[Update] RFR 8132943: ServerHandshaker may select non-empty OCSPStatusRequest structures when Responder ID selection is not supported
Jamil Nimeh
jamil.j.nimeh at oracle.com
Mon Aug 8 21:50:52 UTC 2016
Hello all, this update removes an unnecessary change in
test/javax/net/ssl, adds in some additional logging, and an early exit
condition from the loop if an acceptable status_request_v2 item is found
(favoring OCSP_MULTI over OCSP). Also an additional test case that
exercises this exit condition was added.
Webrev: http://cr.openjdk.java.net/~jnimeh/reviews/8132943/webrev.02
Thanks,
--Jamil
On 08/05/2016 09:56 PM, Jamil Nimeh wrote:
> Hello all,
>
> This fixes an issue with OCSPStatusRequest selection by the server
> when doing OCSP stapling. Since we currently do not support responder
> ID filtering, the server should not select an OCSPStatusRequest with
> responder IDs in it, else it could potentially return OCSP responses
> that the client has already stated it would not trust. This fix takes
> care of that. If the server cannot find an OCSPStatusRequest that is
> suitable (in this case, one that has an empty responder ID list) it
> will not do stapling for that handshake.
>
> Bug: https://bugs.openjdk.java.net/browse/JDK-8132943
> Webrev: http://cr.openjdk.java.net/~jnimeh/reviews/8132943/webrev.01
>
> Thanks,
> --Jamil
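The selection rule the two messages describe (skip any OCSPStatusRequest that carries responder IDs because responder ID filtering is unsupported, prefer an acceptable ocsp_multi item from status_request_v2 over an ocsp item and leave the loop as soon as one is found, fall back to the legacy status_request extension, and staple nothing when no item is acceptable) as an added, self-contained Java example. This is illustrative code written for this page, not the JDK's ServerHandshaker or its OCSPStatusRequest classes; the `StatusRequestSelector` and `StatusRequest` names, the `select` method and the constructed responder ID bytes are all assumptions, while the status type values 1 (ocsp) and 2 (ocsp_multi) are the CertificateStatusType codes from RFC 6066 and RFC 6961.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Hypothetical model of the server-side status request selection discussed in
 * JDK-8132943. Example code for this page, not the JDK's own implementation.
 */
public final class StatusRequestSelector {

    /** CertificateStatusType values from RFC 6066 (ocsp) and RFC 6961 (ocsp_multi). */
    public static final int OCSP = 1;
    public static final int OCSP_MULTI = 2;

    /** One client-offered status request item (constructed model, not the JDK class). */
    public static final class StatusRequest {
        final int statusType;
        final List<byte[]> responderIds;

        StatusRequest(int statusType, List<byte[]> responderIds) {
            this.statusType = statusType;
            this.responderIds = responderIds;
        }

        /** Responder ID filtering is unsupported, so only an empty list is acceptable. */
        boolean isAcceptable() {
            return responderIds.isEmpty();
        }

        @Override
        public String toString() {
            return (statusType == OCSP_MULTI ? "ocsp_multi" : "ocsp")
                    + " (responder IDs: " + responderIds.size() + ")";
        }
    }

    /**
     * Pick the request the server will staple for: an acceptable ocsp_multi item
     * from status_request_v2 wins immediately, an acceptable ocsp item is kept as
     * a candidate while the loop continues, and the legacy status_request
     * extension is the last resort. Returns null when nothing is acceptable,
     * which means no stapling for this handshake.
     */
    public static StatusRequest select(List<StatusRequest> statusRequestV2,
                                       StatusRequest statusRequest) {
        StatusRequest chosen = null;
        if (statusRequestV2 != null) {
            for (StatusRequest item : statusRequestV2) {
                if (!item.isAcceptable()) {
                    // Honouring this item could return a response the client said it would not trust.
                    System.out.println("Skipping " + item + ": responder ID filtering unsupported");
                    continue;
                }
                if (item.statusType == OCSP_MULTI) {
                    chosen = item;
                    break;            // early exit: the preferred type has been found
                }
                if (item.statusType == OCSP && chosen == null) {
                    chosen = item;    // remember it, but keep looking for an ocsp_multi item
                }
            }
        }
        if (chosen == null && statusRequest != null && statusRequest.isAcceptable()) {
            chosen = statusRequest;
        }
        return chosen;
    }

    public static void main(String[] args) {
        byte[] fakeResponderId = {0x30, 0x0a};   // constructed placeholder, not a real DER ResponderID

        // Constructed client hello contents: a filtered ocsp_multi, a plain ocsp, a plain ocsp_multi.
        List<StatusRequest> v2 = new ArrayList<>();
        v2.add(new StatusRequest(OCSP_MULTI, Collections.singletonList(fakeResponderId)));
        v2.add(new StatusRequest(OCSP, Collections.<byte[]>emptyList()));
        v2.add(new StatusRequest(OCSP_MULTI, Collections.<byte[]>emptyList()));
        StatusRequest legacy = new StatusRequest(OCSP, Collections.<byte[]>emptyList());

        System.out.println("Selected: " + select(v2, legacy));

        // Every offered item carries responder IDs: the server must decline to staple.
        List<StatusRequest> onlyFiltered = Collections.singletonList(
                new StatusRequest(OCSP, Collections.singletonList(fakeResponderId)));
        System.out.println("Selected: " + select(onlyFiltered, null));
    }
}
```

The first call selects the third item (the empty-responder-ID ocsp_multi) even though an acceptable ocsp item appeared earlier, and the second call returns null, which is the "do not staple" outcome the original message describes for a handshake with no suitable request.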