Different way to solve 8241047
Philippe Marschall
kustos at gmx.net
Sun Oct 3 15:32:05 UTC 2021
Hello
First I hope this is the right mailing list. Second, I realize I'm late
to the party and this ship may already have sailed.
We're using a third party library from a vendor that calls
SSLSession.getPeerCertificateChain() [1]. The vendor is unlikely to ship
a JDK 17 compatible version of this library this decade.
I was wondering if any consideration was given to implementing
#getPeerCertificateChain by calling #getPeerCertificates [2] and
implementing javax.security.cert.X509Certificate by delegating to
java.security.cert.X509Certificate [3]. I believe this would preserve
source, binary and behavior compatibility while at the same time freeing
implementations from having to deal with javax.security.cert types or
#getPeerCertificateChain.
The third party library we use does support configuring a custom
SSLSocketFactory and we'll likely go with a custom SSLSocketFactory.
[1] https://bugs.openjdk.java.net/browse/JDK-8241047
[2]
https://github.com/marschall/legacy-compatibility-ssl-socket-factory/blob/master/src/main/java/com/github/marschall/legacycompatibilitysslsocketfactory/LegacyCompatibilitySSLSession.java#L86
[3]
https://github.com/marschall/legacy-compatibility-ssl-socket-factory/blob/master/src/main/java/com/github/marschall/legacycompatibilitysslsocketfactory/CertificateAdapter.java
Cheers
Philippe
More information about the security-dev
mailing list