RFR: JEP 249 (OCSP Stapling for TLS)

Jamil Nimeh jamil.j.nimeh at oracle.com
Fri Jun 26 16:58:03 UTC 2015

On 06/24/2015 09:32 PM, Xuelei Fan wrote:
> src/java.base/share/classes/sun/security/ssl/X509TrustManagerImpl.java
> ======================================================================
> A key/trust manager would better be immutable.
> private final ThreadLocal<Validator> clientValidator ...
> private final ThreadLocal<Validator> serverValidator ...
> ThreadLocal does not work here in some circumstances.  In AIO
> programming, multiple connections may share the same thread.  Better to
> keep key/trust manager and validator immutable.
> I think using the status as a validate() method parameter, rather than
> updating the validator status, should work.
Sorry for taking a bit to respond.  I had to look a little deeper into 
Validator and PKIXValidator, but I understand now where you're going 
with this.  It does seem like a good way to keep things sane both in the 
multi-threaded and single-thread AIO schemes.  I'll get this coded up 
and issue a new webrev with all the comments up to now.
> Xuelei
> On 6/19/2015 8:27 AM, Jamil Nimeh wrote:
>> Hello all,
>> I have a first cut at the OCSP stapling webrev posted for your review:
>> JEP: https://bugs.openjdk.java.net/browse/JDK-8046321
>> Webrev: http://cr.openjdk.java.net/~jnimeh/reviews/8046321/webrev.0/
>> A couple items to note:
>>    * I'm in the process of updating the JEP with some more details.  I
>>      should be done with these changes by tonight (PDT).
>>    * Missing are some of the TLS end-to-end tests.  These tests have been
>>      coded and run outside the jtreg framework, but for some reason
>>      things hang in jtreg.  I've included some of the supporting classes
>>      that these tests will use (CertificateBuilder.java and
>>      SimpleOCSPResponder.java) so folks could review those if they're
>>      interested.  I will update the webrev and notify the list as soon as
>>      I've got the tests working in jtreg.
>> Thanks to everyone who has helped along the way.
>> --Jamil

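The design point in the review above, as an added illustration that is not part of the thread or of the JDK sources: a validator that keeps the stapled OCSP status in a ThreadLocal versus one that is immutable and takes the status as a validate() argument. All class and method names here (StapledStatus, ThreadLocalStatusValidator, ImmutableValidator) are invented for the demo; they are not sun.security.validator.Validator or PKIXValidator. The "stapled status" is a constructed label standing in for a CertificateStatus payload, and the two connections A and B are driven by hand on one thread to mimic an AIO event loop.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class StaplingStateDemo {

    /** Stand-in for a stapled OCSP response; a constructed label, not real DER. */
    static final class StapledStatus {
        final String forConnection;
        StapledStatus(String forConnection) { this.forConnection = forConnection; }
    }

    /** "Before" shape: the validator carries per-handshake state in a ThreadLocal. */
    static final class ThreadLocalStatusValidator {
        private final ThreadLocal<StapledStatus> status = new ThreadLocal<>();

        void setStatus(StapledStatus s) { status.set(s); }

        /** Uses whatever status was last stored on the calling thread, whoever stored it. */
        String validate(String chainOwner) {
            StapledStatus s = status.get();
            return s == null ? "<none>" : s.forConnection;
        }
    }

    /** "After" shape: no mutable fields; the status travels with the call. */
    static final class ImmutableValidator {
        String validate(String chainOwner, StapledStatus s) {
            return s == null ? "<none>" : s.forConnection;
        }
    }

    /**
     * Two connections, A and B, handshake on one event-loop thread. Each first
     * receives its stapled status; only later, after the other connection has also
     * run a step, does it validate its peer chain. Returns connection -> status used.
     */
    static Map<String, String> withThreadLocal() {
        ThreadLocalStatusValidator v = new ThreadLocalStatusValidator();
        Map<String, String> used = new LinkedHashMap<>();
        v.setStatus(new StapledStatus("A"));   // A: CertificateStatus arrives
        v.setStatus(new StapledStatus("B"));   // B: CertificateStatus arrives, overwrites A's
        used.put("A", v.validate("A"));        // A validates and silently picks up B's status
        used.put("B", v.validate("B"));
        return used;
    }

    static Map<String, String> withParameter() {
        ImmutableValidator v = new ImmutableValidator();
        Map<String, StapledStatus> handshakeCtx = new LinkedHashMap<>();  // per-connection state
        Map<String, String> used = new LinkedHashMap<>();
        handshakeCtx.put("A", new StapledStatus("A"));
        handshakeCtx.put("B", new StapledStatus("B"));
        used.put("A", v.validate("A", handshakeCtx.get("A")));
        used.put("B", v.validate("B", handshakeCtx.get("B")));
        return used;
    }

    /** True when every connection was validated against its own stapled status. */
    static boolean allMatch(Map<String, String> used) {
        for (Map.Entry<String, String> e : used.entrySet()) {
            if (!e.getKey().equals(e.getValue())) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        Map<String, String> tl = withThreadLocal();
        Map<String, String> param = withParameter();
        System.out.println("ThreadLocal state : " + tl + " consistent=" + allMatch(tl));
        System.out.println("Parameter passing : " + param + " consistent=" + allMatch(param));
    }
}
```

Running it shows the ThreadLocal variant validating connection A against B's status, while the parameter-passing variant keeps each connection's status with its own handshake context and the validator itself stays free of mutable fields, which is what makes it safe to share across threads and across connections multiplexed onto one thread.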