RFR: 8296343: CPVE thrown on missing content-length in OCSP response [v2]

Jamil Nimeh jnimeh at openjdk.org
Thu Jan 12 14:41:51 UTC 2023


> This fixes an issue where HTTP responses that do not have an explicit Content-Length are causing an EOFException which unravels into a CertPathValidatorException during validations that involve OCSP checks.
> 
> - JBS: https://bugs.openjdk.org/browse/JDK-8296343

Jamil Nimeh has updated the pull request incrementally with two additional commits since the last revision:

 - Throw exception directly from non 200 HTTP response codes
 - Moved SimpleOCSPServer to use CountdownLatch for ready state, updated tests

-------------

Changes:
  - all: https://git.openjdk.org/jdk/pull/11917/files
  - new: https://git.openjdk.org/jdk/pull/11917/files/16a60c85..36a0911c

Webrevs:
 - full: https://webrevs.openjdk.org/?repo=jdk&pr=11917&range=01
 - incr: https://webrevs.openjdk.org/?repo=jdk&pr=11917&range=00-01

  Stats: 151 lines in 9 files changed: 28 ins; 38 del; 85 mod
  Patch: https://git.openjdk.org/jdk/pull/11917.diff
  Fetch: git fetch https://git.openjdk.org/jdk pull/11917/head:pull/11917

PR: https://git.openjdk.org/jdk/pull/11917


