RFR: 8270280: security/infra/java/security/cert/CertPathValidator/certification/LetsEncryptCA.java OCSP response error
Rajan Halade
rhalade at openjdk.java.net
Fri Jul 23 14:48:04 UTC 2021
On Fri, 23 Jul 2021 13:18:16 GMT, Sean Mullan <mullan at openjdk.org> wrote:
> Have you thought about using a cached OCSPResponse to avoid the expiration issues? You would not be testing a live OCSP network request/response, but it might be an acceptable workaround for cases like this.
For OCSP, it is possible to do a backdated query and we do this when needed. The problem is that some OCSP servers return an UNAUTHORIZED error code after certificate expiry. We also need to update these certificates after expiry for the CRL check.
-------------
PR: https://git.openjdk.java.net/jdk/pull/4877