Review Request of JDK Enhancement Proposal: OCSP stapling

Florian Weimer fweimer at redhat.com
Fri May 9 08:54:04 UTC 2014


On 05/06/2014 04:05 PM, Xuelei Fan wrote:
> On 5/6/2014 9:36 PM, Florian Weimer wrote:
>> On 04/02/2014 01:19 AM, Xuelei Fan wrote:
>>> Here is the updated version:
>>>     http://cr.openjdk.java.net/~xuelei/8034248/jep-csre-v01.txt
>>>
>>> Updated the description section and a few words so that it is easier to
>>> understand.
>>
>> I think the server side would benefit from an API which allows code to
>> directly supply the OCSP response to be stapled, perhaps as part of the
>> extended trust manager.
>>
> Typically, OCSP response is time-variant.  Ideally, the response should
> be retrieved and updated internally, in time and automatically.  For the
> first stage, I only want to implement the essential feature, and keep
> the footprint as small as possible.

I think we need a non-blocking way to inject the OCSP response into 
SSLEngine.

And from a deployment perspective, we really need to provide something 
that avoids making the OCSP request directly (or through an HTTP proxy). 
  Access to external resources is often quite restricted, and due to the 
way OCSP has been specified, it is rather difficult to proxy it without 
providing a generic web proxy service.

-- 
Florian Weimer / Red Hat Product Security Team


More information about the security-dev mailing list