- CSR
- Resolution: Approved
- P3
- None
- behavioral
- minimal
- Java API
- Implementation
Summary
DTLS has only been supported by SSLEngine in the SunJSSE provider. When using DTLS, the JDK JSSE implementation should throw an exception from SSLContext.getSocketFactory() and SSLContext.getServerSocketFactory(). There is no change to the JDK API specification.
Problem
A recent JCK 11 test run after the TLS 1.3 putback showed that the JDK JSSE implementation had previously allowed more DTLS operations by SSLSocket than expected. The TLS 1.3 code changes were in the right direction, but they need to go a step further and deny socket factory creation. The SunJSSE provider's DTLS implementation has never supported this in prior releases.
Solution
A change in behavior to throw an UnsupportedOperationException from the JDK JSSE implementation of SSLContext.getServerSocketFactory() or SSLContext.getSocketFactory() if the SSLContext object is for DTLS algorithms. Each method already supports the throwing of this exception. In the case where the default SSLContext has been set to DTLS and SSL[Server]SocketFactory.getDefault() is called, the pre-existing documented failure value is returned: an inoperative factory.
Specification
When the context uses DTLS:
- SSLContext.getServerSocketFactory() or SSLContext.getSocketFactory() throws UnsupportedOperationException
- SSL[Server]SocketFactory.getDefault() returns an inoperative factory
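The behavior specified above can be checked with a small probe. This is an added example, not code from the JDK or from this CSR; the class name `DtlsFactoryProbe` and the helper `rejects` are hypothetical. It assumes a JDK with a SunJSSE "DTLS" SSLContext; on a release without this change the first two checks report `false`.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.function.Supplier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLSocketFactory;

public class DtlsFactoryProbe {
    // Hypothetical helper: true if the call is refused with UnsupportedOperationException.
    static boolean rejects(Supplier<?> factoryCall) {
        try {
            factoryCall.get();
            return false;
        } catch (UnsupportedOperationException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        SSLContext dtls = SSLContext.getInstance("DTLS");
        dtls.init(null, null, null); // default key managers, trust managers, RNG

        // Socket factories must not be obtainable from a DTLS context.
        System.out.println("getSocketFactory refused:       "
                + rejects(dtls::getSocketFactory));
        System.out.println("getServerSocketFactory refused: "
                + rejects(dtls::getServerSocketFactory));

        // SSLEngine is the supported way to use DTLS.
        SSLEngine engine = dtls.createSSLEngine();
        engine.setUseClientMode(true);
        System.out.println("engine protocols: "
                + Arrays.toString(engine.getEnabledProtocols()));

        // Default context set to DTLS: getDefault() still returns a factory
        // object, but it is inoperative and fails when asked for a socket.
        SSLContext.setDefault(dtls);
        SSLSocketFactory fallback = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try {
            fallback.createSocket();
            System.out.println("default factory created a socket");
        } catch (IOException e) {
            System.out.println("default factory is inoperative: " + e);
        }
    }
}
```

Code that selects the context algorithm from configuration should treat the UnsupportedOperationException as a configuration error rather than retrying with a socket-based path.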
- csr of: JDK-8208641 SSLSocket should throw an exception when configuring DTLS (Resolved)