Xuelei,

Before commenting further on the interaction of the HTTP Client with various contorted configurations, I would like to get a better understanding of the `jdk.tls.client.protocols` property.

Is there a specification or other documentation describing `jdk.tls.client.protocols`? It is my understanding that the property only affects the *default* protocols (not the supported protocols) of the *default* context. That is, the context returned by `SSLContext.getInstance("Default")`, and the protocol values returned by the following invocation on that context: `getDefaultSSLParameters().getProtocols()`. Is this correct? If not, what does it do?

-Chris.

> On 26 Mar 2020, at 16:58, Xuelei Fan <xuelei....@oracle.com> wrote:
>
> With this update, the logic looks like: if TLSv1.3 is not enabled in the
> SSLContext, use TLSv1.2 instead; Otherwise, use TLSv1.3 and TLSv1.2.
>
> There may be a couple of issues:
> 1. TLSv1.2 may be not enabled, although TLSv1.3 is enabled.
> For example:
> System.setProperty("jdk.tls.client.protocols", "TLSv1.3")
> System.setProperty("jdk.tls.client.protocols", "TLSv1.1, TLSv1.0")
>
> 2. TLSv1.2 may be not supported in the SSLContext.
> For example:
> SSLContext context = SSLContext.getInstance("DTLS");
> HttpClient.newBuilder().sslContext(context)...
>
> 3. The application may not want to use TLS 1.2.
> For example:
> System.setProperty("jdk.tls.client.protocols", "TLSv1.1, TLSv1.0")
>
> The System property may be shared by code other than httpclient. So the
> setting may not consider the impact on httpclient.
>
> I may use enabled protocols only. If no TLSv1.2/TLSv1.3, I may use an empty
> protocol array, and test to see what happens in the httpclient implementation
> stack.
>
> Xuelei
>
> On 3/26/2020 9:28 AM, Sean Mullan wrote:
>> Cross-posting to security-dev as this involves TLS/SSL configuration.
>>
>> --Sean
>>
>> On 3/26/20 10:02 AM, rahul.r.ya...@oracle.com wrote:
>>> Hello,
>>>
>>> Request to have my fix reviewed for issues:
>>>
>>> JDK-8239595 : ssl context version is not respected
>>> JDK-8239594 : jdk.tls.client.protocols is not respected
>>>
>>> The fix updates
>>> jdk.internal.net.http.HttpClientImpl.getDefaultParams(SSLContext ctx)
>>> to use ctx.getDefaultSSLParameters() instead of
>>> ctx.getSupportedSSLParameters(),
>>> as the latter does not respect the context parameters set by the user.
>>>
>>> Issue: https://bugs.openjdk.java.net/browse/JDK-8239595
>>> Issue: https://bugs.openjdk.java.net/browse/JDK-8239594
>>>
>>> Webrev:
>>> http://cr.openjdk.java.net/~jboes/rayayada/webrevs/8239595/webrev.00/
>>>
>>> -- Rahul
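The distinction the thread turns on, supported protocols versus default (enabled) protocols of an `SSLContext`, and the three cases Xuelei lists, can be observed directly. The following stand-alone program is an added example, not code from the thread or from the JDK's `HttpClientImpl`; `describe` and `clientParams` are hypothetical helpers of this example, it assumes a JDK 11 or later (for the `DTLS` context and `List.of`), and the protocol lists it prints are whatever the running JDK reports rather than values asserted here.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class TlsProtocolCheck {

    /** Print the supported vs. default (enabled) protocol lists of a context. */
    static void describe(String label, SSLContext ctx) {
        System.out.println("== " + label + " (" + ctx.getProtocol() + ")");
        System.out.println("supported: "
                + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));
        System.out.println("default:   "
                + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));
    }

    /**
     * Hypothetical helper (not the JDK's HttpClientImpl.getDefaultParams):
     * derive client parameters from the context's *default* parameters, so
     * whatever the context (or jdk.tls.client.protocols) enabled is respected,
     * then keep only the versions this client is willing to speak.
     */
    static SSLParameters clientParams(SSLContext ctx, List<String> wanted) {
        SSLParameters params = ctx.getDefaultSSLParameters();
        List<String> enabled = Arrays.asList(params.getProtocols());
        List<String> chosen = new ArrayList<>();
        for (String p : wanted) {
            if (enabled.contains(p)) {
                chosen.add(p);
            }
        }
        // Cases 1-3 from the thread: if none of the wanted versions is enabled
        // (only TLSv1.1/TLSv1.0 configured, or a DTLS context), keep the
        // context's own enabled list instead of forcing TLSv1.2 onto it.
        if (chosen.isEmpty()) {
            chosen = enabled;
        }
        params.setProtocols(chosen.toArray(new String[0]));
        return params;
    }

    public static void main(String[] args) throws Exception {
        // Assumption: the property is read when the JSSE provider initialises,
        // so it is set here before any SSLContext is created in this JVM.
        System.setProperty("jdk.tls.client.protocols", "TLSv1.3");

        SSLContext def = SSLContext.getInstance("Default");
        describe("Default context", def);

        SSLContext tls = SSLContext.getInstance("TLS");
        tls.init(null, null, null);
        describe("TLS context", tls);

        SSLContext dtls = SSLContext.getInstance("DTLS");
        dtls.init(null, null, null);
        describe("DTLS context", dtls);

        List<String> wanted = Arrays.asList("TLSv1.3", "TLSv1.2");
        for (SSLContext ctx : List.of(def, tls, dtls)) {
            System.out.println(ctx.getProtocol() + " -> client protocols "
                    + Arrays.toString(clientParams(ctx, wanted).getProtocols()));
        }
    }
}
```

Compile and run it once with the property line as written and once with it removed (or with `-Djdk.tls.client.protocols=...` on the command line) to see which context's default list moves and which stays put; the supported list should not change in either run, which is the behaviour Chris describes and the reason the fix switches from `getSupportedSSLParameters()` to `getDefaultSSLParameters()`.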