Could we backport the default SSLSession.getPeerCertificateChain method to 11?

Eirik Bjørsnøs eirbjo at gmail.com
Fri Apr 14 12:00:42 UTC 2023


Hi,

I've been reaching out to various open source projects in an effort to
reduce the ecosystem risk of removing the javax.security.cert package, see
JDK-8227024 [1].

I contributed a patch to Tomcat, which was accepted, but not backported to
versions running on Java 11. Since Java 11 does not have the default
implementation for SSLSession.getPeerCertificateChain, any implementation
not overriding this method would give a compilation error.

We observe a similar situation in JBoss Undertow/Wildfly, where my PR to
remove javax.security.cert compiles fine under Java 17, but fails to
compile on Java 11:

SNISSLEngine.java:[211,69] error: <anonymous
io.undertow.protocols.ssl.SNISSLEngine$InitialState$1> is not abstract and
does not override abstract method getPeerCertificateChain() in SSLSession


So I was wondering if at all it would be possible to backport the
default SSLSession.getPeerCertificateChain method to 11? It seems this
would help the ecosystem move forward in reducing the dependency on
javax.security.cert.

What would the compatibility concerns for such a backport be? Is it at all
possible? The method was deprecated in Java 9, for-removal in Java 13.

Thanks,
Eirik.

[1] https://bugs.openjdk.org/browse/JDK-8227024


More information about the security-dev mailing list