RFR: JEP 249 (OCSP Stapling for TLS)
Jamil Nimeh
jamil.j.nimeh at oracle.com
Fri Jun 26 16:58:03 UTC 2015
On 06/24/2015 09:32 PM, Xuelei Fan wrote:
> src/java.base/share/classes/sun/security/ssl/X509TrustManagerImpl.java
> ======================================================================
>
> A key/trust manager had better be immutable.
>
> private final ThreadLocal<Validator> clientValidator ...
> private final ThreadLocal<Validator> serverValidator ...
>
> ThreadLocal does not work here in some circumstances. In AIO
> programming, multiple connections may share the same thread. Better to
> keep the key/trust manager and validator immutable.
>
> I think using the status as a validate() method parameter, rather than
> updating the validator status, should work.
Sorry for taking a bit to respond. I had to look a little deeper into
Validator and PKIXValidator, but I understand now where you're going
with this. It does seem like a good way to keep things sane both in the
multi-threaded and single-thread AIO schemes. I'll get this coded up
and issue a new webrev with all the comments up to now.
>
> Xuelei
>
>
> On 6/19/2015 8:27 AM, Jamil Nimeh wrote:
>> Hello all,
>>
>> I have a first cut at the OCSP stapling webrev posted for your review:
>>
>> JEP: https://bugs.openjdk.java.net/browse/JDK-8046321
>> Webrev: http://cr.openjdk.java.net/~jnimeh/reviews/8046321/webrev.0/
>>
>> A couple items to note:
>>
>> * I'm in the process of updating the JEP with some more details. I
>> should be done with these changes by tonight (PDT).
>> * Missing are some of the TLS end-to-end tests. These tests have been
>> coded and run outside the jtreg framework, but for some reason
>> things hang in jtreg. I've included some of the supporting classes
>> that these tests will use (CertificateBuilder.java and
>> SimpleOCSPResponder.java) so folks could review those if they're
>> interested. I will update the webrev and notify the list as soon as
>> I've got the tests working in jtreg.
>>
>> Thanks to everyone who has helped along the way.
>>
>> --Jamil
>>
>>
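The concurrency point raised above (per-thread mutable state in a shared trust manager versus passing the stapled status into validate()) is easy to see in a small sketch. The Java below is an added illustration, not code from the JDK or from the webrev under review; the class names, the StapledStatus holder and the event-loop simulation are hypothetical simplifications. It interleaves two handshakes on one thread, as an AIO event loop would, and shows that the ThreadLocal slot hands connection A the status that belonged to connection B, while the immutable validator that takes the status as a parameter cannot mix them up.

```java
import java.util.ArrayList;
import java.util.List;

/**
 * Added illustration (not JDK code): why per-thread mutable state in a
 * shared trust manager is unsafe once several connections are multiplexed
 * on one thread, and how passing the per-handshake status into validate()
 * avoids it. All names below are hypothetical simplifications.
 */
public class StaplingStateDemo {

    /** Stands in for the stapled OCSP response(s) carried by one handshake. */
    static final class StapledStatus {
        final String forHost;
        final String payload;
        StapledStatus(String forHost, String payload) {
            this.forHost = forHost;
            this.payload = payload;
        }
    }

    /** Hypothetical validator that parks handshake state in a ThreadLocal. */
    static final class ThreadLocalValidator {
        private final ThreadLocal<StapledStatus> pending = new ThreadLocal<>();

        void setStatus(StapledStatus s) { pending.set(s); }

        String validate(String host) {
            StapledStatus s = pending.get();
            pending.remove();
            if (s == null) return host + ": no stapled status";
            // The slot is per thread, not per connection, so this status may
            // have been set by a different handshake on the same thread.
            return host + ": validated with status for " + s.forHost;
        }
    }

    /** Immutable validator: the per-handshake status is a parameter. */
    static final class ImmutableValidator {
        String validate(String host, StapledStatus s) {
            if (s == null) return host + ": no stapled status";
            return host + ": validated with status for " + s.forHost;
        }
    }

    /** Simulates an AIO event loop interleaving two handshakes on one thread. */
    static List<String> runThreadLocal() {
        ThreadLocalValidator v = new ThreadLocalValidator();
        List<String> out = new ArrayList<>();
        // Connection A: its CertificateStatus message arrives, status recorded.
        v.setStatus(new StapledStatus("a.example", "ocsp-A"));
        // Before A reaches certificate validation, connection B's status
        // arrives on the same event-loop thread and overwrites the slot.
        v.setStatus(new StapledStatus("b.example", "ocsp-B"));
        out.add(v.validate("a.example")); // A is validated with B's status
        out.add(v.validate("b.example")); // B finds the slot already cleared
        return out;
    }

    /** Same interleaving, but each handshake carries its own status. */
    static List<String> runImmutable() {
        ImmutableValidator v = new ImmutableValidator();
        StapledStatus a = new StapledStatus("a.example", "ocsp-A");
        StapledStatus b = new StapledStatus("b.example", "ocsp-B");
        List<String> out = new ArrayList<>();
        out.add(v.validate("a.example", a));
        out.add(v.validate("b.example", b));
        return out;
    }

    public static void main(String[] args) {
        System.out.println("ThreadLocal state, two handshakes on one thread:");
        for (String line : runThreadLocal()) System.out.println("  " + line);
        System.out.println("Status passed as a validate() parameter:");
        for (String line : runImmutable()) System.out.println("  " + line);
    }
}
```

The same reasoning applies to any per-connection input to validation (stapled responses, SNI, the negotiated protocol): if it is not an argument of the call that consumes it, some scheduler will eventually deliver it to the wrong caller.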