RFR: 8179503: Java should support GET OCSP calls [v2]

Jamil Nimeh jnimeh at openjdk.java.net
Thu Dec 31 05:24:06 UTC 2020


On Thu, 31 Dec 2020 04:58:50 GMT, Xue-Lei Andrew Fan <xuelei at openjdk.org> wrote:

>> Jamil Nimeh has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains four additional commits since the last revision:
>> 
>>  - Merge
>>  - Change IO to use readExactlyNBytes method
>>  - Merge
>>  - 8179503: Java should support GET OCSP calls
>
> src/java.base/share/classes/sun/security/provider/certpath/OCSP.java line 240:
> 
>> 238:                         encodeToString(bytes), "UTF-8");
>> 239: 
>> 240:         if (encodedGetReq.length() <= 255) {
> 
> If the request is less than 256, the GET method will be used.  RFC 6960 declares this as a "MAY" feature ("To enable HTTP caching, small requests ... MAY be submitted using GET").  Although RFC 5019 declares it as a "MUST" feature ("When sending requests that are less than or equal to 255 bytes ... clients MUST use the GET method"), RFC 5019 was released before RFC 6960.  I'm not very sure if there are interop issues where a server may not accept the "GET" method for some reason.  I don't worry about it too much, but just want to be sure you have considered the cases.

I've tried the GET code with various public OCSP responders as well as a few things like OpenSSL's ocsp command (1.1.1d) and Dogtag 10.  There is the potential for some compatibility issues, but I think it's pretty small.  For instance, the ocsp command in OpenSSL 1.0.2 and earlier, running in daemon mode, does not accept GET requests at all.  But with 1.1.0 and onward, GET is fully supported.  I don't think that specifically would be an issue in any large-scale deployment - I doubt those large-scale implementations use something like openssl ocsp.  There are some clients, like the OCSP stapling subsystem in Nginx, that will use GETs for small requests too, so I would hope that server-side support is pretty widespread by now (HTTP GET was even in RFC 2560).

-------------

PR: https://git.openjdk.java.net/jdk/pull/1760
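The GET-versus-POST decision discussed above, as an added example that is not part of the JDK patch or this thread: it encodes a minimal OCSPRequest, then applies the same 255-byte rule as the `encodedGetReq.length() <= 255` check, producing the RFC 6960 Appendix A.1 GET URL or falling back to POST. It is written in Python rather than the patch's Java; the issuer hashes, serial number and responder URL are constructed placeholders, and the trailing-slash handling is this example's own choice.

```python
import base64
from urllib.parse import quote

# RFC 5019 s.2.1.1 makes GET a MUST at or below this size; RFC 6960 App. A.1 only says MAY.
MAX_GET_LEN = 255

def der(tag: int, *parts: bytes) -> bytes:
    """Minimal DER TLV writer, definite lengths up to 65535 bytes."""
    body = b"".join(parts)
    n = len(body)
    if n < 0x80:
        hdr = bytes([tag, n])
    elif n < 0x100:
        hdr = bytes([tag, 0x81, n])
    else:
        hdr = bytes([tag, 0x82, n >> 8, n & 0xFF])
    return hdr + body

def der_int(v: int) -> bytes:
    """DER INTEGER for a non-negative serial (minimal length, sign bit clear)."""
    return der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def ocsp_request(cert_ids) -> bytes:
    """OCSPRequest (RFC 6960 s.4.1.1) with no requestorName or extensions:
    OCSPRequest ::= SEQUENCE { tbsRequest TBSRequest }
    TBSRequest  ::= SEQUENCE { requestList SEQUENCE OF Request }  -- version v1 DEFAULT, omitted
    Request     ::= SEQUENCE { reqCert CertID }
    CertID      ::= SEQUENCE { hashAlgorithm, issuerNameHash OCTET STRING,
                               issuerKeyHash OCTET STRING, serialNumber INTEGER }
    cert_ids: list of (issuer_name_hash, issuer_key_hash, serial); hashes are SHA-1 already."""
    sha1 = der(0x30, der(0x06, bytes.fromhex("2b0e03021a")), der(0x05))  # id-sha1, NULL params
    requests = [der(0x30, der(0x30, sha1, der(0x04, nh), der(0x04, kh), der_int(sn)))
                for nh, kh, sn in cert_ids]
    return der(0x30, der(0x30, der(0x30, *requests)))

def http_request(responder_url: str, der_req: bytes):
    """Same decision as the patch under review: RFC 6960 App. A.1 GET form
    ({url}/{url-encoded base64 of the DER}) when the encoded request is at most
    255 bytes, else POST with the raw DER as an application/ocsp-request body.
    Returns (method, url, content_type, body)."""
    encoded = quote(base64.b64encode(der_req).decode("ascii"), safe="")  # escapes + / = too
    if len(encoded) <= MAX_GET_LEN:
        return ("GET", responder_url.rstrip("/") + "/" + encoded, None, None)
    return ("POST", responder_url, "application/ocsp-request", der_req)

if __name__ == "__main__":
    # Constructed placeholder hashes and responder URL, not taken from any real CA.
    one = [(b"\x11" * 20, b"\x22" * 20, 0x1234)]
    print(http_request("http://ocsp.example.test", ocsp_request(one))[:2])     # one cert: GET
    print(http_request("http://ocsp.example.test", ocsp_request(one * 3))[0])  # three: POST
```

A single-certificate request is 69 DER bytes (92 base64 characters) and always takes the GET path; three CertIDs push the DER to 198 bytes, whose base64 alone exceeds 255, so the request goes by POST regardless of URL encoding.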