RFR: 8270280: security/infra/java/security/cert/CertPathValidator/certification/LetsEncryptCA.java OCSP response error

Rajan Halade rhalade at openjdk.java.net
Fri Jul 23 14:48:04 UTC 2021


On Fri, 23 Jul 2021 13:18:16 GMT, Sean Mullan <mullan at openjdk.org> wrote:

> Have you thought about using a cached OCSPResponse to avoid the expiration issues? You would not be testing a live OCSP network request/response, but it might be an acceptable workaround for cases like this.

For OCSP, it is possible to do a backdated query, and we do this when needed. The problem is that some OCSP servers return the UNAUTHORIZED error code after certificate expiry. We also need to update these certificates after expiry for the CRL check.

-------------

PR: https://git.openjdk.java.net/jdk/pull/4877


