Thank you Xuelei, this is very helpful. Sorry, but I am going to ask just a few more clarifying questions to make sure that we're on the same page.
> On 27 Mar 2020, at 16:23, Xuelei Fan <xuelei....@oracle.com> wrote:
>
> On 3/27/2020 5:52 AM, Chris Hegarty wrote:
>> Xuelei,
>> Before commenting further on the interaction of the HTTP Client with various
>> contorted configurations, I would like to get a better understanding of the
>> `jdk.tls.client.protocols` property.
>> Is there a specification or other documentation describing
>> `jdk.tls.client.protocols` ?
> See the jdk.tls.client.protocols line in table "Table 8-3 System Properties
> and Customized Items" in the JSSE Reference Guide:
>
> https://docs.oracle.com/en/java/javase/14/security/java-secure-socket-extension-jsse-reference-guide.html#GUID-A41282C3-19A3-400A-A40F-86F4DA22ABA9
>
> For your quick reference, I copied the note here:
>
> ---------------
> Customized Item:
> Default handshaking protocols for TLS/DTLS clients.
>
> Notes:
> To enable specific SunJSSE protocols on the client, specify them in a
> comma-separated list within quotation marks; all other supported protocols
> are not enabled on the client

"supported" here means protocols that are supported by the provider, and may be used within a specific context. This translates, for the default SSLContext, to the API call getSupportedSSLParameters().getProtocols(), right?

getSupportedSSLParameters().getProtocols() returns a superset of getDefaultSSLParameters().getProtocols(). Conversely, getDefaultSSLParameters().getProtocols() is a strict subset of getSupportedSSLParameters().getProtocols(), right?

The `jdk.tls.client.protocols` property has no effect on getSupportedSSLParameters().getProtocols(), only on getDefaultSSLParameters().getProtocols(), right? In which case, getDefaultSSLParameters().getProtocols() returns the value of `jdk.tls.client.protocols`.
> For example,
>
> If jdk.tls.client.protocols="TLSv1,TLSv1.1", then the default protocol
> settings on the client for TLSv1 and TLSv1.1 are enabled, while SSLv3,
> TLSv1.2, TLSv1.3, and SSLv2Hello are not enabled
>
> If jdk.tls.client.protocols="DTLSv1.2", then the protocol setting on the
> client for DTLS1.2 is enabled, while DTLS1.0 is not enabled
> ---------------

It seems that the term "client" here is referring to client-initiated exchanges, rather than any specific technology. The assumption, which is reasonable, is that "clients" will use the default context. Again, this is reasonable default out-of-the-box behavior.

>> It is my understanding that the property only affects the *default*
>> protocols (not the supported protocols) of the *default* context. That
>> is, the context returned by `SSLContext.getInstance("Default")`,
> It is correct that the property impacts the default SSLContext only. The
> default SSLContext instance can be obtained from:
> SSLContext.getInstance("Default");
> SSLContext.getInstance("TLS");
> SSLContext.getInstance("DTLS");

Thanks for this clarification.

>
>> and the protocol values returned by the following invocation on that context
>> `getDefaultSSLParameters().getProtocols()`. Is this correct? If not, what
>> does it do?
> Yes.

Thanks,
-Chris.
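The relationships discussed in this thread (supported versus default protocols, the property touching only the default SSLContext, and per-connection overrides living elsewhere) can be checked empirically. The following is an added example written for this page, not code from the thread or from the JDK; the class name `ClientProtocolsCheck` is hypothetical. It assumes that `jdk.tls.client.protocols` is read when the default SSLContext is first initialized, so the property is set before any JSSE class is touched (in a real deployment you would pass it on the command line with `-D` instead). The exact protocol names printed depend on the JDK release; only the relations are checked.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;

/**
 * Shows what jdk.tls.client.protocols changes and what it leaves alone.
 * Run as:  java -Djdk.tls.client.protocols="TLSv1.2,TLSv1.3" ClientProtocolsCheck
 * If the property is absent, main() sets it before JSSE is initialized
 * (assumption: the provider reads it on first initialization of the default
 * context, so setting it later has no effect).
 */
public class ClientProtocolsCheck {

    static Set<String> asSet(String[] names) {
        return new LinkedHashSet<>(Arrays.asList(names));
    }

    /** Everything the provider can speak in this context (getSupportedSSLParameters). */
    static Set<String> supported(SSLContext ctx) {
        return asSet(ctx.getSupportedSSLParameters().getProtocols());
    }

    /** What a new connection from this context would enable unless told otherwise. */
    static Set<String> enabledByDefault(SSLContext ctx) {
        return asSet(ctx.getDefaultSSLParameters().getProtocols());
    }

    public static void main(String[] args) throws Exception {
        if (System.getProperty("jdk.tls.client.protocols") == null) {
            System.setProperty("jdk.tls.client.protocols", "TLSv1.2,TLSv1.3");
        }
        Set<String> configured = asSet(System.getProperty("jdk.tls.client.protocols").split(","));

        // "TLS" is one of the default contexts the property applies to (the others
        // being "Default" and "DTLS"). It must be initialized before
        // getDefaultSSLParameters() may be called.
        SSLContext tls = SSLContext.getInstance("TLS");
        tls.init(null, null, null);

        Set<String> sup = supported(tls);
        Set<String> def = enabledByDefault(tls);
        System.out.println("property : " + configured);
        System.out.println("supported: " + sup);
        System.out.println("default  : " + def);

        // Relation 1: the default list is always a subset of the supported list.
        if (!sup.containsAll(def)) {
            throw new AssertionError("default protocols not a subset of supported: " + def);
        }
        // Relation 2: the property narrows the default list, never the supported
        // list, so a default protocol must be one the property named ...
        if (!configured.containsAll(def)) {
            throw new AssertionError("default list contains protocols the property did not name: " + def);
        }
        // ... but the converse is not guaranteed: an entry the property names may
        // still be dropped by the provider. Report it rather than assuming it is in use.
        Set<String> dropped = new LinkedHashSet<>(configured);
        dropped.removeAll(def);
        if (!dropped.isEmpty()) {
            System.out.println("WARNING: named in the property but not enabled by default: " + dropped);
        }

        // Per the thread, the property affects only the default contexts. A context
        // obtained by protocol name keeps its own defaults; compare the two lists.
        SSLContext named = SSLContext.getInstance("TLSv1.2");
        named.init(null, null, null);
        System.out.println("TLSv1.2 context default: " + enabledByDefault(named));

        // Per-connection settings start from the context default and can be
        // overridden explicitly. Code that must not depend on the property should
        // pin the protocols here (setEnabledProtocols rejects unsupported names
        // with IllegalArgumentException).
        SSLEngine engine = tls.createSSLEngine();
        System.out.println("engine before override: " + asSet(engine.getEnabledProtocols()));
        engine.setEnabledProtocols(new String[] {"TLSv1.3"});
        System.out.println("engine after override : " + asSet(engine.getEnabledProtocols()));
    }
}
```

The practical takeaway is the last block: `jdk.tls.client.protocols` is a deployment-wide default for connections made from the default contexts, and nothing more. A library that needs a specific minimum version should set it on the SSLEngine, SSLSocket or SSLParameters it hands out, so that its behaviour does not silently change when an operator adds or removes the property.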