RFR: JEP 249 (OCSP Stapling for TLS)
Xuelei Fan
xuelei.fan at oracle.com
Tue Jun 23 08:34:36 UTC 2015
On 6/23/2015 4:17 PM, Bernd Eckenfels wrote:
> Hello,
>
> this is a general comment, not necessarily applicable to the OCSP
> stapling options directly:
>
> Am Tue, 23 Jun 2015 15:39:30 +0800
> schrieb Xuelei Fan <xuelei.fan at oracle.com>:
>
>> Caches, for example session/trust manager/key manager, are used a lot
>> in SSL/TLS handshaking. Dynamic system property may make the
>> behavior a little bit complicated. In general, if not necessary, I
>> would prefer to use static system property as what we did before for
>> similar properties. Developers only need to understand one mode, as
>> which would simplify the learning curve, I think.
>
> But its a huge problem when you have to interface with multiple
> partners. This especially is for turning features on and off. One
> server does not allow to use SNI, the other requires it. One would use
> a weak DHE key when DHE is enabled, the other would not use forward
> secrecy without. Some implementation fails with OCSP extensions the
> other not (etc).
>
> So a general interface for setting those parameters on the
> context/session/factory instead of (only) system properties would be
> great.
>
Yes. System properties should not be the preferable approach. API
level methods are needed. This may be addressed in a separate bug in the near
future.
Thanks,
Xuelei
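As an added illustration of the per-partner configuration Bernd asks for (this is example code written for this page, not part of JEP 249, the JDK, or either participant's message): the existing JSSE `SSLParameters` API already lets a client carry SNI, cipher-suite and protocol choices on each socket, so two peers with conflicting requirements can be handled in one process without flipping a global system property. The partner hosts, ports and profiles below are invented; the stapling switches JEP 249 introduces are not modelled here, since the thread is about the general configuration mechanism rather than the stapling options themselves.

```java
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.Collections;
import java.util.List;

/**
 * Per-partner TLS settings carried on the connection instead of in a
 * process-wide system property. Illustrative code for this thread, not part
 * of JEP 249 or the JDK; the partner profiles below are invented.
 */
public final class PartnerTlsProfiles {

    /** One partner's handshake requirements (constructed example data). */
    static final class Profile {
        final String host;
        final int port;
        final boolean sendSni;        // some peers reject the SNI extension
        final String[] cipherSuites;  // ECDHE-only here, to sidestep weak DHE groups
        final String[] protocols;

        Profile(String host, int port, boolean sendSni,
                String[] cipherSuites, String[] protocols) {
            this.host = host;
            this.port = port;
            this.sendSni = sendSni;
            this.cipherSuites = cipherSuites;
            this.protocols = protocols;
        }
    }

    // Two hypothetical partners with conflicting requirements, as in the thread.
    static final Profile LEGACY_PARTNER = new Profile("legacy.example", 443, false,
        new String[] {"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"}, new String[] {"TLSv1.2"});
    static final Profile MODERN_PARTNER = new Profile("modern.example", 443, true,
        new String[] {"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}, new String[] {"TLSv1.2"});

    /** Applies a profile to the socket's parameters; no system property is touched. */
    static SSLParameters parametersFor(Profile p, SSLParameters base) {
        base.setProtocols(p.protocols);
        base.setCipherSuites(p.cipherSuites);
        base.setEndpointIdentificationAlgorithm("HTTPS"); // hostname verification
        if (p.sendSni) {
            List<SNIServerName> names =
                Collections.<SNIServerName>singletonList(new SNIHostName(p.host));
            base.setServerNames(names);
        } else {
            // In SunJSSE an explicitly empty list suppresses the SNI extension,
            // whereas null keeps the provider default.
            base.setServerNames(Collections.<SNIServerName>emptyList());
        }
        return base;
    }

    /** Connects to the partner and completes the handshake with its profile. */
    static SSLSocket connect(SSLContext ctx, Profile p) throws IOException {
        SSLSocketFactory factory = ctx.getSocketFactory();
        SSLSocket socket = (SSLSocket) factory.createSocket(p.host, p.port);
        socket.setSSLParameters(parametersFor(p, socket.getSSLParameters()));
        socket.startHandshake();
        return socket;
    }

    public static void main(String[] args) throws IOException, GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // default key and trust managers
        for (Profile p : new Profile[] {LEGACY_PARTNER, MODERN_PARTNER}) {
            try (SSLSocket s = connect(ctx, p)) {
                System.out.println(p.host + ": " + s.getSession().getProtocol()
                    + " / " + s.getSession().getCipherSuite());
            }
        }
    }
}
```

The point of the example is the shape of the configuration: one `SSLContext`, many connections, each with its own `SSLParameters`. Anything that can only be set through a static system property (as the stapling toggles in this JEP are) has to be decided once for the whole JVM, which is exactly the limitation the thread is discussing.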