Could we backport the default SSLSession.getPeerCertificateChain method to 11?
Sean Mullan
sean.mullan at oracle.com
Fri Apr 14 19:18:00 UTC 2023

Hi Eirik,

On 4/14/23 8:00 AM, Eirik Bjørsnøs wrote:
> Hi,
>
> I've been reaching out to various open source projects in an effort to
> reduce the ecosystem risk of removing the javax.security.cert package,
> see JDK-8227024 [1].
>
> I contributed a patch to Tomcat, which was accepted, but not backported
> to versions running on Java 11. Since Java 11 does not have the default
> implementation for SSLSession.getPeerCertificateChain, any
> implementation not overriding this method would give a compilation error.
>
> We observe a similar situation in JBoss Undertow/Wildfly, where my PR to
> remove javax.security.cert compiles fine under Java 17, but fails to
> compile on Java 11:
>
> SNISSLEngine.java:[211,69] error: <anonymous
> io.undertow.protocols.ssl.SNISSLEngine$InitialState$1> is not
> abstract and does not override abstract method
> getPeerCertificateChain() in SSLSession
>
>
> So I was wondering if at all it would be possible to backport the
> default SSLSession.getPeerCertificateChain method to 11? It seems this
> would help the ecosystem move forward in reducing the dependency on
> javax.security.cert.

In order to backport that change to Java SE 11, an MR (Maintenance
Release of Java SE) would be required. See the CSR [1] for more details,
which has a scope of SE.

There is an MR for Java SE 11 that is in progress [2]. Unfortunately, it
is too late and this issue is not critical enough to justify it being
added at this point.
>
> What would the compatibility concerns for such a backport be? Is it at
> all possible? The method was deprecated in Java 9, for-removal in Java 13.

Not possible right now AFAICT, but I will keep it in mind as a candidate
API change for the next MR, if and when that may occur.

--Sean

[1] https://bugs.openjdk.org/browse/JDK-8241047
[2] https://jcp.org/en/jsr/detail?id=384

>
> Thanks,
> Eirik.
>
> [1] https://bugs.openjdk.org/browse/JDK-8227024
>
>