[security-dev 01490]: Re: OCSP Issues in JDK6
Sean Mullan
Sean.Mullan at Sun.COM
Tue Jan 5 21:20:29 UTC 2010

Hi Todd,

This should be fixed in OpenJDK 7. Can you test against JDK 7 to see if it works
and I'll investigate porting the fix to OpenJDK 6?

--Sean

Todd E. Johnson wrote:
> Hello,
>
> I posted a bug on this issue at http://bugreport.sun.com/
>
> The Sun provider currently ignores all but the first SingleResponse in
> an OCSPResponse object. This leads to an OCSP validation attempt being
> discarded when receiving a response from an OCSP responder that provides
> 1..n SingleResponse in a responses Sequence.
>
> The provider also may allow the encounter of an OCSP extension that is
> flagged critical. The provider currently ignores all extensions in the
> SingleResponse object. I believe if an extension is flagged critical,
> and the provider is not capable of processing the extension, the
> response MUST be discarded.
>
> I have created a patch to the JDK6 provider, and a piece of code to
> provide an example pre/post patching. It can be retrieved from:
>
> http://keysupport.org/code/java/Sun_Provider_OCSP_Proposed.tar.gz
>
> Thanks!
>
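
The handling the quoted report asks for, as an added example (not the patch in the linked tarball and not JDK provider code): scan every SingleResponse for the entry matching the requested certificate, and discard the response if that entry carries a critical extension the validator cannot process. The classes, the opaque `certId` string standing in for the encoded CertID, the placeholder OID and the empty "understood" set are all assumptions made for illustration.

```java
import java.util.*;

public class SingleResponseSelection {
    // Hypothetical, already-decoded model of the fields this check needs.
    static final class Ext {
        final String oid; final boolean critical;
        Ext(String oid, boolean critical) { this.oid = oid; this.critical = critical; }
    }
    static final class SingleResp {
        final String certId; final String status; final List<Ext> exts;
        SingleResp(String certId, String status, Ext... exts) {
            this.certId = certId; this.status = status; this.exts = Arrays.asList(exts);
        }
    }

    // Extension OIDs this sketch knows how to process (assumption: none).
    static final Set<String> UNDERSTOOD = Collections.emptySet();

    /** Returns the status for the requested CertID, or throws if the response must be discarded. */
    static String statusFor(String wanted, List<SingleResp> responses) {
        for (SingleResp r : responses) {            // scan every entry, not only the first
            if (!r.certId.equals(wanted)) continue;
            for (Ext e : r.exts) {
                if (e.critical && !UNDERSTOOD.contains(e.oid))
                    throw new SecurityException("unhandled critical extension " + e.oid);
            }
            return r.status;
        }
        throw new SecurityException("no SingleResponse for " + wanted);
    }

    public static void main(String[] args) {
        // Constructed sample: the requested certificate is the second entry.
        List<SingleResp> multi = Arrays.asList(
            new SingleResp("issuerA/serial-01", "GOOD"),
            new SingleResp("issuerA/serial-02", "REVOKED"));
        System.out.println(statusFor("issuerA/serial-02", multi));

        // Constructed sample: the matching entry has a critical extension we cannot process.
        List<SingleResp> crit = Arrays.asList(
            new SingleResp("issuerA/serial-02", "GOOD", new Ext("1.2.3.4", true)));
        try {
            statusFor("issuerA/serial-02", crit);
        } catch (SecurityException ex) {
            System.out.println("discarded: " + ex.getMessage());
        }
    }
}
```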