RFR: 8296820: Add implementation note to SSLContext.getInstance noting subsequent behavior if protocol is disabled

Xue-Lei Andrew Fan xuelei at openjdk.org
Wed Nov 16 03:26:56 UTC 2022 

On Tue, 15 Nov 2022 22:53:35 GMT, Sean Mullan <mullan at openjdk.org> wrote:

> > BTW, the protocol for SSLContext.getInstance() method is not a TLS protocol. It is more of a context-algorithm. For example, SSLContext.getInstance("TLSv1.3") could support TLS 1.0/1.1/1.2/1.3. It may be not usual, but if TLS 1.3 is disabled, and TLS 1.2 not, the connection should be able to established with TLS 1.2. In the description, it would be nice to make it clean what the 'protocol" means in different circumstances.
> 
> Yes, it might be useful to add something like "The returned SSLContext implements the specified protocol version, and may also implement other protocol versions." But I think it could be covered in a separate issue.
> 

I was not meant to add this kind of description.  I meant that the "specified protocol" in the description is not a TLS protocol version, and hence it could not be referred as TLS protocol version.

> The wording in this PR specifically refers to the protocol version that was specified. It isn't covering other optional protocols that may be supported.

I may be wrong.  But let me check.  For example, the code looks like:
`    SSLContext context = SSLContext.getInstance("TLSv1.3");
`
 
Per "The wording in this PR specifically refers to the protocol version that was specified", I guess "the protocol version that was specified" is "TLSv1.3".  And for code like `SSLContext context = SSLContext.getInstance("TLSv1.2");` I guess the "the protocol version that was specified" is "TLSv1.2".


If the property looks like `jdk.tls.disabledAlgorithms=TLSv1.3`, the `"TLSv1.3"` specified in the security property is not the one specified in `SSLContext.getInstance("TLSv1.3");`. They are two different concepts.  The one in `SSLContext.getInstance("TLSv1.3");` refers to SSLContext protocol, while the one  in `jdk.tls.disabledAlgorithms=TLSv1.3` refers to TLS versions.

However, in the following description:

     * ... However, if the specified provider is "SunJSSE",
     * subsequent operations that attempt to use the specified protocol will
     * fail with an {@code SSLHandshakeException}."

if "the specified protocol" is referring to TLS version, it is not correct. 

If I get it right, the context in the example above can be used to establish connections for TLS 1.0/1.1/1.2.  The description in the PR , "will fail with ...", may be not true.

-------------

PR: https://git.openjdk.org/jdk/pull/11172

More information about the security-dev mailing list