RFR JDK-8239595/JDK-8239594 : ssl context version is not respected/jdk.tls.client.protocols is not respected
Xuelei Fan
xuelei.fan at oracle.com
Thu Mar 26 16:58:49 UTC 2020
With this update, the logic looks like: if TLSv1.3 is not enabled in the
SSLContext, use TLSv1.2 instead; Otherwise, use TLSv1.3 and TLSv1.2.
There may be a couple of issues:
1. TLSv1.2 may be not enabled, although TLSv1.3 is enabled.
For example:
System.setProperty("jdk.tls.client.protocols", "TLSv1.3")
System.setProperty("jdk.tls.client.protocols", "TLSv1.1, TLSv1.0")
2. TLSv1.2 may be not supported in the SSLContext.
For example:
SSLContext context = SSLContext.getInstance("DTLS");
HttpClient.newBuilder().sslContext(context)...
3. The application may not want to use TLS 1.2.
For example:
System.setProperty("jdk.tls.client.protocols", "TLSv1.1, TLSv1.0")
The System property may be shared by code other than httpclient. So the
setting may not consider the impact on httpclient.
I may use enabled protocols only. If no TLSv1.2/TLSv1.3, I may use an
empty protocol array, and test to see what happens in the httpclient
implementation stack.
Xuelei
On 3/26/2020 9:28 AM, Sean Mullan wrote:
> Cross-posting to security-dev as this involves TLS/SSL configuration.
>
> --Sean
>
> On 3/26/20 10:02 AM, rahul.r.yadav at oracle.com wrote:
>> Hello,
>>
>> Request to have my fix reviewed for issues:
>>
>> JDK-8239595 : ssl context version is not respected
>> JDK-8239594 : jdk.tls.client.protocols is not respected
>>
>> The fix updates
>> jdk.internal.net.http.HttpClientImpl.getDefaultParams(SSLContext ctx)
>> to use ctx.getDefaultSSLParameters()instead of
>> ctx.getSupportedSSLParameters(),
>> as the latter does not respect the context parameters set by the user.
>>
>> Issue: https://bugs.openjdk.java.net/browse/JDK-8239595
>> Issue: https://bugs.openjdk.java.net/browse/JDK-8239594
>>
>> Webrev:
>> http://cr.openjdk.java.net/~jboes/rayayada/webrevs/8239595/webrev.00/
>>
>> -- Rahul
More information about the security-dev
mailing list