On 15/04/2023 10:15, Eirik Bjørsnøs wrote:
Hi,
JDK-8227024 [1] and the associated CSR JDK-8227395 [2] suggests
removing the deprecated classes in javax.security.cert.
The CSR was withdrawn last year following ecosystem compatibility
concerns:
Given the compatibility risks/impacts with existing providers and
JSSE implementations, we've decided to withdraw this CSR for the
time being.
I reached out to the BouncyCastle project [3] and they are basically
OK with the OpenJDK project to go ahead and remove the APIs:
It's a just cause, so go ahead and deal with it, I think all we
need is
someone to let us know when it's done and point us at a JVM so we can
start organising the new jar.
I have also contributed the following PRs to make Tomcat, Netty,
Vert.x and Undertow aware of the plans of removal and also to provide
the actual code changes:
https://github.com/apache/tomcat/pull/608
https://github.com/netty/netty/pull/13326
https://github.com/eclipse-vertx/vert.x/pull/4665
https://github.com/undertow-io/undertow/pull/1468
Implementing these PRs was mostly straightforward, indicating that the
impact in these projects would be relatively low if these APIs would
be removed today.
I think we are in a bit of a knotty situation where the ecosystem is
now basically just waiting for OpenJDK to actually remove these APIs.
Based on my recent interaction with these projects I'm hopeful that
the ecosystem impact is lower than what has been assessed previously.
I believe we should go ahead with this removal, sooner rather than later.
Any thoughts?
Kudos for reaching out the BC and for creating PRs to several projects
to remove their usage, this is a great way to contribute!
Removing anything is hard. The changes in JDK-8241047 were intended to
allow SSLSession implementations drop their dependence on
javax.security.cert.X509Certificate but it may take time if
implementations are still expecting to be able to compile to a wide
range of releases that include JDK 14 or older. I also be concerned that
existing releases of this frameworks/libs with dependences on
javax.security.cert.X509Certificate will be in use for some time. I'll
defer to Sean and Brad but it feels like it might have to stay around
for another few releases at least.
-Alan.
