RFR: JEP 249 (OCSP Stapling for TLS)

Bernd Eckenfels ecki at zusammenkunft.net
Tue Jun 23 08:17:30 UTC 2015


Hello,

this is a general comment, not necessarily applicable to the OCSP
stapling options directly:

On Tue, 23 Jun 2015 15:39:30 +0800,
Xuelei Fan <xuelei.fan at oracle.com> wrote:

> Caches, for example session/trust manager/key manager, are used a lot
> in SSL/TLS handshaking.  Dynamic system properties may make the
> behavior a little bit complicated.  In general, if not necessary, I
> would prefer to use static system properties as we did before for
> similar properties. Developers only need to understand one mode, which
> would simplify the learning curve, I think.

But it's a huge problem when you have to interface with multiple
partners. This is especially the case for turning features on and off. One
server does not allow the use of SNI, the other requires it. One would use
a weak DHE key when DHE is enabled, the other would not use forward
secrecy without it. Some implementations fail with OCSP extensions, others
do not (etc.).

So a general interface for setting those parameters on the
context/session/factory instead of (only) system properties would be
great.

Regards
Bernd
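As an added illustration of the per-partner configuration Bernd is asking for (this is example code written for this archive page, not code from the thread, from JEP 249 or from the JDK): JSSE already exposes some TLS settings per connection through SSLParameters, while others, such as SNI before JDK 7's setServerNames, the ephemeral DH key size (jdk.tls.ephemeralDHKeySize) and the JEP 249 stapling switch (jdk.tls.client.enableStatusRequestExtension in the final JDK 9 implementation), are JVM-wide static system properties. The PartnerProfile class, the host names and the two profiles below are invented for the example; the sockets are created unconnected so the block runs offline.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class PerPartnerTls {

    /** Hypothetical per-partner policy; not a JSSE type. */
    static final class PartnerProfile {
        final String host;
        final boolean sendSni;        // some partners break on SNI, others require it
        final String[] protocols;     // null = keep the socket's defaults
        final String[] cipherSuites;  // null = keep the socket's defaults

        PartnerProfile(String host, boolean sendSni, String[] protocols, String[] cipherSuites) {
            this.host = host;
            this.sendSni = sendSni;
            this.protocols = protocols;
            this.cipherSuites = cipherSuites;
        }
    }

    /** Builds per-connection SSLParameters from a profile, starting from the socket's defaults. */
    static SSLParameters parametersFor(PartnerProfile p, SSLParameters base) {
        SSLParameters params = new SSLParameters(
                p.cipherSuites != null ? p.cipherSuites : base.getCipherSuites(),
                p.protocols != null ? p.protocols : base.getProtocols());

        // SNI decided per connection instead of via the JVM-wide jsse.enableSNIExtension property:
        // an explicit empty list suppresses the extension, a host name list sends it.
        List<SNIServerName> names = p.sendSni
                ? Collections.<SNIServerName>singletonList(new SNIHostName(p.host))
                : Collections.<SNIServerName>emptyList();
        params.setServerNames(names);

        // Host name verification of the server certificate (RFC 2818 style), per connection.
        params.setEndpointIdentificationAlgorithm("HTTPS");
        // Prefer our cipher suite order so a forward-secret suite wins where the peer offers one.
        params.setUseCipherSuitesOrder(true);

        // Not available here: the DHE key size (jdk.tls.ephemeralDHKeySize) and, in the final
        // JEP 249 implementation, the stapling toggle (jdk.tls.client.enableStatusRequestExtension)
        // are static system properties and apply to every connection in the JVM.
        return params;
    }

    /** Creates an unconnected socket and applies the profile; connect() and startHandshake() come later. */
    static SSLSocket prepare(SSLSocketFactory factory, PartnerProfile p) throws IOException {
        SSLSocket socket = (SSLSocket) factory.createSocket(); // unconnected, so no network needed here
        socket.setSSLParameters(parametersFor(p, socket.getSSLParameters()));
        return socket;
    }

    public static void main(String[] args) throws Exception {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();

        // Constructed sample profiles: one legacy partner that breaks on SNI, one modern partner
        // that requires SNI and is pinned to a forward-secret AEAD suite.
        PartnerProfile legacy = new PartnerProfile("legacy.example", false,
                new String[] {"TLSv1.2"}, null);
        PartnerProfile modern = new PartnerProfile("modern.example", true,
                new String[] {"TLSv1.2"},
                new String[] {"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"});

        for (PartnerProfile p : new PartnerProfile[] {legacy, modern}) {
            try (SSLSocket s = prepare(factory, p)) {
                SSLParameters sp = s.getSSLParameters();
                System.out.println(p.host
                        + " sni=" + sp.getServerNames()
                        + " protocols=" + Arrays.toString(sp.getProtocols())
                        + " suites=" + Arrays.toString(sp.getCipherSuites()));
                // For a real connection:
                // s.connect(new InetSocketAddress(p.host, 443)); s.startHandshake();
            }
        }
    }
}
```

The point of the example is the split it makes visible: everything set through SSLParameters can differ per partner and per connection, whereas the settings that only exist as system properties have to be chosen once for the whole JVM, which is exactly the situation the message above describes.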
