[Update]: JEP 249 (OCSP Stapling for TLS)

Xuelei Fan xuelei.fan at oracle.com
Wed Jul 1 03:52:13 UTC 2015

Minor comment:

Not necessary, but in order to indicate the initialization, better to
set statusResponses variable to null explicitly in the constructor.

line 564-569

The comment does not apply here now.  You may forgot to remove this

 570   if ((cipherSuite.keyExchange == K_KRB5) ||
 571       (cipherSuite.keyExchange == K_KRB5_EXPORT) ||
 572        statusResponses == null || statusResponses.isEmpty()) {

There are situations other than KRB5 that do not use certificate-base
authentication.  The call should take care of the situations when
setting the statusResponses value.  The statusResponses should not be
set if it does not apply.  It's enough to check statusResponses only:
       if (statusResponses == null || statusResponses.isEmpty()) {

Minor comment:

59   // The default amount of time the handshaker will wait ...
60   private static final long DEFAULT_STATUS_RESP_DELAY = 5000;

I think the unit is millisecond.  Nice to indicate the time unit.

Need to update handshake states.

 964  csMsg.write(output);
+     handshakeState.update(csMsg, resumingSession);
 965  responseMap = null;


On 6/27/2015 11:06 PM, Jamil Nimeh wrote:
> Hello all, I've posted an updated webrev based on comments I've received
> so far:
> http://cr.openjdk.java.net/~jnimeh/reviews/8046321/webrev.1
> Thanks,
> --Jamil
> On 06/18/2015 05:27 PM, Jamil Nimeh wrote:
>> Hello all,
>> I have a first cut at the OCSP stapling webrev posted for your review:
>> JEP: https://bugs.openjdk.java.net/browse/JDK-8046321
>> Webrev: http://cr.openjdk.java.net/~jnimeh/reviews/8046321/webrev.0/
>> A couple items to note:
>>   * I'm in the process of updating the JEP with some more details.  I
>>     should be done with these changes by tonight (PDT).
>>   * Missing are some of the TLS end-to-end tests.  These tests have
>>     been coded and run outside the jtreg framework, but for some
>>     reason things hang in jtreg.  I've included some of the supporting
>>     classes that these tests will use (CertificateBuilder.java and
>>     SimpleOCSPResponder.java) so folks could review those if they're
>>     interested.  I will update the webrev and notify the list as soon
>>     as I've got the tests working in jtreg.
>> Thanks to everyone who has helped along the way.
>> --Jamil

More information about the security-dev mailing list