On Tue, 15 Nov 2022 19:12:19 GMT, Xue-Lei Andrew Fan <xue...@openjdk.org> wrote:
> > It may be not an option to stop at SSLContext.getInstance() if the protocol > > is disabled rather than delay to handshaking, as an application still can > > have the protocol back by overriding the default security properties. > > I may be wrong. The security property may be just loaded one time, and the > follow-on update will not take effect. If it is the case, is it an option to > stop at SSLContext.getInstance()? It is not specified if the property is read only once or multiple times. However, the JDK implementation reads it once and also when it creates an SSLContext, so there is no chance to modify it later. ------------- PR: https://git.openjdk.org/jdk/pull/11172
