On Wed, 16 Nov 2022 16:31:54 GMT, Sean Mullan <mul...@openjdk.org> wrote:
> > _Mailing list message from [Xuelei Fan](mailto:xuele...@gmail.com) on > > [security-dev](mailto:security-...@mail.openjdk.org):_ > > > The wording in this PR specifically refers to the protocol version that > > > > > > was specified. It isn't covering other optional protocols that may be > > supported. > > Sorry, I may not make it clear. The protocol specified in > > SSLContext.getInstance is not TLS protocol version. I think the protocol > > disabled in security properties refers to protocol version. > > Where in the javadoc APIs does it say that? The Javadoc APIs specification does not say it is referring to TLS protocol version. In the standard algorithm documentation, the word "SSLContext Algorithms" is used and here is an example: Algorithm Name | Description -- | -- TLSv1.2 | Supports RFC 5246: TLS version 1.2; may support other SSL/TLS versions > I think the only assumption you can make is that the SSLContext that is > returned supports the protocol version that was specified. Whether or not it > supports other versions is completely implementation-specific AFAICT. Yes. So we cannot assume that the literal SSLContext algorithm is the only supported TLS version for an JSSE provider, including the SunJSSE provider. ------------- PR: https://git.openjdk.org/jdk/pull/11172
