RFR: JEP 249 (OCSP Stapling for TLS)

Thomas Lußnig openjdk at suche.org
Sun Jun 21 13:46:52 UTC 2015


Hi,

here are some comments about what i was thinking:

http://cr.openjdk.java.net/~jnimeh/reviews/8046321/webrev.0/src/java.base/share/classes/javax/net/ssl/ExtendedSSLSession.java.patch
- Why not make the parsed message available ?
  If the client wan't to check it he need to parse/implement the
handling again.
http://cr.openjdk.java.net/~jnimeh/reviews/8046321/webrev.0/src/java.base/share/classes/sun/security/ssl/ClientHandshaker.java.patch
- Why not allow to toggle each of the extensions individually ?
  I think after Heartbleed this would be an good idee
+        if (enableStatusRequestExtension) {
+            clientHelloMessage.addCertStatusReqListV2Extension();
+            clientHelloMessage.addCertStatusRequestExtension();
+        }
http://cr.openjdk.java.net/~jnimeh/reviews/8046321/webrev.0/src/java.base/share/classes/sun/security/x509/PKIXExtensions.java.patch
- Why to break the comments earlyer ?




More information about the security-dev mailing list