8151465: SSLSession may not return a valid chain

Reviewed-by: mullan, ahgross
2016-07-27 02:23:16 +00:00 · 2016-07-27 02:23:16 +00:00 · d109f68ebd
commit d109f68ebd
parent f82a7d2bdd
4 changed files with 22 additions and 3 deletions
--- a/jdk/src/java.base/share/classes/com/sun/net/ssl/HttpsURLConnection.java
+++ b/jdk/src/java.base/share/classes/com/sun/net/ssl/HttpsURLConnection.java
@ -69,6 +69,10 @@ class HttpsURLConnection extends HttpURLConnection
    /**
     * Returns the server's X.509 certificate chain, or null if
     * the server did not authenticate.
+     * <P>
+     * Note: The returned value may not be a valid certificate chain
+     * and should not be relied on for trust decisions.
+     *
     * @return the server certificate chain
     */
    public abstract Certificate[] getServerCertificates()
--- a/jdk/src/java.base/share/classes/javax/net/ssl/HandshakeCompletedEvent.java
+++ b/jdk/src/java.base/share/classes/javax/net/ssl/HandshakeCompletedEvent.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2016, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -120,6 +120,9 @@ public class HandshakeCompletedEvent extends EventObject
     * Note: This method can be used only when using certificate-based
     * cipher suites; using it with non-certificate-based cipher suites,
     * such as Kerberos, will throw an SSLPeerUnverifiedException.
+     * <P>
+     * Note: The returned value may not be a valid certificate chain
+     * and should not be relied on for trust decisions.
     *
     * @return an ordered array of the peer certificates,
     *          with the peer's own certificate first followed by
@ -140,6 +143,9 @@ public class HandshakeCompletedEvent extends EventObject
     * Note: This method can be used only when using certificate-based
     * cipher suites; using it with non-certificate-based cipher suites,
     * such as Kerberos, will throw an SSLPeerUnverifiedException.
+     * <P>
+     * Note: The returned value may not be a valid certificate chain
+     * and should not be relied on for trust decisions.
     *
     * <p><em>Note: this method exists for compatibility with previous
     * releases. New applications should use
--- a/jdk/src/java.base/share/classes/javax/net/ssl/HttpsURLConnection.java
+++ b/jdk/src/java.base/share/classes/javax/net/ssl/HttpsURLConnection.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2016, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -104,6 +104,9 @@ class HttpsURLConnection extends HttpURLConnection
     * Note: This method can be used only when using certificate-based
     * cipher suites; using it with non-certificate-based cipher suites,
     * such as Kerberos, will throw an SSLPeerUnverifiedException.
+     * <P>
+     * Note: The returned value may not be a valid certificate chain
+     * and should not be relied on for trust decisions.
     *
     * @return an ordered array of server certificates,
     *          with the peer's own certificate first followed by
--- a/jdk/src/java.base/share/classes/javax/net/ssl/SSLSession.java
+++ b/jdk/src/java.base/share/classes/javax/net/ssl/SSLSession.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2016, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -219,6 +219,9 @@ public interface SSLSession {
     * Note: This method can be used only when using certificate-based
     * cipher suites; using it with non-certificate-based cipher suites,
     * such as Kerberos, will throw an SSLPeerUnverifiedException.
+     * <P>
+     * Note: The returned value may not be a valid certificate chain
+     * and should not be relied on for trust decisions.
     *
     * @return an ordered array of peer certificates,
     *          with the peer's own certificate first followed by any
@ -259,6 +262,9 @@ public interface SSLSession {
     * Note: This method can be used only when using certificate-based
     * cipher suites; using it with non-certificate-based cipher suites,
     * such as Kerberos, will throw an SSLPeerUnverifiedException.
+     * <P>
+     * Note: The returned value may not be a valid certificate chain
+     * and should not be relied on for trust decisions.
     *
     * <p><em>Note: this method exists for compatibility with previous
     * releases. New applications should use