RFR [13] JDK-4919790 : Errors in alert ssl message does not reflect the actual certificate status

Xuelei Fan xuelei.fan at oracle.com
Mon Feb 11 19:32:29 UTC 2019


Hi,

Could I get the update reviewed?
    http://cr.openjdk.java.net/~xuelei/4919790/webrev.00/

It had been a while that the SunJSSE provider use certificate_unknown or 
certificate_revoked (or bad_certificate_status_response for OCSP 
stapling) as the certificate issues alert.  Other certificate alert like 
certificate_expired are not used.

The bug was reported in JDK 6.  With the introducing of 
CertPathValidatorException.BasicReason in JDK 7. Now we can handle the 
alert more accuracy.

Note: please don't rely on the certificate alert type for application 
development.  The alert type may be changed and different per the 
provider preference.

No new regression test as the update is simple and straightforward.

Thanks,
Xuelei


More information about the security-dev mailing list