RFR [13] JDK-4919790 : Errors in alert ssl message does not reflect the actual certificate status
Sean Mullan
sean.mullan at oracle.com
Thu Feb 14 18:24:09 UTC 2019
On 2/11/19 2:32 PM, Xuelei Fan wrote:
> Hi,
>
> Could I get the update reviewed?
> http://cr.openjdk.java.net/~xuelei/4919790/webrev.00/
721 alert = Alert.UNSUPPORTED_CERTIFCATE;
Can we fix this typo while we are cleaning this up?
s/CERTIFCATE/CERTIFICATE/
Also, I was a bit curious about these lines (not part of your fix):
711 if (reason == BasicReason.REVOKED) {
712 alert = chc.staplingActive ?
713 Alert.BAD_CERT_STATUS_RESPONSE :
714 Alert.CERTIFICATE_REVOKED;
If a certificate is revoked, why would you set the alert status to
BAD_CERT_STATUS_RESPONSE if stapling is enabled?
Also, bug needs a noreg label.
--Sean
> It had been a while that the SunJSSE provider use certificate_unknown or
> certificate_revoked (or bad_certificate_status_response for OCSP
> stapling) as the certificate issues alert. Other certificate alert like
> certificate_expired are not used.
>
> The bug was reported in JDK 6. With the introducing of
> CertPathValidatorException.BasicReason in JDK 7. Now we can handle the
> alert more accuracy.
>
> Note: please don't rely on the certificate alert type for application
> development. The alert type may be changed and different per the
> provider preference.
>
> No new regression test as the update is simple and straightforward.
>
> Thanks,
> Xuelei
More information about the security-dev
mailing list