With this update, the logic looks like: if TLSv1.3 is not enabled in the
SSLContext, use TLSv1.2 instead; Otherwise, use TLSv1.3 and TLSv1.2.
There may be a couple of issues:
1. TLSv1.2 may be not enabled, although TLSv1.3 is enabled.
For example:
System.setProperty("jdk.tls.client.protocols", "TLSv1.3")
System.setProperty("jdk.tls.client.protocols", "TLSv1.1, TLSv1.0")
2. TLSv1.2 may be not supported in the SSLContext.
For example:
SSLContext context = SSLContext.getInstance("DTLS");
HttpClient.newBuilder().sslContext(context)...
3. The application may not want to use TLS 1.2.
For example:
System.setProperty("jdk.tls.client.protocols", "TLSv1.1, TLSv1.0")
The System property may be shared by code other than httpclient. So the
setting may not consider the impact on httpclient.
I may use enabled protocols only. If no TLSv1.2/TLSv1.3, I may use an
empty protocol array, and test to see what happens in the httpclient
implementation stack.
Xuelei
On 3/26/2020 9:28 AM, Sean Mullan wrote:
Cross-posting to security-dev as this involves TLS/SSL configuration.
--Sean
On 3/26/20 10:02 AM, rahul.r.ya...@oracle.com wrote:
Hello,
Request to have my fix reviewed for issues:
JDK-8239595 : ssl context version is not respected
JDK-8239594 : jdk.tls.client.protocols is not respected
The fix updates
jdk.internal.net.http.HttpClientImpl.getDefaultParams(SSLContext ctx)
to use ctx.getDefaultSSLParameters()instead of
ctx.getSupportedSSLParameters(),
as the latter does not respect the context parameters set by the user.
Issue: https://bugs.openjdk.java.net/browse/JDK-8239595
Issue: https://bugs.openjdk.java.net/browse/JDK-8239594
Webrev:
http://cr.openjdk.java.net/~jboes/rayayada/webrevs/8239595/webrev.00/
-- Rahul