RFR [13] JDK-4919790 : Errors in alert ssl message does not reflect the actual certificate status
Xuelei Fan
xuelei.fan at oracle.com
Thu Feb 14 19:38:34 UTC 2019
On 2/14/2019 10:24 AM, Sean Mullan wrote:
> On 2/11/19 2:32 PM, Xuelei Fan wrote:
>> Hi,
>>
>> Could I get the update reviewed?
>> http://cr.openjdk.java.net/~xuelei/4919790/webrev.00/
>
> 721 alert = Alert.UNSUPPORTED_CERTIFCATE;
>
> Can we fix this typo while we are cleaning this up?
> s/CERTIFCATE/CERTIFICATE/
>
Good catch! Here is the updated webrev:
http://cr.openjdk.java.net/~xuelei/4919790/webrev.01/
> Also, I was a bit curious about these lines (not part of your fix):
>
> 711 if (reason == BasicReason.REVOKED) {
> 712 alert = chc.staplingActive ?
> 713 Alert.BAD_CERT_STATUS_RESPONSE :
> 714 Alert.CERTIFICATE_REVOKED;
>
> If a certificate is revoked, why would you set the alert status to
> BAD_CERT_STATUS_RESPONSE if stapling is enabled?
>
See Jamil's reply. The spec is a little bit wired to me although.
Note that the new added items are not controlled by OCSP stapling, so we
can use the original reason.
> Also, bug needs a noreg label.
>
Added.
Thanks,
Xuelei
> --Sean
>
>> It had been a while that the SunJSSE provider use certificate_unknown
>> or certificate_revoked (or bad_certificate_status_response for OCSP
>> stapling) as the certificate issues alert. Other certificate alert
>> like certificate_expired are not used.
>>
>> The bug was reported in JDK 6. With the introducing of
>> CertPathValidatorException.BasicReason in JDK 7. Now we can handle the
>> alert more accuracy.
>>
>> Note: please don't rely on the certificate alert type for application
>> development. The alert type may be changed and different per the
>> provider preference.
>>
>> No new regression test as the update is simple and straightforward.
>>
>> Thanks,
>> Xuelei
More information about the security-dev
mailing list