RFR: JEP 249 (OCSP Stapling for TLS)

Xuelei Fan xuelei.fan at oracle.com
Thu Jun 25 04:32:43 UTC 2015


src/java.base/share/classes/sun/security/ssl/X509TrustManagerImpl.java
======================================================================

A key/trust manager would better be immutable.

private final ThreadLocal<Validator> clientValidator ...
private final ThreadLocal<Validator> serverValidator ...

ThreadLocal does not work here in some circumstances.  In AIO
programming, multiple connections may share the same thread.  Better to
keep key/trust manager and validator immutable.

I think, using the status as a validate() method parameter, rather than
updating the validator status, should work.

Xuelei


On 6/19/2015 8:27 AM, Jamil Nimeh wrote:
> Hello all,
> 
> I have a first cut at the OCSP stapling webrev posted for your review:
> 
> JEP: https://bugs.openjdk.java.net/browse/JDK-8046321
> Webrev: http://cr.openjdk.java.net/~jnimeh/reviews/8046321/webrev.0/
> 
> A couple items to note:
> 
>   * I'm in the process of updating the JEP with some more details.  I
>     should be done with these changes by tonight (PDT).
>   * Missing are some of the TLS end-to-end tests.  These tests have been
>     coded and run outside the jtreg framework, but for some reason
>     things hang in jtreg.  I've included some of the supporting classes
>     that these tests will use (CertificateBuilder.java and
>     SimpleOCSPResponder.java) so folks could review those if they're
>     interested.  I will update the webrev and notify the list as soon as
>     I've got the tests working in jtreg.
> 
> Thanks to everyone who has helped along the way.
> 
> --Jamil
> 
> 
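The interleaving Xuelei describes, as an added illustration that is not part of the webrev or the JDK source: one thread drives two handshakes in AIO style, a ThreadLocal stashes the stapled status per thread, and connection A ends up validated against B's status; passing the status into validate() keeps the validator immutable and the data tied to the connection. All class names and status strings here are hypothetical, constructed for the demo.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public final class StaplingStateDemo {

    // Shape under review: the stapled status is parked in a ThreadLocal
    // before validate() runs, so it is tied to the thread, not the connection.
    static final class ThreadLocalValidator {
        private final ThreadLocal<String> staple = new ThreadLocal<>();
        void setStaple(String status) { staple.set(status); }
        String validate(String peer) { return peer + " validated with " + staple.get(); }
    }

    // Suggested shape: the validator holds no mutable state; the status
    // travels with the call, so interleaving on one thread cannot mix it up.
    static final class ImmutableValidator {
        String validate(String peer, String status) { return peer + " validated with " + status; }
    }

    // Simulated AIO event loop: one thread, two handshakes whose steps
    // interleave (A's staple arrives, then B's, then A reaches validate()).
    static Map<String, String> threadLocalRun() {
        ThreadLocalValidator v = new ThreadLocalValidator();
        Map<String, String> out = new LinkedHashMap<>();
        v.setStaple("ocsp-status-for-A");      // constructed sample value
        v.setStaple("ocsp-status-for-B");      // B's step runs on the same thread
        out.put("A", v.validate("peer-A"));    // A now sees B's status
        out.put("B", v.validate("peer-B"));
        return out;
    }

    static Map<String, String> immutableRun() {
        ImmutableValidator v = new ImmutableValidator();
        Map<String, String> out = new LinkedHashMap<>();
        String stapleA = "ocsp-status-for-A";  // kept with connection A's own state
        String stapleB = "ocsp-status-for-B";
        out.put("A", v.validate("peer-A", stapleA));
        out.put("B", v.validate("peer-B", stapleB));
        return out;
    }

    public static void main(String[] args) {
        System.out.println("ThreadLocal: " + threadLocalRun()); // A paired with B's status
        System.out.println("Parameter:   " + immutableRun());   // each peer gets its own
    }
}
```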