Different way to solve 8241047

Sean Mullan sean.mullan at oracle.com
Tue Oct 5 14:27:27 UTC 2021


Hi Philippe,

On 10/3/21 11:32 AM, Philippe Marschall wrote:
> Hello
> 
> First I hope this is the right mailing list. Second, I realize I'm late
> to the party and this ship may already have sailed.

Yes, this is the right mailing list.

> We're using a third party library from a vendor that calls
> SSLSession.getPeerCertificateChain() [1]. The vendor is unlikely to ship
> a JDK 17 compatible version of this library this decade.

The method in question has not been removed from 17 so their code should 
continue to work as long as the deprecated methods continue to be 
overridden. It's unfortunate that the 3rd party library cannot be 
changed - is it active? The SSLSession.getPeerCertificateChain() has 
been deprecated since Java 9 and marked for removal since Java 13, and 
there has been a replacement API available 
SSLSession.getPeerCertificates() since Java 1.4. That's a lot of time to 
migrate.

> I was wondering if any consideration was given to implementing
> #getPeerCertificateChain by calling #getPeerCertificates [2] and
> implementing javax.security.cert.X509Certificate by delegating to
> java.security.cert.X509Certificate [3]. I believe this would preserve
> source, binary and behavior compatibility while at the same time freeing
> implementations from having to deal with javax.security.cert types or
> #getPeerCertificateChain.

It is an interesting suggestion and I can see your point. I don't think 
there is any fundamental reason we could not change the default 
implementation of the SSLSession.getPeerCertificateChain() method, but 
since it would be a change to the specification, it could not be 
backported to 17. Also, these methods are marked for removal, so 
changing the default implementation at this point probably doesn't add 
much value.

--Sean

> The third party library we use does support configuring a custom
> SSLSocketFactory and we'll likely go with a custom SSLSocketFactory.
> 
>    [1] https://bugs.openjdk.java.net/browse/JDK-8241047
>    [2]
> https://github.com/marschall/legacy-compatibility-ssl-socket-factory/blob/master/src/main/java/com/github/marschall/legacycompatibilitysslsocketfactory/LegacyCompatibilitySSLSession.java#L86
>    [3]
> https://github.com/marschall/legacy-compatibility-ssl-socket-factory/blob/master/src/main/java/com/github/marschall/legacycompatibilitysslsocketfactory/CertificateAdapter.java
> 
> Cheers
> Philippe
> 
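The delegating approach described in the thread (implement getPeerCertificateChain() on top of getPeerCertificates(), with an adapter that presents a java.security.cert.X509Certificate as the legacy javax.security.cert type), written out as an added example. This is an illustration, not the OpenJDK change or the code in the linked repository; the class name LegacyX509Adapter and the peerChain helper are assumed names, and the pattern-matching instanceof assumes Java 16 or later.

```java
import java.math.BigInteger;
import java.security.*;
import java.util.Date;
import javax.net.ssl.*;
import javax.security.cert.*;  // legacy X509Certificate and its own exception classes
// Hypothetical adapter (not JDK code): exposes a java.security.cert.X509Certificate as the legacy type.
@SuppressWarnings("removal")
public final class LegacyX509Adapter extends X509Certificate {
    private final java.security.cert.X509Certificate cert;
    public LegacyX509Adapter(java.security.cert.X509Certificate cert) { this.cert = cert; }
    // The delegating getPeerCertificateChain() proposed in the thread: reuse getPeerCertificates()
    // and wrap each entry. An unauthenticated peer already throws SSLPeerUnverifiedException there.
    public static X509Certificate[] peerChain(SSLSession session) throws SSLPeerUnverifiedException {
        java.security.cert.Certificate[] chain = session.getPeerCertificates();
        X509Certificate[] out = new X509Certificate[chain.length];
        for (int i = 0; i < chain.length; i++) {
            if (!(chain[i] instanceof java.security.cert.X509Certificate x))
                throw new SSLPeerUnverifiedException("non-X.509 certificate at index " + i);
            out[i] = new LegacyX509Adapter(x);
        }
        return out;
    }
    // The two packages declare distinct exception classes, so each one is translated, not passed through.
    @Override public byte[] getEncoded() throws CertificateEncodingException {
        try { return cert.getEncoded(); } catch (java.security.cert.CertificateEncodingException e) { throw new CertificateEncodingException(e.getMessage()); }
    }
    @Override public void verify(PublicKey key) throws CertificateException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException {
        try { cert.verify(key); } catch (java.security.cert.CertificateException e) { throw new CertificateException(e.getMessage()); }
    }
    @Override public void verify(PublicKey key, String provider) throws CertificateException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException {
        try { cert.verify(key, provider); } catch (java.security.cert.CertificateException e) { throw new CertificateException(e.getMessage()); }
    }
    @Override public void checkValidity() throws CertificateExpiredException, CertificateNotYetValidException { checkValidity(new Date()); }
    @Override public void checkValidity(Date d) throws CertificateExpiredException, CertificateNotYetValidException {
        try { cert.checkValidity(d); }
        catch (java.security.cert.CertificateExpiredException e) { throw new CertificateExpiredException(e.getMessage()); }
        catch (java.security.cert.CertificateNotYetValidException e) { throw new CertificateNotYetValidException(e.getMessage()); }
    }
    @Override public PublicKey getPublicKey() { return cert.getPublicKey(); }
    @Override public int getVersion() { return cert.getVersion(); }
    @Override public BigInteger getSerialNumber() { return cert.getSerialNumber(); }
    @Override public Principal getIssuerDN() { return cert.getIssuerX500Principal(); }
    @Override public Principal getSubjectDN() { return cert.getSubjectX500Principal(); }
    @Override public Date getNotBefore() { return cert.getNotBefore(); }
    @Override public Date getNotAfter() { return cert.getNotAfter(); }
    @Override public String getSigAlgName() { return cert.getSigAlgName(); }
    @Override public String getSigAlgOID() { return cert.getSigAlgOID(); }
    @Override public byte[] getSigAlgParams() { return cert.getSigAlgParams(); }
    @Override public String toString() { return cert.toString(); }
}
```

Callers of the legacy API only ever see the adapter, so a custom SSLSession (or SSLSocketFactory, as Philippe mentions) can implement getPeerCertificateChain() as a one-line call to peerChain(this) without touching javax.security.cert parsing itself.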