we could retire SSLSession.getPeerCertificateChain() first, and 
> then come back to remove the deprecated javax.security.cert package in a 
> few years.
> 
> In this update, I'm trying to change 
> SSLSession.getPeerCertificateChain() to default method , throwing 
> exception in the default implementation, and removing the real 
> implementation in the SunJSSE provider and related code (Httpclient).
> 
> Thanks,
> Xuelei




More information about the security-dev mailing list