On 3/27/2020 10:36 AM, Chris Hegarty wrote:
Thank you Xuelei, this is very helpful.

Sorry, but I am going to ask just a few more clarifying questions to make sure 
that we’re on the same page.

On 27 Mar 2020, at 16:23, Xuelei Fan <xuelei....@oracle.com> wrote:

On 3/27/2020 5:52 AM, Chris Hegarty wrote:
Xuelei,
Before commenting further on the interaction of the HTTP Client with various 
contorted configurations, I would like to get a better understanding of the 
`jdk.tls.client.protocols` property.
Is there a specification or other documentation describing 
`jdk.tls.client.protocols` ?
See the jdk.tls.client.protocols line in "Table 8-3 System Properties and 
Customized Items" in the JSSE Reference Guide:

https://docs.oracle.com/en/java/javase/14/security/java-secure-socket-extension-jsse-reference-guide.html#GUID-A41282C3-19A3-400A-A40F-86F4DA22ABA9

For your quick reference, I copied the note here:

---------------
Customized Item:
Default handshaking protocols for TLS/DTLS clients.

Notes:
To enable specific SunJSSE protocols on the client, specify them in a 
comma-separated list within quotation marks; all other supported protocols are 
not enabled on the client

“supported” here means protocols that are supported by the provider, and may be 
used within a specific context. This translates, for the default SSLContext, to 
the API call getSupportedSSLParameters().getProtocols(), right?

Yes.

getSupportedSSLParameters().getProtocols() returns a superset of 
getDefaultSSLParameters().getProtocols(). Conversely, 
getDefaultSSLParameters().getProtocols() is a strict subset of 
getSupportedSSLParameters().getProtocols(), right?

Yes.

The `jdk.tls.client.protocols` property has no effect on 
getSupportedSSLParameters().getProtocols(), only on 
getDefaultSSLParameters().getProtocols(), right?
Yes.

In which case, getDefaultSSLParameters().getProtocols() returns the value of  
`jdk.tls.client.protocols`.

For example,

    If jdk.tls.client.protocols="TLSv1,TLSv1.1", then the default protocol 
settings on the client for TLSv1 and TLSv1.1 are enabled, while SSLv3, TLSv1.2, TLSv1.3, 
and SSLv2Hello are not enabled

    If jdk.tls.client.protocols="DTLSv1.2" , then the protocol setting on the 
client for DTLS1.2 is enabled, while DTLS1.0 is not enabled
---------------

Seems that the term “client” here is referring to client-initiated exchanges, 
rather than any specific technology.

The assumption, which is reasonable, is that “clients” will use the default 
context. Again, this is reasonable default out-of-the-box behavior.

The client refers to the client-side SSLSocket or SSLEngine created with the default SSLContext. For example:
    SSLContext sslContext = SSLContext.getInstance("TLS");
    sslContext.init(null, null, null);   // a "TLS" context must be initialised before engines can be created
    SSLEngine sslEngine = sslContext.createSSLEngine();
    sslEngine.setUseClientMode(true);

The sslEngine object is a client that is impacted by the property.

Whereas if
    sslEngine.setUseClientMode(false);

then the object should not be impacted by the property.

Xuelei

It is my understanding that the property only affects the *default* protocols (not 
the supported protocols) of the *default* context. That is, the context returned by 
`SSLContext.getInstance("Default")`,
It is correct that the property impacts the default SSLContext only. The 
default SSLContext instance can be obtained from:
    SSLContext.getInstance("Default");
    SSLContext.getInstance("TLS");
    SSLContext.getInstance("DTLS");

Thanks for this clarification.


and the protocol values returned by the following invocation on that context 
`getDefaultSSLParameters().getProtocols()`. Is this correct? If not, what does 
it do?
Yes.

Thanks,
-Chris.
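The distinction the thread settles on (the property changes the *default* protocol list and the client-mode engine built from the default context, but not the *supported* list and not a server-mode engine) is easy to verify empirically. The following program is an added example, not code from the thread or from the JDK; the class name `ClientProtocolsDemo` and the helper method names are my own choices. It prints all four lists for the "Default" and "TLS" contexts so they can be compared side by side.

```java
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Added example (not from the mailing-list thread): shows which protocol lists the
// jdk.tls.client.protocols property touches and which it leaves alone.
public class ClientProtocolsDemo {

    // Provider-supported protocols; the property does not change these.
    static String[] supported(SSLContext ctx) {
        return ctx.getSupportedSSLParameters().getProtocols();
    }

    // Enabled-by-default protocols; this is the list the property sets.
    static String[] defaults(SSLContext ctx) {
        return ctx.getDefaultSSLParameters().getProtocols();
    }

    // Enabled protocols of a fresh engine in the requested mode.
    static String[] enabledFor(SSLContext ctx, boolean clientMode) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(clientMode);
        return engine.getEnabledProtocols();
    }

    public static void main(String[] args) throws Exception {
        // The property is read when the default-context class is initialised, so
        // set it on the command line (-Djdk.tls.client.protocols=...) rather than
        // with System.setProperty after SSLContext has already been used.
        System.out.println("jdk.tls.client.protocols = "
                + System.getProperty("jdk.tls.client.protocols"));

        for (String name : new String[] {"Default", "TLS"}) {
            SSLContext ctx = SSLContext.getInstance(name);
            if (!"Default".equals(name)) {
                // "Default" initialises itself (and rejects init()); "TLS" and "DTLS"
                // must be initialised before an engine or socket can be created.
                ctx.init(null, null, null);
            }
            System.out.println("SSLContext \"" + name + "\"");
            System.out.println("  supported protocols:   " + Arrays.toString(supported(ctx)));
            System.out.println("  default protocols:     " + Arrays.toString(defaults(ctx)));
            System.out.println("  client engine enabled: " + Arrays.toString(enabledFor(ctx, true)));
            System.out.println("  server engine enabled: " + Arrays.toString(enabledFor(ctx, false)));
        }
    }
}
```

Run it once without the property and once as `java -Djdk.tls.client.protocols=TLSv1.2 ClientProtocolsDemo`. Per the thread's explanation, the supported list and the server-engine list stay the same between the two runs, while the default list and the client-engine list follow the property. A context obtained under any other name (for example a provider-specific protocol name) is outside what the thread covers and should be checked separately before relying on the property for it.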
