Review Request of JDK Enhancement Proposal: OCSP stapling

Xuelei Fan xuelei.fan at oracle.com
Fri May 9 12:25:55 UTC 2014


On 5/9/2014 4:54 PM, Florian Weimer wrote:
> On 05/06/2014 04:05 PM, Xuelei Fan wrote:
>> On 5/6/2014 9:36 PM, Florian Weimer wrote:
>>> On 04/02/2014 01:19 AM, Xuelei Fan wrote:
>>>> Here is the updated version:
>>>>     http://cr.openjdk.java.net/~xuelei/8034248/jep-csre-v01.txt
>>>>
>>>> Updated the description section and a few words so that it is easier to
>>>> understand.
>>>
>>> I think the server side would benefit from an API which allows code to
>>> directly supply the OCSP response to be stapled, perhaps as part of the
>>> extended trust manager.
>>>
>> Typically, OCSP response is time-variant.  Ideally, the response should
>> be retrieved and updated internally, in time and automatically.  For the
>> first stage, I only want to implement the essential feature, and keep
>> the footprint as small as possible.
> 
> I think we need a non-blocking way to inject the OCSP response into
> SSLEngine.
> 
Yes. The delegated task can be used to get the OCSP response.

> And from a deployment perspective, we really need to provide something
> that avoids making the OCSP request directly (or through an HTTP proxy).
>  Access to external resources is often quite restricted, and due to the
> way OCSP has been specified, it is rather difficult to proxy it without
> providing a generic web proxy service.
> 
Really good point!  In the SunJSSE provider, the PKIXRevocationChecker can
be used to get the OCSP response.  However, this cannot apply to a
customized key/trust manager.  I will consider adding new APIs to allow
the supply of OCSP responses, probably in the key manager, in this JEP or in an
additional small enhancement later.

Thanks,
Xuelei
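The exchange above turns on driving SSLEngine without blocking the I/O thread: the handshake state machine reports NEED_TASK, and the engine's delegated tasks are where a provider can do slow work such as fetching an OCSP response. The following is an added example, not code from the JEP or from the JDK, showing a complete in-memory handshake between a client and a server SSLEngine in which every delegated task is run on a separate executor. It assumes a PKCS12 keystore path and password on the command line (the file name `ks.p12`, the alias `s` and the hostname `localhost` are illustrative); the client trusts the same keystore, so it runs offline.

```java
import javax.net.ssl.*;
import java.io.FileInputStream;
import java.nio.ByteBuffer;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.*;

import static javax.net.ssl.SSLEngineResult.HandshakeStatus.NOT_HANDSHAKING;

/*
 * Added example (not JEP or JDK code): a non-blocking handshake driver that
 * hands every SSLEngine delegated task to an executor. Any blocking work a
 * provider places in a delegated task (an OCSP fetch, for instance) therefore
 * runs off the I/O thread. Assumes a PKCS12 keystore created e.g. with:
 *   keytool -genkeypair -keyalg RSA -keystore ks.p12 -storetype PKCS12 -alias s
 * and invoked as: java DelegatedTaskHandshake ks.p12 <password>
 */
public class DelegatedTaskHandshake {
    private static final ExecutorService TASKS = Executors.newFixedThreadPool(2);

    // Builds one context used for both sides: the keystore supplies the server
    // key and the client's trust anchor, so no network or external CA is needed.
    static SSLContext context(String ksPath, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(ksPath)) { ks.load(in, pw); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pw);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    // Drains every pending delegated task onto the executor and returns a
    // future that completes when all of them have run.
    static CompletableFuture<Void> runDelegatedTasks(SSLEngine engine) {
        List<CompletableFuture<Void>> pending = new ArrayList<>();
        Runnable task;
        while ((task = engine.getDelegatedTask()) != null) {
            pending.add(CompletableFuture.runAsync(task, TASKS));
        }
        return CompletableFuture.allOf(pending.toArray(new CompletableFuture[0]));
    }

    // One handshake step. 'out' carries records toward the peer and 'in' records
    // from it; both buffers stay in put mode between calls (flip/compact around
    // each unwrap). An empty 'in' simply yields BUFFER_UNDERFLOW and is retried.
    static void step(SSLEngine engine, ByteBuffer out, ByteBuffer in, ByteBuffer app) throws Exception {
        switch (engine.getHandshakeStatus()) {
            case NEED_WRAP:
                engine.wrap(ByteBuffer.allocate(0), out);
                break;
            case NEED_UNWRAP:
                in.flip();
                engine.unwrap(in, app);
                in.compact();
                break;
            case NEED_TASK:
                // A real I/O loop would return here and resume when the future
                // completes; waiting with a timeout keeps this example linear.
                runDelegatedTasks(engine).get(10, TimeUnit.SECONDS);
                break;
            default:
                break;
        }
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = context(args[0], args[1].toCharArray());
        SSLEngine client = ctx.createSSLEngine("localhost", 443);
        client.setUseClientMode(true);
        SSLEngine server = ctx.createSSLEngine();
        server.setUseClientMode(false);
        client.beginHandshake();
        server.beginHandshake();

        ByteBuffer c2s = ByteBuffer.allocate(1 << 16), s2c = ByteBuffer.allocate(1 << 16);
        ByteBuffer clientApp = ByteBuffer.allocate(client.getSession().getApplicationBufferSize());
        ByteBuffer serverApp = ByteBuffer.allocate(server.getSession().getApplicationBufferSize());

        // Alternate steps until both engines report NOT_HANDSHAKING (bounded so a
        // stalled handshake cannot spin forever).
        for (int i = 0; i < 200 && (client.getHandshakeStatus() != NOT_HANDSHAKING
                                 || server.getHandshakeStatus() != NOT_HANDSHAKING); i++) {
            step(client, c2s, s2c, clientApp);
            step(server, s2c, c2s, serverApp);
        }
        System.out.println("client: " + client.getHandshakeStatus()
                + ", protocol " + client.getSession().getProtocol()
                + ", suite " + client.getSession().getCipherSuite());
        TASKS.shutdown();
    }
}
```

The point of the executor is that the thread calling wrap/unwrap never blocks on whatever the provider does inside a delegated task; in a production selector loop the NEED_TASK branch would register a completion callback instead of calling get(). Size the pool for the number of concurrent handshakes expected, since a task that waits on a slow OCSP responder holds a pool thread for that long.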

