RFR [13] JDK-4919790 : Errors in alert ssl message does not reflect the actual certificate status
Xuelei Fan
xuelei.fan at oracle.com
Mon Feb 11 19:32:29 UTC 2019
Hi,

Could I get the update reviewed?
http://cr.openjdk.java.net/~xuelei/4919790/webrev.00/

For a while, the SunJSSE provider has used certificate_unknown or
certificate_revoked (or bad_certificate_status_response for OCSP
stapling) as the alert for certificate issues. Other certificate alerts,
like certificate_expired, are not used.

The bug was reported in JDK 6. With the introduction of
CertPathValidatorException.BasicReason in JDK 7, we can now handle the
alert more accurately.

Note: please don't rely on the certificate alert type for application
development. The alert type may change and may differ according to
provider preference.

There is no new regression test, as the update is simple and
straightforward.

Thanks,
Xuelei
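
The idea described in the message above, as an added illustration that is not part of the original message and not the code in the webrev: walk the cause chain of a validation failure, read the CertPathValidatorException reason, and pick a more specific TLS alert. The class `CertAlertMapping`, the helper `alertFor`, the `staplingActive` flag and the reason-to-alert choices are assumptions made for the example; the alert codes are those of RFC 5246 and RFC 6066.

```java
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertPathValidatorException.BasicReason;
import java.security.cert.CertPathValidatorException.Reason;
import java.security.cert.CertificateException;

public class CertAlertMapping {
    // TLS alert descriptions with their wire codes (RFC 5246, RFC 6066).
    enum Alert {
        BAD_CERTIFICATE(42), UNSUPPORTED_CERTIFICATE(43), CERTIFICATE_REVOKED(44),
        CERTIFICATE_EXPIRED(45), CERTIFICATE_UNKNOWN(46),
        BAD_CERTIFICATE_STATUS_RESPONSE(113);
        final int code;
        Alert(int code) { this.code = code; }
    }

    // Hypothetical helper: the mapping below is illustrative, not the provider's.
    static Alert alertFor(Throwable failure, boolean staplingActive) {
        for (Throwable t = failure; t != null; t = t.getCause()) {
            if (!(t instanceof CertPathValidatorException)) {
                continue;
            }
            Reason r = ((CertPathValidatorException) t).getReason();
            if (r == BasicReason.REVOKED) {
                return staplingActive ? Alert.BAD_CERTIFICATE_STATUS_RESPONSE
                                      : Alert.CERTIFICATE_REVOKED;
            } else if (r == BasicReason.EXPIRED) {
                return Alert.CERTIFICATE_EXPIRED;
            } else if (r == BasicReason.ALGORITHM_CONSTRAINED) {
                return Alert.UNSUPPORTED_CERTIFICATE;
            } else if (r == BasicReason.INVALID_SIGNATURE
                    || r == BasicReason.NOT_YET_VALID) {
                return Alert.BAD_CERTIFICATE;
            }
            break; // UNSPECIFIED, UNDETERMINED_REVOCATION_STATUS, non-basic reasons
        }
        // Fallback when no specific reason is available.
        return Alert.CERTIFICATE_UNKNOWN;
    }

    public static void main(String[] args) {
        // Constructed sample failures; no real certificates are involved.
        for (BasicReason reason : BasicReason.values()) {
            CertPathValidatorException cpve = new CertPathValidatorException(
                    "constructed failure", null, null, -1, reason);
            CertificateException wrapped = new CertificateException(cpve);
            Alert alert = alertFor(wrapped, false);
            System.out.println(reason + " -> " + alert + " (" + alert.code + ")");
        }
    }
}
```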