RFR: 8296343: CPVE thrown on missing content-length in OCSP response [v2]

Matthew Donovan duke at openjdk.org
Thu Jan 12 15:36:19 UTC 2023


On Thu, 12 Jan 2023 14:41:51 GMT, Jamil Nimeh <jnimeh at openjdk.org> wrote:

>> This fixes an issue where HTTP responses that do not have an explicit Content-Length are causing an EOFException which unravels into a CertPathValidatorException during validations that involve OCSP checks.
>> 
>> - JBS: https://bugs.openjdk.org/browse/JDK-8296343
>
> Jamil Nimeh has updated the pull request incrementally with two additional commits since the last revision:
> 
>  - Throw exception directly from non 200 HTTP response codes
>  - Moved SimpleOCSPServer to use CountdownLatch for ready state, updated tests

test/jdk/sun/security/provider/certpath/OCSP/OCSPNoContentLength.java line 154:

> 152: //        if (!rootOcsp.isServerReady()) {
> 153: //            throw new RuntimeException("Server not ready yet");
> 154: //        }

Lines 149-154 can be deleted

-------------

PR: https://git.openjdk.org/jdk/pull/11917


