Hi Eirik,

On 4/14/23 8:00 AM, Eirik Bjørsnøs wrote:
> Hi,
>
> I've been reaching out to various open source projects in an effort to
> reduce the ecosystem risk of removing the javax.security.cert package,
> see JDK-8227024 [1].
>
> I contributed a patch to Tomcat, which was accepted, but not backported
> to versions running on Java 11. Since Java 11 does not have the default
> implementation for SSLSession.getPeerCertificateChain, any
> implementation not overriding this method would give a compilation error.
>
> We observe a similar situation in JBoss Undertow/Wildfly, where my PR to
> remove javax.security.cert compiles fine under Java 17, but fails to
> compile on Java 11:
>
> SNISSLEngine.java:[211,69] error: <anonymous
> io.undertow.protocols.ssl.SNISSLEngine$InitialState$1> is not
> abstract and does not override abstract method
> getPeerCertificateChain() in SSLSession
>
> So I was wondering if at all it would be possible to backport the
> default SSLSession.getPeerCertificateChain method to 11? It seems this
> would help the ecosystem move forward in reducing the dependency on
> javax.security.cert.

In order to backport that change to Java SE 11, an MR (Maintenance
Release of Java SE) would be required. See the CSR [1] for more details,
which has a scope of SE.

There is an MR for Java SE 11 that is in progress [2]. Unfortunately, it
is too late and this issue is not critical enough to justify it being
added at this point.

> What would the compatibility concerns for such a backport be? Is it at
> all possible? The method was deprecated in Java 9, for-removal in Java 13.

Not possible right now AFAICT, but I will keep it in mind as a candidate
API change for the next MR, if and when that may occur.

--Sean

[1] https://bugs.openjdk.org/browse/JDK-8241047
[2] https://jcp.org/en/jsr/detail?id=384

> Thanks,
> Eirik.
>
> [1] https://bugs.openjdk.org/browse/JDK-8227024