RFR: 8296343: CPVE thrown on missing content-length in OCSP response
Jamil Nimeh
jnimeh at openjdk.org
Tue Jan 10 18:34:54 UTC 2023
On Tue, 10 Jan 2023 18:26:50 GMT, Xue-Lei Andrew Fan <xuelei at openjdk.org> wrote:
>> Well, in the case of a 404 what appears to happen is that HttpURLConnection would throw a FileNotFoundException. That ultimately would result in a CPVE if there were no other sources of revocation information (e.g. CRL) for that certificate.
>
> It may be more effective/accurate to stop reading OCSP response bytes if the response code is not OK.
Logging the error code and returning with no read, and not throwing an exception, would I believe still work, since the revocation information would be missing. I'm wondering, though, if this needs to be a separate issue, given that we're talking about a different use case, and one that involves the behavior of HttpURLConnection when dealing with different response codes. I'll also check to see if there are existing tests that make CPV checks against URIs that have non-200 response codes.
-------------
PR: https://git.openjdk.org/jdk/pull/11917
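The two points raised in this exchange, not reading OCSP response bytes when the HTTP status is not 200 and not relying on a Content-Length header to size the read, as an added illustration that is not the JDK's OCSP code and not part of the PR. The class name, the logger, the 64 KiB size cap and the null-return convention (caller treats null as "no revocation information available from this responder") are assumptions made for the example; the HttpURLConnection and InputStream calls are standard java.net / java.io API.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URI;
import java.util.logging.Logger;

/**
 * Hypothetical OCSP fetch helper (example code, not the JDK implementation).
 * Shows the behaviour discussed in the thread: check the HTTP status before
 * touching the body, and read the body to EOF under a size cap rather than
 * trusting Content-Length, which a responder may omit.
 */
public final class OcspFetchExample {
    private static final Logger LOG = Logger.getLogger("OcspFetchExample");

    // Assumed upper bound for a DER-encoded OCSP response; constructed for this example.
    private static final int MAX_RESPONSE_BYTES = 64 * 1024;

    /**
     * POSTs a DER-encoded OCSP request to the responder.
     *
     * @return the raw response bytes, or null if the responder did not answer
     *         with 200 OK (the caller then falls back to other revocation
     *         sources, e.g. a CRL, instead of failing path validation outright).
     */
    public static byte[] fetch(URI responder, byte[] derRequest) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) responder.toURL().openConnection();
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "application/ocsp-request");
        conn.setRequestProperty("Accept", "application/ocsp-response");
        conn.setConnectTimeout(5_000); // assumed timeouts, constructed for this example
        conn.setReadTimeout(5_000);
        try {
            try (OutputStream out = conn.getOutputStream()) {
                out.write(derRequest);
            }

            // getResponseCode() parses the status line without surfacing the
            // FileNotFoundException that getInputStream() raises on 404, so the
            // status can be inspected before any body bytes are read.
            int status = conn.getResponseCode();
            if (status != HttpURLConnection.HTTP_OK) {
                LOG.warning("OCSP responder " + responder + " returned HTTP " + status
                        + "; not reading response body");
                return null;
            }

            // -1 when the header is absent; only used for a consistency warning,
            // never to size the read.
            long declared = conn.getContentLengthLong();

            try (InputStream in = conn.getInputStream()) {
                // Read until EOF or the cap; reading one extra byte detects overrun.
                byte[] body = in.readNBytes(MAX_RESPONSE_BYTES + 1);
                if (body.length > MAX_RESPONSE_BYTES) {
                    throw new IOException("OCSP response from " + responder
                            + " exceeds " + MAX_RESPONSE_BYTES + " bytes");
                }
                if (declared >= 0 && declared != body.length) {
                    LOG.warning("OCSP response length " + body.length
                            + " does not match Content-Length " + declared);
                }
                return body;
            }
        } finally {
            conn.disconnect();
        }
    }

    private OcspFetchExample() {
    }
}
```

The caller decides what a null return means for path validation; mapping it to "no revocation information from this responder" keeps a misbehaving or unavailable responder from turning directly into a CertPathValidatorException when another revocation source is configured.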