RFR JDK-8241039, Retire the deprecated SSLSession.getPeerCertificateChain() method

Xuelei Fan xuelei.fan at oracle.com
Mon Mar 16 16:31:12 UTC 2020


On 3/16/2020 3:37 AM, Daniel Fuchs wrote:
> Hi Xuelei,
> 
> HandshakeCompletedEvent.java: typo:
> 
>   186                 "This method has retired, pleaase use the " +
> 
> Same in SSLSession.java:
> 
>   303             "This method has retired, pleaase use the " +
> 
I removed the sections per Alan's comment.

> WRT to the HttpClient code I wonder whether the deprecated method
> should be kept. On the one hand I'd welcome the removal of
> the implementation of terminally deprecated methods.
> On the other hand the two classes in HttpClient implement simple
> delegation over an SSLSession object. Unless we can guarantee that
> this object is our own implementation, maybe the delegation should
> be kept - and the throwing of UnsupportedOperationException left
> up to the delegate object?
> 
> I am not sure what's the best course here.
> 
There are compiler errors if SSLSession.getPeerCertificateChain() gets 
removed while the implementation overrides it.  As one of the goals, the 
implementation, especially a third party provider that is intended to 
support multiple releases, should remove the override implementation as 
soon as possible, without waiting for the removal of the 
SSLSession.getPeerCertificateChain() method.  Otherwise, there are still 
compiler errors when we want to remove this interface method in the future.

It should be fine to keep the HttpClient implementation as it only ships 
with the current JDK release.  But if you don't mind, I would like to 
remove it to show an example of how to handle the method in 
third party source code.


Thanks,
Xuelei

> best regards
> 
> -- daniel
> 
> 
> On 16/03/2020 04:25, Xuelei Fan wrote:
>> Hi,
>>
>> Could I get the following update reviewed?
>>
>> Bug: https://bugs.openjdk.java.net/browse/JDK-8241039
>> CSR: https://bugs.openjdk.java.net/browse/JDK-8241047
>> webrev: http://cr.openjdk.java.net/~xuelei/8241039/webrev.00/
>>
>> In a previous review thread,
>>
>> https://mail.openjdk.java.net/pipermail/security-dev/2020-March/021401.html 
>>
>>
>> I requested to remove the deprecated javax.security.cert APIs in JDK 
>> 15.   As part of the removal, the deprecated interface method 
>> javax.net.ssl.SSLSession.getPeerCertificateChain() is also involved.
>>
>> As SSLSession.getPeerCertificateChain() is an interface method, a third 
>> party's implementation must override this method.  If it is removed, 
>> there are compiler errors unless the override implementation gets 
>> removed in the third party's source code.
>>
>> Maybe, we could retire SSLSession.getPeerCertificateChain() first, and 
>> then come back to remove the deprecated javax.security.cert package in 
>> a few years.
>>
>> In this update, I'm trying to change 
>> SSLSession.getPeerCertificateChain() to a default method, throwing an 
>> exception in the default implementation, and removing the real 
>> implementation in the SunJSSE provider and related code (HttpClient).
>>
>> Thanks,
>> Xuelei
> 
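
The retirement pattern discussed in this thread, as an added example that is not part of the original message, the webrev, or the JDK sources. `Session`, `ProviderSession`, `LegacyProviderSession`, `DelegatingSession` and `RetireDemo` are hypothetical stand-ins for SSLSession, provider implementations and the HttpClient-style wrapper, with certificates reduced to strings.

```java
import java.util.List;

public class RetireDemo {
    // Try the retired accessor first, then fall back to the supported one.
    static String probe(Session s) {
        try {
            return "chain=" + s.getPeerCertificateChain();
        } catch (UnsupportedOperationException e) {
            return "unsupported, fallback=" + s.getPeerCertificates();
        }
    }
    public static void main(String[] args) {
        System.out.println(probe(new ProviderSession()));
        System.out.println(probe(new DelegatingSession(new ProviderSession())));
        System.out.println(probe(new DelegatingSession(new LegacyProviderSession())));
    }
}

// Hypothetical stand-in for javax.net.ssl.SSLSession; certificates reduced to strings.
interface Session {
    List<String> getPeerCertificates();
    // Retired: a default that throws, so implementations can drop their override.
    @Deprecated
    default List<String> getPeerCertificateChain() {
        throw new UnsupportedOperationException("retired, use getPeerCertificates()");
    }
}

// Provider built for multiple releases: no override, so it keeps compiling after removal.
class ProviderSession implements Session {
    public List<String> getPeerCertificates() { return List.of("CN=peer.example"); }
}

// Older provider that still carries a working override of the retired method.
class LegacyProviderSession extends ProviderSession {
    @Override @Deprecated
    public List<String> getPeerCertificateChain() { return getPeerCertificates(); }
}

// Delegating wrapper: forwarding leaves the decision to throw to the delegate,
// but this override stops compiling once the interface method is removed.
class DelegatingSession implements Session {
    private final Session delegate;
    DelegatingSession(Session delegate) { this.delegate = delegate; }
    public List<String> getPeerCertificates() { return delegate.getPeerCertificates(); }
    @Override @Deprecated
    public List<String> getPeerCertificateChain() { return delegate.getPeerCertificateChain(); }
}
```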
