[security-dev 01490]: Re: OCSP Issues in JDK6

Sean Mullan Sean.Mullan at Sun.COM
Tue Jan 5 13:20:29 PST 2010

Hi Todd,

This should be fixed in OpenJDK 7. Can you test against JDK 7 to see if it works 
and I'll investigate porting the fix to OpenJDK 6?


Todd E. Johnson wrote:
> Hello,
> I posted a bug on this issue at http://bugreport.sun.com/
> The Sun provider currently ignores all but the first SingleResponse in 
> an OCSPResponse object.  This leads to an OCSP validation attempt being 
> discarded when receiving a response from an OCSP responder that provides 
> 1..n SingleRespone in a responses Sequence.
> The provider also may allow the encounter of an OCSP extension that is 
> flagged critical.  The provider currently ignores all extensions in the 
> SingleResponse object.  I believe if an extension is flagged critical, 
> and the provider is not capable of processing the extension, the 
> response MUST be discarded.
> I have created a patch to the JDK6 provider, and a piece of code to 
> provide an example pre/post patching.  It can be retrieved from:
> http://keysupport.org/code/java/Sun_Provider_OCSP_Proposed.tar.gz
> Thanks!

More information about the security-dev mailing list