RFR: 8328638: Fallback option for POST-only OCSP requests
Sean Mullan
mullan at openjdk.org
Thu Mar 21 20:28:19 UTC 2024
On Wed, 20 Mar 2024 19:48:52 GMT, Aleksey Shipilev <shade at openjdk.org> wrote:
> See the rationale/discussion in the bug. This patch introduces the option that allows restoring pre-[JDK-8179503](https://bugs.openjdk.org/browse/JDK-8179503) behavior. The default behavior does not change. Better suggestions for the flag name are welcome.
>
> Additional testing:
> - [x] `jdk_security` passes out of the box (includes new test config)
> - [x] `jdk_security` passes with flag override
> - [x] Eyeballing `GetPostTests` amended debugging output, `GET`-s are used by default for small requests, `POST`-s are used for everything with flag override
Ideally, we should also modify the tests in `test/jdk/security/infra/java/security/cert/CertPathValidator/certification` to test OCSP with POST. I think it should be easy enough to add an additional line to each test like:
` * @run main/othervm/timeout=180 -Djava.security.debug=certpath -Dcom.sun.security.ocsp.useget=false ActalisCA OCSP`
This means we would be testing real OCSP responders supported by CAs in the Java Root Program, and not just a test responder that we created.
@rhalade would this change be ok with you?
-------------
PR Comment: https://git.openjdk.org/jdk/pull/18408#issuecomment-2013663116
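The GET-versus-POST choice discussed in this thread, as an added sketch that is not JDK code and not part of the original message: it follows the HTTP transport in RFC 6960 Appendix A.1 and shows why a request that looks small can still fall back to POST. The responder URL, function names and sample request bytes are constructed, and measuring the 255-byte limit on the URL-encoded string is an assumption.

```python
import base64
from urllib.parse import quote, unquote

GET_LIMIT = 255  # RFC 6960 A.1: GET only when the encoded request is under 255 bytes


def build_ocsp_http_request(responder_url, der_request, use_get=True):
    """Return (method, url, headers, body) for one OCSP query.

    use_get=False models a POST-only client, the behaviour the thread's
    -Dcom.sun.security.ocsp.useget=false test line exercises.
    """
    if use_get:
        b64 = base64.b64encode(der_request).decode("ascii")
        # Base64 emits '+', '/' and '=', none of which may sit raw in a path
        # segment, so each becomes a 3-character percent escape.
        encoded = quote(b64, safe="")
        if len(encoded) < GET_LIMIT:  # assumption: limit measured after URL-encoding
            return "GET", responder_url.rstrip("/") + "/" + encoded, {}, b""
    headers = {"Content-Type": "application/ocsp-request",
               "Content-Length": str(len(der_request))}
    return "POST", responder_url, headers, der_request


def decode_get_request(url, responder_url):
    """Responder side: recover the DER bytes from a GET URL."""
    segment = url[len(responder_url.rstrip("/")) + 1:]
    return base64.b64decode(unquote(segment), validate=True)


RESPONDER = "http://ocsp.example.test"  # constructed placeholder
SAMPLES = {  # constructed byte strings standing in for DER OCSPRequests
    "small": b"\x00" * 80,
    "large": b"\x00" * 200,
    "escape-heavy": b"\xff" * 150,
}

if __name__ == "__main__":
    for name, der in SAMPLES.items():
        for use_get in (True, False):
            method, url, _, body = build_ocsp_http_request(RESPONDER, der, use_get)
            print(f"{name:13} use_get={use_get!s:5} -> {method:4} url_len={len(url)} body_len={len(body)}")
```

The "escape-heavy" sample is 200 characters in base64 but 600 once every `/` is percent-encoded, so it goes out as POST even with GET enabled.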