Hello First I hope this is the right mailing list. Second, I realize I'm late to the party and this ship may already have sailed.
We're using a third party library from a vendor that calls SSLSession.getPeerCertificateChain() [1]. The vendor is unlikely to ship a JDK 17 compatible version of this library this decade. I was wondering if any consideration was given to implementing #getPeerCertificateChain by calling #getPeerCertificates [2] and implementing javax.security.cert.X509Certificate by delegating to java.security.cert.X509Certificate [3]. I believe this would preserve source, binary and behavior compatibility while at the same time freeing implementations from having to deal with javax.security.cert types or #getPeerCertificateChain. The third party library we use does support configuring a custom SSLSocketFactory and we'll likely go with a custom SSLSocketFactory. [1] https://bugs.openjdk.java.net/browse/JDK-8241047 [2] https://github.com/marschall/legacy-compatibility-ssl-socket-factory/blob/master/src/main/java/com/github/marschall/legacycompatibilitysslsocketfactory/LegacyCompatibilitySSLSession.java#L86 [3] https://github.com/marschall/legacy-compatibility-ssl-socket-factory/blob/master/src/main/java/com/github/marschall/legacycompatibilitysslsocketfactory/CertificateAdapter.java Cheers Philippe
