8296820: Add implementation note to SSLContext.getInstance noting subsequent behavior if protocol is disabled #11172
Conversation
|
👋 Welcome back mullan! A progress list of the required criteria for merging this PR into |
|
@seanjmullan The following labels will be automatically applied to this pull request:
When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing lists. If you would like to change these labels, use the /label pull request command. |
|
@seanjmullan This change now passes all automated pre-integration checks. ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details. After integration, the commit message for the final commit will be: You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed. At the time when this comment was updated there had been 20 new commits pushed to the
As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details. ➡️ To integrate this PR with the above commit message to the |
|
As you are already there, it may be nice to cover more options that the protocol may not be used for the handshaking. Here are some cases I'm aware of:
|
Good point, but I feel that should be handled in a separate issue, if necessary. Also, most of those other cases above (except for #4) are influenced by additional methods subsequently invoked by the application. For this one, it may be a bit surprising for the SSLContext to be returned when the protocol is disabled (although it is still compliant with the API as specified), and then later it doesn't work, so the implementation note is useful. The JCK team requested this clarification. |
If it will be addressed in the future issue, the current specification may need to weight the impact in. Otherwise, the specification added here might need to re-work to cover more cases.
I understand the concerns. There are many cases in security components that an instance could return, but will not work in the following process if not set or configured properly. The impact of disabled properties is just one case of many. Maybe, a simple description is sufficient, "the instance may not work if not configured or set properly, for example ... ". It may be not an option to stop at SSLContext.getInstance() if the protocol is disabled rather than delay to handshaking, as an application still can have the protocol back by overriding the default security properties. BTW, the protocol for SSLContext.getInstance() method is not a TLS protocol. It is more of a context-algorithm. For example, SSLContext.getInstance("TLSv1.3") could support TLS 1.0/1.1/1.2/1.3. It may be not usual, but if TLS 1.3 is disabled, and TLS 1.2 not, the connection should be able to established with TLS 1.2. In the description, it would be nice to make it clean what the 'protocol" means in different circumstances. |
I may be wrong. The security property may be just loaded one time, and the follow-on update will not take effect. If it is the case, is it an option to stop at SSLContext.getInstance()? |
It is not specified if the property is read only once or multiple times. However, the JDK implementation reads it once and also when it creates an SSLContext, so there is no chance to modify it later. |
Which is fine. But we can still cover the behavior of
But I don't think there is general confusion over those other scenarios, so I am wary about going down that path where we feel obligated to document all possible scenarios. People using TLS should already know that a connection may not succeed for various reasons and the SSLException should provide a good reason for that. However, this one is not very visible and could be somewhat surprising. An application may want to query the
It won't work - see my other reply.
Yes, it might be useful to add something like "The returned SSLContext implements the specified protocol version, and may also implement other protocol versions." But I think it could be covered in a separate issue. The wording in this PR specifically refers to the protocol version that was specified. It isn't covering other optional protocols that may be supported. I would like to hear from others if they feel this note is useful, or if it is opening up more questions that not. |
I think it twice. It may be not necessary to invoke additional methods subsequently by the application. The impact could be configurations (security properties, key store, etc) other than
If the purpose is to make sure an SSLContext instance work later, more options may be considered. IMO, I did not see the value if we cannot make the description in a general and accuracy way. The "jdk.tls.disabledAlgorithms" is just one of many impacts. All jdk.xxx.disabledAlgorithms properties could play a role to break the connection. It may be not enough to check the "jdk.tls.disabledAlgorithms" and than can make sure an SSLContext instance will work for sure. |
I was not meant to add this kind of description. I meant that the "specified protocol" in the description is not a TLS protocol version, and hence it could not be referred as TLS protocol version.
I may be wrong. But let me check. For example, the code looks like: Per "The wording in this PR specifically refers to the protocol version that was specified", I guess "the protocol version that was specified" is "TLSv1.3". And for code like If the property looks like However, in the following description: if "the specified protocol" is referring to TLS version, it is not correct. If I get it right, the context in the example above can be used to establish connections for TLS 1.0/1.1/1.2. The description in the PR , "will fail with ...", may be not true. |
|
Mailing list message from Xuelei Fan on security-dev:
was specified. It isn't covering other optional protocols that may be Sorry, I may not make it clear. The protocol specified in Hope it helps! Xuelei |
Where in the javadoc APIs does it say that? I think the only assumption you can make is that the SSLContext that is returned supports the protocol version that was specified. Whether or not it supports other versions is completely implementation-specific AFAICT. |
The Javadoc APIs specification does not say it is referring to TLS protocol version. In the standard algorithm documentation, the word "SSLContext Algorithms" is used and here is an example:
Yes. So we cannot assume that the literal SSLContext algorithm is the only supported TLS version for an JSSE provider, including the SunJSSE provider. |
|
I plan to withdraw this PR for now. @XueleiFan you make some good points that the implementation note is too specific (there are other failure scenarios) and also that a connection may still be successfully established using other protocols if the implementation supports other protocols than what was requested. I really think that what is needed is a better class description in the javadoc of the After that we can add more information on specific implementation specific scenarios, such as what is being proposed here. |
3 participants
Please review this PR to add an implementation note to the
SSLContext.getInstancemethods to document the behavior when a protocol is disabled.Progress
Issue
Reviewers
Reviewing
Using
gitCheckout this PR locally:
$ git fetch https://git.openjdk.org/jdk pull/11172/head:pull/11172$ git checkout pull/11172Update a local copy of the PR:
$ git checkout pull/11172$ git pull https://git.openjdk.org/jdk pull/11172/headUsing Skara CLI tools
Checkout this PR locally:
$ git pr checkout 11172View PR using the GUI difftool:
$ git pr show -t 11172Using diff file
Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/11172.diff