RFR: 8296820: Add implementation note to SSLContext.getInstance noting subsequent behavior if protocol is disabled

Sean Mullan mullan at openjdk.org
Tue Nov 15 22:14:06 UTC 2022


On Tue, 15 Nov 2022 19:12:19 GMT, Xue-Lei Andrew Fan <xuelei at openjdk.org> wrote:

> > It may not be an option to stop at SSLContext.getInstance() if the protocol is disabled rather than delay to handshaking, as an application can still have the protocol back by overriding the default security properties.
> 
> I may be wrong. The security property may be loaded just one time, and a follow-on update will not take effect. If that is the case, is it an option to stop at SSLContext.getInstance()?

It is not specified if the property is read only once or multiple times. However, the JDK implementation reads it once and also when it creates an SSLContext, so there is no chance to modify it later.

-------------

PR: https://git.openjdk.org/jdk/pull/11172

