[8u] TLSv1.3 RFR: 8245473: OCSP stapling support
Martin Balao
mbalao at redhat.com
Fri Jun 12 20:56:02 UTC 2020
Hi,
When importing new 11.0.7 files to the sun/security/ssl directory (see
8245468 - Step 1), we included changes from 8046321 [1] (JEP 249 [2]) in
some of the files. 8046321 goes beyond the sun/security/ssl boundary so
we either needed to backport it fully or remove its traces from
sun/security/ssl files. Given that OSCP stappling is highly desirable
for the SunJSSE engine, we decided to backport it fully in Step 6 (8245473).
Files added, modified or deleted by 8046321 in the sun/security/ssl
directory should not require changes in Step 6 (8245473) because
file-replacement in Step 1 (8245468) already did that. These files are:
* classes/sun/security/ssl/CertStatusReqExtension.java
* classes/sun/security/ssl/CertStatusReqItemV2.java
* classes/sun/security/ssl/CertStatusReqListV2Extension.java
* classes/sun/security/ssl/ClientHandshaker.java
* classes/sun/security/ssl/ExtensionType.java
* classes/sun/security/ssl/HandshakeMessage.java
* classes/sun/security/ssl/HandshakeStateManager.java
* classes/sun/security/ssl/HelloExtensions.java
* classes/sun/security/ssl/OCSPStatusRequest.java
* classes/sun/security/ssl/SSLContextImpl.java
* Changes on this file are an exception.
'jdk.tls.client.enableStatusRequestExtension' set to 'false' by default
to minimize risks. We should turn this to 'true' in the future, once the
new TLS engine is stable in JDK-8.
* classes/sun/security/ssl/SSLSessionImpl.java
* Changes on this file are an exception. Step 6 (8245473) required a
minor change for compilation in JDK-8.
* classes/sun/security/ssl/ServerHandshaker.java
* classes/sun/security/ssl/StatusRequest.java
* classes/sun/security/ssl/StatusRequestType.java
* classes/sun/security/ssl/StatusResponseManager.java
* classes/sun/security/ssl/UnknownStatusRequest.java
* classes/sun/security/ssl/X509TrustManagerImpl.java
* Changes on this file are an exception. We cast to SSLSessionImpl
instead of ExtendedSSLSession because the public API was not modified to
include ExtendedSSLSession::getStatusResponses.
Test files (under test/*) will be handled by later steps, so we won't
consider them at this point.
The files and changes in 8046321 that need to be reviewed against Step 6
(8245473) are:
* classes/javax/net/ssl/ExtendedSSLSession.java (modified)
* We are not going to modify the JDK-8
javax.net.ssl.ExtendedSSLSession API adding a new method. OSCP stappling
will be used SunJSSE internally only (with SunJSSE's X509 Trust Manager).
* classes/sun/security/provider/certpath/OCSP.java (modified)
* Ok: no modifications needed because the file was already in JDK-8
* classes/sun/security/provider/certpath/OCSPNonceExtension.java (new)
* Ok
* classes/sun/security/provider/certpath/OCSPRequest.java (modified)
* Ok: no modifications needed because the file was already in JDK-8
* classes/sun/security/provider/certpath/OCSPResponse.java (modified)
* Ok: no modifications needed because the file was already in JDK-8
* classes/sun/security/provider/certpath/ResponderId.java (new)
* Ok: no modifications needed because the file was already in JDK-8
* classes/sun/security/validator/PKIXValidator.java (modified)
* Ok
* classes/sun/security/validator/SimpleValidator.java (modified)
* Ok
* classes/sun/security/validator/Validator.java (modified)
* Ok
* classes/sun/security/x509/PKIXExtensions.java (modified)
* Ok
Note: Step 6 (8245473) v1 does not include any other change out of the
previous set of files. This is what we expect.
Files modified in Step 6 (8245473) v0 that are not part of 8046321:
* classes/sun/security/provider/certpath/RevocationChecker.java
* Ok, this was reverted in v1 and the backport of 8161973 will be
proposed separately.
* See: https://bugs.openjdk.java.net/browse/JDK-8247276
Step 6 (8245473) v1 looks good to me.
The following comments are part of this review too: [3] [4].
We need a CSR process because new properties are being introduced as
part of this change.
Please hold-on the push to the repository until the whole series is
reviewed, CSR-approved and maintainer approved.
Thanks,
Martin.-
--
[1] - https://bugs.openjdk.java.net/browse/JDK-8046321
[2] - https://openjdk.java.net/jeps/249
[3] -
https://mail.openjdk.java.net/pipermail/jdk8u-dev/2020-June/011892.html
[4] -
https://mail.openjdk.java.net/pipermail/jdk8u-dev/2020-June/011916.html
More information about the jdk8u-dev
mailing list