RFR 8132943: ServerHandshaker may select non-empty OCSPStatusRequest structures when Responder ID selection is not supported

Jamil Nimeh jamil.j.nimeh at oracle.com
Sat Aug 6 04:56:48 UTC 2016


Hello all,

This fixes an issue with OCSPStatusRequest selection by the server when 
doing OCSP stapling.  Since we currently do not support responder ID 
filtering, the server should not select an OCSPStatusRequest with 
responder IDs in it, else it could potentially return OCSP responses 
that the client has already stated it would not trust.  This fix takes 
care of that.  If the server cannot find an OCSPStatusRequest that is 
suitable (in this case, one that has an empty responder ID list) it will 
not do stapling for that handshake.

Bug: https://bugs.openjdk.java.net/browse/JDK-8132943
Webrev: http://cr.openjdk.java.net/~jnimeh/reviews/8132943/webrev.01

Thanks,
--Jamil
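The selection rule described above, applied to a parsed status_request_v2 extension (RFC 6961), as an added illustration that is not code from the webrev or the JDK: `responder_id_filtering` is a hypothetical flag standing in for the responder ID support the message says is absent, and the sample bytes and the responder ID in them are constructed.

```python
from typing import List, Optional, Tuple

OCSP, OCSP_MULTI = 1, 2  # CertificateStatusType values (RFC 6066 / RFC 6961)
StatusReq = Tuple[int, List[bytes], bytes]  # (status_type, responder_ids, request_extensions)

def _u16(buf: bytes, pos: int) -> Tuple[int, int]:
    if pos + 2 > len(buf):
        raise ValueError("truncated status_request_v2 data")
    return (buf[pos] << 8) | buf[pos + 1], pos + 2

def parse_status_request_v2(data: bytes) -> List[StatusReq]:
    """Parse CertificateStatusRequestListV2 (RFC 6961 sec. 2.2), checking every length."""
    list_len, pos = _u16(data, 0)
    if pos + list_len != len(data):
        raise ValueError("list length does not match extension length")
    items = []
    while pos < len(data):
        status_type, pos = data[pos], pos + 1
        req_len, pos = _u16(data, pos)
        req_end = pos + req_len
        rid_len, pos = _u16(data, pos)
        rid_end, rids = pos + rid_len, []
        if req_end > len(data) or rid_end > req_end:
            raise ValueError("nested length exceeds enclosing structure")
        while pos < rid_end:                      # ResponderID responder_id_list<0..2^16-1>
            n, pos = _u16(data, pos)
            rids.append(data[pos:pos + n])
            pos += n
        if pos != rid_end:
            raise ValueError("ResponderID overruns responder_id_list")
        ext_len, pos = _u16(data, pos)            # Extensions request_extensions<0..2^16-1>
        exts, pos = data[pos:pos + ext_len], pos + ext_len
        if pos != req_end:
            raise ValueError("inner lengths disagree with request_length")
        items.append((status_type, rids, exts))
    return items

def select_status_request(items: List[StatusReq],
                          responder_id_filtering: bool = False) -> Optional[StatusReq]:
    """Server-side rule from the RFR: take the first request the server can honour.
    Without responder ID filtering (hypothetical flag), a request naming responder IDs
    is skipped, since the client said it would not trust other responders; None = no stapling."""
    for item in items:
        status_type, rids, _ = item
        if status_type in (OCSP, OCSP_MULTI) and (not rids or responder_id_filtering):
            return item
    return None

# Constructed extension_data (not captured traffic): an ocsp_multi item pinning a placeholder
# ResponderID, followed by a plain ocsp item whose responder_id_list is empty.
SAMPLE = bytes.fromhex("0015" "02 000b 0007 0005 3003020101 0000" "01 0004 0000 0000")
```

With the sample input the server skips the ocsp_multi item and staples against the plain ocsp item; with no suitable item the function returns None and the handshake proceeds without stapling.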