On Tue, 15 Nov 2022 22:53:35 GMT, Sean Mullan <mul...@openjdk.org> wrote:

> > BTW, the protocol for SSLContext.getInstance() method is not a TLS 
> > protocol. It is more of a context-algorithm. For example, 
> > SSLContext.getInstance("TLSv1.3") could support TLS 1.0/1.1/1.2/1.3. It may 
> > not be usual, but if TLS 1.3 is disabled, and TLS 1.2 not, the connection 
> > should be able to be established with TLS 1.2. In the description, it would be 
> > nice to make it clear what the "protocol" means in different circumstances.
> 
> Yes, it might be useful to add something like "The returned SSLContext 
> implements the specified protocol version, and may also implement other 
> protocol versions." But I think it could be covered in a separate issue.
> 

I did not mean to add this kind of description.  I meant that the "specified 
protocol" in the description is not a TLS protocol version, and hence it could 
not be referred to as a TLS protocol version.

> The wording in this PR specifically refers to the protocol version that was 
> specified. It isn't covering other optional protocols that may be supported.

I may be wrong.  But let me check.  For example, the code looks like:
`SSLContext context = SSLContext.getInstance("TLSv1.3");`
Per "The wording in this PR specifically refers to the protocol version that 
was specified", I guess "the protocol version that was specified" is "TLSv1.3". 
And for code like `SSLContext context = SSLContext.getInstance("TLSv1.2");` I 
guess "the protocol version that was specified" is "TLSv1.2".

If the property looks like `jdk.tls.disabledAlgorithms=TLSv1.3`, the 
`"TLSv1.3"` specified in the security property is not the one specified in 
`SSLContext.getInstance("TLSv1.3");`. They are two different concepts.  The one 
in `SSLContext.getInstance("TLSv1.3");` refers to the SSLContext protocol, while 
the one in `jdk.tls.disabledAlgorithms=TLSv1.3` refers to TLS versions.

However, in the following description:

     * ... However, if the specified provider is "SunJSSE",
     * subsequent operations that attempt to use the specified protocol will
     * fail with an {@code SSLHandshakeException}."

if "the specified protocol" refers to a TLS version, it is not correct. 

If I get it right, the context in the example above can be used to establish 
connections for TLS 1.0/1.1/1.2.  The description in the PR, "will fail with 
...", may not be true.

-------------

PR: https://git.openjdk.org/jdk/pull/11172
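The distinction discussed in this thread can be observed directly. The following Java program is an added example, not code from the PR or from the JDK; it disables `TLSv1.3` through the `jdk.tls.disabledAlgorithms` security property, then builds an `SSLContext` with the context-algorithm name `"TLSv1.3"` and prints which TLS versions it actually enables. The class name `ContextProtocolDemo` is chosen here, and the program assumes the property is set before anything in the JVM has initialized JSSE (the provider reads it once, at class initialization); what the thread predicts is that `TLSv1.3` disappears from the enabled list while `TLSv1.2` remains usable.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

/**
 * Added example, not part of the PR or the JDK. Contrasts the
 * SSLContext "protocol" (a context-algorithm name such as "TLSv1.3")
 * with the TLS versions removed by jdk.tls.disabledAlgorithms.
 */
public class ContextProtocolDemo {

    public static void main(String[] args) throws Exception {
        // Must happen before JSSE is initialized in this JVM, i.e. before
        // the first SSLContext is created; otherwise the provider has
        // already read the property and this change has no effect.
        String current = Security.getProperty("jdk.tls.disabledAlgorithms");
        String updated = (current == null || current.isEmpty())
                ? "TLSv1.3"
                : current + ", TLSv1.3";
        Security.setProperty("jdk.tls.disabledAlgorithms", updated);

        // The "TLSv1.3" here names a context algorithm of the SunJSSE
        // provider, not a single TLS version.
        SSLContext ctx = SSLContext.getInstance("TLSv1.3", "SunJSSE");
        ctx.init(null, null, null); // default key/trust managers and RNG

        System.out.println("context algorithm  : " + ctx.getProtocol());
        System.out.println("supported protocols: "
                + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));
        System.out.println("default enabled    : "
                + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));

        // An engine created from the context shows what a handshake would
        // actually offer after the disabled-algorithm filtering.
        SSLEngine engine = ctx.createSSLEngine();
        List<String> enabled = Arrays.asList(engine.getEnabledProtocols());
        System.out.println("engine enabled     : " + enabled);

        // Per the thread: TLSv1.3 should be filtered out, TLSv1.2 should stay.
        System.out.println("TLSv1.3 enabled = " + enabled.contains("TLSv1.3"));
        System.out.println("TLSv1.2 enabled = " + enabled.contains("TLSv1.2"));
    }
}
```

Run it as `java ContextProtocolDemo` on a JDK with the SunJSSE provider. If `TLSv1.2` is still listed as enabled while `TLSv1.3` is not, the context obtained via `getInstance("TLSv1.3")` is evidently not limited to TLS 1.3, which is the point made above about the Javadoc wording.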
