Expose TLS protocol used for connection in SecureRequestCustomizer

[joakime]

This is an enhancement request to include the TLS protocol that was used to establish the connection in the request attributes that SecureRequestCustomizer uses.

This enhancement request is for Jetty 9.2.x +

[sbordet]

I think the best way to do this is to expose the SSLSession object itself, for example under org.eclipse.jetty.servlet.request.ssl_session, from where one could get much more information than just the TLS protocol version.

[gregw]

+1 to what @sbordet said.... but make it optional. Perhaps in the style of ForwardedRequestCustomizer, have a setSslSessionAttribute(String) method that set's the name of the attribute to use. If not set, then the attribute is not set.

[joakime]

Seems a bit dangerous to expose the full SSLSession to the web applications.

Why is just exposing the TLS protocol in a new attribute undesired?

[sbordet]

Dangerous, how ?

Exposing the TLS protocol would be a non-standard addition, and then we would need to expose a bunch of other information that may be needed to web applications.

Exposing the SSLSession avoids the proliferation of non-standard attributes: we just add one rather than one for every property that SSLSession exposes.

[joakime]

If you don't know what you are doing with the SSLSession, couldn't you cause problems with your connection easily?

[sbordet]

People can always mess things up if they don't know what they're doing, e.g. call System.exit(0).

For people that needs particular, non-common, SSLSession information, looking up a non-standard attribute, I would say that if they mess up, well... but if they don't, they have all the information they want and we do this change once for all future SSLSession attributes (e.g. ALPN protocols in JDK 9).

[joakime]

Fixed in jetty-9.2.x and merged up to jetty-9.3.x