RFR: 8296343: CPVE thrown on missing content-length in OCSP response
Jamil Nimeh
jnimeh at openjdk.org
Tue Jan 10 18:45:53 UTC 2023
On Tue, 10 Jan 2023 18:32:08 GMT, Jamil Nimeh <jnimeh at openjdk.org> wrote:
>> It may be more effective/accurate to stop reading OCSP response bytes if the response code is not OK.
>
> Logging the error code and returning with no read and not throwing an exception I believe would still work since the revocation information would be missing. I'm wondering though if this needs to be a separate issue given that we're talking about a different use case, and one that involves the behavior of HttpURLConnection when dealing with different response codes. I'll also check to see if there are existing tests that make CPV checks against URIs that have non-200 response codes.
Hmmm, I was not quite correct about the HttpURLConnection behavior - it's not the 404 that's causing the issue directly, it is indeed the getContentLength when the 404 happens. So forget a separate issue, I will deal with non-200 codes in this PR.
-------------
PR: https://git.openjdk.org/jdk/pull/11917
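
The handling discussed in this message, as an added example that is not code from the PR or the JDK: check the status code before touching the body, and read a body with no Content-Length up to a fixed cap. The class name, method name and the 64 KiB cap are assumptions made for illustration, and the inputs are passed in directly so the example runs offline.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;

public class OcspBodyReader {
    // Assumed cap for this example; not a value taken from the JDK.
    static final int MAX_RESPONSE_BYTES = 64 * 1024;

    /**
     * Returns the response body, or null when the responder did not answer 200,
     * so the caller can treat revocation information as missing.
     * contentLength is the value HttpURLConnection.getContentLength() reported
     * (-1 when the header is absent).
     */
    static byte[] readBody(int status, int contentLength, InputStream in) throws IOException {
        if (status != HttpURLConnection.HTTP_OK) {
            return null; // do not size or read the body of an error response
        }
        if (contentLength > MAX_RESPONSE_BYTES) {
            throw new IOException("OCSP response too large: " + contentLength);
        }
        // No Content-Length header: read to EOF, but never past the cap.
        int limit = (contentLength >= 0) ? contentLength : MAX_RESPONSE_BYTES;
        byte[] body = in.readNBytes(limit);
        if (contentLength >= 0 && body.length != contentLength) {
            throw new IOException("Truncated OCSP response");
        }
        if (contentLength < 0 && in.read() != -1) {
            throw new IOException("OCSP response exceeds " + MAX_RESPONSE_BYTES + " bytes");
        }
        return body;
    }

    public static void main(String[] args) throws IOException {
        byte[] sample = {0x30, 0x03, 0x0a, 0x01, 0x00}; // constructed sample bytes
        // 200 with no Content-Length: body is read to EOF.
        System.out.println(readBody(200, -1, new ByteArrayInputStream(sample)).length);
        // 200 with a declared length: body must match it exactly.
        System.out.println(readBody(200, 5, new ByteArrayInputStream(sample)).length);
        // 404: nothing is read and the caller gets null.
        System.out.println(readBody(404, -1, new ByteArrayInputStream(new byte[0])));
    }
}
```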