[Update] RFR 8132943: ServerHandshaker may select non-empty OCSPStatusRequest structures when Responder ID selection is not supported
Xuelei Fan
xuelei.fan at oracle.com
Tue Aug 9 23:29:09 UTC 2016
Looks fine to me.
Thanks,
Xuelei
On 8/9/2016 5:50 AM, Jamil Nimeh wrote:
> Hello all, this update removes an unnecessary change in
> test/javax/net/ssl, adds in some additional logging, and an early exit
> condition from the loop if an acceptable status_request_v2 item is found
> (favoring OCSP_MULTI over OCSP). Also an additional test case that
> exercises this exit condition was added.
>
> Webrev: http://cr.openjdk.java.net/~jnimeh/reviews/8132943/webrev.02
>
> Thanks,
>
> --Jamil
>
>
> On 08/05/2016 09:56 PM, Jamil Nimeh wrote:
>> Hello all,
>>
>> This fixes an issue with OCSPStatusRequest selection by the server
>> when doing OCSP stapling. Since we currently do not support responder
>> ID filtering, the server should not select an OCSPStatusRequest with
>> responder IDs in it, else it could potentially return OCSP responses
>> that the client has already stated it would not trust. This fix takes
>> care of that. If the server cannot find an OCSPStatusRequest that is
>> suitable (in this case, one that has an empty responder ID list) it
>> will not do stapling for that handshake.
>>
>> Bug: https://bugs.openjdk.java.net/browse/JDK-8132943
>> Webrev: http://cr.openjdk.java.net/~jnimeh/reviews/8132943/webrev.01
>>
>> Thanks,
>> --Jamil
>
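The selection rule described in the quoted messages (skip any status request that carries responder IDs, prefer OCSP_MULTI over OCSP, exit the loop early once an OCSP_MULTI item is acceptable, and staple nothing when no item qualifies) is sketched below as an added example. It is not code from the webrev or from the JDK; the types `StatusType`, `StatusRequestItem` and `StatusRequestSelector` are simplified stand-ins for the real ServerHandshaker structures, and the sample input is constructed.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Hypothetical model of the client's status_request / status_request_v2
// items; not the JDK's internal sun.security.ssl classes.
enum StatusType { OCSP, OCSP_MULTI }

final class StatusRequestItem {
    final StatusType type;
    final List<byte[]> responderIds;   // DER-encoded ResponderID entries sent by the client

    StatusRequestItem(StatusType type, List<byte[]> responderIds) {
        this.type = type;
        this.responderIds = responderIds;
    }

    @Override
    public String toString() {
        return type + "(responderIds=" + responderIds.size() + ")";
    }
}

final class StatusRequestSelector {

    /**
     * Returns the item the server may staple for, or null when stapling
     * must be skipped for this handshake. Items with a non-empty responder
     * ID list are never chosen: without responder ID filtering the server
     * could otherwise staple a response the client has said it will not trust.
     */
    static StatusRequestItem select(List<StatusRequestItem> requested) {
        StatusRequestItem fallback = null;
        for (StatusRequestItem item : requested) {
            if (!item.responderIds.isEmpty()) {
                // Responder ID selection is unsupported: skip this item.
                continue;
            }
            if (item.type == StatusType.OCSP_MULTI) {
                // Best acceptable option found; no need to scan further.
                return item;
            }
            if (fallback == null) {
                // Plain OCSP is acceptable, but keep looking for OCSP_MULTI.
                fallback = item;
            }
        }
        return fallback;   // may be null: no stapling for this handshake
    }

    public static void main(String[] args) {
        byte[] someResponderId = new byte[] {0x30, 0x03, 0x02, 0x01, 0x01}; // constructed DER bytes

        // Constructed client request list: the first two items carry responder IDs,
        // the third is plain OCSP, the fourth is OCSP_MULTI with no responder IDs.
        List<StatusRequestItem> requested = new ArrayList<>();
        requested.add(new StatusRequestItem(StatusType.OCSP_MULTI,
                Collections.singletonList(someResponderId)));
        requested.add(new StatusRequestItem(StatusType.OCSP,
                Collections.singletonList(someResponderId)));
        requested.add(new StatusRequestItem(StatusType.OCSP, Collections.emptyList()));
        requested.add(new StatusRequestItem(StatusType.OCSP_MULTI, Collections.emptyList()));

        System.out.println("selected: " + select(requested));      // OCSP_MULTI(responderIds=0)

        // Every item carries responder IDs: the server must not staple at all.
        List<StatusRequestItem> onlyFiltered = requested.subList(0, 2);
        System.out.println("selected: " + select(onlyFiltered));   // null
    }
}
```

The loop keeps a plain OCSP item only as a fallback so that an OCSP_MULTI item appearing later in the client's list still wins, which matches the preference order in the update; a null result is the signal to the handshaker to omit the CertificateStatus message rather than guess.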