A new proposal to add methods to HttpsURLConnection to access SSLSession

Xuelei Fan xuelei.fan at oracle.com
Thu Nov 1 23:42:19 UTC 2018

On 11/1/2018 11:24 AM, Sean Mullan wrote:
> On 10/31/18 11:52 AM, Chris Hegarty wrote:
>> Xuelei,
>> On 30/10/18 20:55, Xuelei Fan wrote:
>>> Hi,
>>> For the current HttpsURLConnection, there is not much security 
>>> parameters exposed in the public APIs.  An application may need 
>>> richer information for the underlying TLS connections, for example 
>>> the negotiated TLS protocol version.
>>> Please let me know if you have concerns to add a new method 
>>> HttpsURLConnection.getSSLSession() and deprecate the duplicated 
>>> methods, by the end of Nov. 2, 2018.
>>> Here is the proposal:
>>>      https://bugs.openjdk.java.net/browse/JDK-8213161
> Are there any security issues associated with returning the SSLSession, 
> since it is mutable?
It should be fine.  The update APIs of the session (invalidating, bind 
values) does not impact the connection.

> +     *           SHOULD override this method with appropriate 
> implementation.
> s/appropriate/an appropriate/
> I would probably not capitalize "SHOULD" and just say "should". "SHOULD" 
> is more common in RFCs. I don't see that much in javadocs.
> +     * @implNote The JDK Reference Implementation supports this operation.
> +     *           As an application may have to use this operation for more
> +     *           security parameters, it is recommended to support this
> +     *           operation in all implementations.
> I think it should be obvious that the JDK implementation would override 
> this method so not sure that first sentence is necessary. The other 
> sentence seems like it could be combined with the previous sentence, ex:
> "Subclasses should override this method with an appropriate 
> implementation since an application may need to access additional 
> parameters associated with the SSL session."
Updated accordingly, in the CSR and webrev:


More information about the net-dev mailing list