RFR: 8296820: Add implementation note to SSLContext.getInstance noting subsequent behavior if protocol is disabled
Xue-Lei Andrew Fan
xuelei at openjdk.org
Wed Nov 16 17:42:05 UTC 2022
On Wed, 16 Nov 2022 16:31:54 GMT, Sean Mullan <mullan at openjdk.org> wrote:
> > _Mailing list message from [Xuelei Fan](mailto:xuelei.f at gmail.com) on [security-dev](mailto:security-dev at mail.openjdk.org):_
> > > The wording in this PR specifically refers to the protocol version that
> >
> >
> > was specified. It isn't covering other optional protocols that may be supported.
> > Sorry, I may not make it clear. The protocol specified in SSLContext.getInstance is not TLS protocol version. I think the protocol disabled in security properties refers to protocol version.
>
> Where in the javadoc APIs does it say that?
The Javadoc APIs specification does not say it is referring to TLS protocol version. In the standard algorithm documentation, the word "SSLContext Algorithms" is used and here is an example:
Algorithm Name | Description
-- | --
TLSv1.2 | Supports RFC 5246: TLS version 1.2; may support other SSL/TLS versions
> I think the only assumption you can make is that the SSLContext that is returned supports the protocol version that was specified. Whether or not it supports other versions is completely implementation-specific AFAICT.
Yes. So we cannot assume that the literal SSLContext algorithm is the only supported TLS version for an JSSE provider, including the SunJSSE provider.
-------------
PR: https://git.openjdk.org/jdk/pull/11172
More information about the security-dev
mailing list