Hi Philippe,
On 10/3/21 11:32 AM, Philippe Marschall wrote:
> Hello
> First I hope this is the right mailing list. Second, I realize I'm late
> to the party and this ship may already have sailed.

Yes, this is the right mailing list.

> We're using a third party library from a vendor that calls
> SSLSession.getPeerCertificateChain() [1]. The vendor is unlikely to ship
> a JDK 17 compatible version of this library this decade.

The method in question has not been removed from 17 so their code should
continue to work as long as the deprecated methods continue to be
overridden. It's unfortunate that the 3rd party library cannot be
changed - is it active? The SSLSession.getPeerCertificateChain() has
been deprecated since Java 9 and marked for removal since Java 13, and
there has been a replacement API available
SSLSession.getPeerCertificates() since Java 1.4. That's a lot of time to
migrate.

> I was wondering if any consideration was given to implementing
> #getPeerCertificateChain by calling #getPeerCertificates [2] and
> implementing javax.security.cert.X509Certificate by delegating to
> java.security.cert.X509Certificate [3]. I believe this would preserve
> source, binary and behavior compatibility while at the same time freeing
> implementations from having to deal with javax.security.cert types or
> #getPeerCertificateChain.

It is an interesting suggestion and I can see your point. I don't think
there is any fundamental reason we could not change the default
implementation of the SSLSession.getPeerCertificateChain() method, but
since it would be a change to the specification, it could not be
backported to 17. Also, these methods are marked for removal, so
changing the default implementation at this point probably doesn't add
much value.

--Sean

> The third party library we use does support configuring a custom
> SSLSocketFactory and we'll likely go with a custom SSLSocketFactory.
>
> [1] https://bugs.openjdk.java.net/browse/JDK-8241047
> [2]
> https://github.com/marschall/legacy-compatibility-ssl-socket-factory/blob/master/src/main/java/com/github/marschall/legacycompatibilitysslsocketfactory/LegacyCompatibilitySSLSession.java#L86
> [3]
> https://github.com/marschall/legacy-compatibility-ssl-socket-factory/blob/master/src/main/java/com/github/marschall/legacycompatibilitysslsocketfactory/CertificateAdapter.java
>
> Cheers
> Philippe
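To make the delegation approach discussed in the thread concrete, here is an added example (my own code, not from the thread and not from the linked legacy-compatibility-ssl-socket-factory project). It adapts a java.security.cert.X509Certificate to the legacy javax.security.cert.X509Certificate type by delegating every method, and builds the legacy chain from SSLSession.getPeerCertificates(), which is how a custom SSLSession wrapper could satisfy a caller of getPeerCertificateChain(). The class and method names LegacyX509Adapter and toLegacyChain are my own choices. The javax.security.cert types are deprecated for removal, so this compiles only on JDKs that still ship them and emits removal warnings, which the annotation suppresses.

```java
import java.math.BigInteger;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Principal;
import java.security.PublicKey;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.util.Date;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

/** Adapter from java.security.cert.X509Certificate to the legacy javax.security.cert type. Hypothetical name. */
@SuppressWarnings({"deprecation", "removal"})
public final class LegacyX509Adapter extends javax.security.cert.X509Certificate {

    private final java.security.cert.X509Certificate delegate;

    public LegacyX509Adapter(java.security.cert.X509Certificate delegate) {
        this.delegate = delegate;
    }

    /**
     * Builds the legacy peer chain from the modern API, preserving the contract that
     * an unauthenticated peer yields SSLPeerUnverifiedException rather than an empty array.
     */
    public static javax.security.cert.X509Certificate[] toLegacyChain(SSLSession session)
            throws SSLPeerUnverifiedException {
        Certificate[] modern = session.getPeerCertificates(); // throws if the peer was not authenticated
        javax.security.cert.X509Certificate[] legacy = new javax.security.cert.X509Certificate[modern.length];
        for (int i = 0; i < modern.length; i++) {
            if (!(modern[i] instanceof java.security.cert.X509Certificate)) {
                // Fail closed instead of silently dropping a non-X.509 entry from the chain
                throw new SSLPeerUnverifiedException(
                        "peer certificate " + i + " is not X.509: " + modern[i].getType());
            }
            legacy[i] = new LegacyX509Adapter((java.security.cert.X509Certificate) modern[i]);
        }
        return legacy;
    }

    // Validity checks: translate the modern exception types to their legacy counterparts
    @Override public void checkValidity()
            throws javax.security.cert.CertificateExpiredException,
                   javax.security.cert.CertificateNotYetValidException {
        checkValidity(new Date());
    }

    @Override public void checkValidity(Date date)
            throws javax.security.cert.CertificateExpiredException,
                   javax.security.cert.CertificateNotYetValidException {
        try {
            delegate.checkValidity(date);
        } catch (java.security.cert.CertificateExpiredException e) {
            throw new javax.security.cert.CertificateExpiredException(e.getMessage());
        } catch (java.security.cert.CertificateNotYetValidException e) {
            throw new javax.security.cert.CertificateNotYetValidException(e.getMessage());
        }
    }

    @Override public int getVersion() { return delegate.getVersion(); }
    @Override public BigInteger getSerialNumber() { return delegate.getSerialNumber(); }
    @Override public Principal getIssuerDN() { return delegate.getIssuerDN(); }
    @Override public Principal getSubjectDN() { return delegate.getSubjectDN(); }
    @Override public Date getNotBefore() { return delegate.getNotBefore(); }
    @Override public Date getNotAfter() { return delegate.getNotAfter(); }
    @Override public String getSigAlgName() { return delegate.getSigAlgName(); }
    @Override public String getSigAlgOID() { return delegate.getSigAlgOID(); }
    @Override public byte[] getSigAlgParams() { return delegate.getSigAlgParams(); }
    @Override public PublicKey getPublicKey() { return delegate.getPublicKey(); }
    @Override public String toString() { return delegate.toString(); }

    // Same DER bytes as the modern certificate, so hashes and pinning comparisons stay consistent
    @Override public byte[] getEncoded() throws javax.security.cert.CertificateEncodingException {
        try {
            return delegate.getEncoded();
        } catch (java.security.cert.CertificateEncodingException e) {
            throw new javax.security.cert.CertificateEncodingException(e.getMessage());
        }
    }

    @Override public void verify(PublicKey key)
            throws javax.security.cert.CertificateException, NoSuchAlgorithmException,
                   InvalidKeyException, NoSuchProviderException, SignatureException {
        try {
            delegate.verify(key);
        } catch (java.security.cert.CertificateException e) {
            throw new javax.security.cert.CertificateException(e.getMessage());
        }
    }

    @Override public void verify(PublicKey key, String sigProvider)
            throws javax.security.cert.CertificateException, NoSuchAlgorithmException,
                   InvalidKeyException, NoSuchProviderException, SignatureException {
        try {
            delegate.verify(key, sigProvider);
        } catch (java.security.cert.CertificateException e) {
            throw new javax.security.cert.CertificateException(e.getMessage());
        }
    }
}
```

A custom SSLSession wrapper (the kind a custom SSLSocketFactory would hand out) can then implement getPeerCertificateChain() as `return LegacyX509Adapter.toLegacyChain(this);`, so the only place still touching javax.security.cert types is the adapter itself, and the peer-unverified behavior of the modern API is carried through unchanged.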