Details
- Bug
- Resolution: Fixed
- P3
- 8
- b108
- Verified
Description
PKIXRevocationChecker.Option.SOFT_FAIL currently says:
* Allow revocation check to succeed if the revocation status cannot be
* determined for one of the following reasons:
* <p><ul>
* <li>The CRL or OCSP response cannot be obtained because of a
* network error.
* <li>The OCSP responder returns one of the following errors
* specified in section 2.3 of RFC 2560: internalError, tryLater,
* or unauthorized.
The unauthorized status is an authoritative response from the responder; it is not due to a network error or to the server being unable to return a response because of an exception. An OCSP responder can return this status when it knows nothing about the certificate, or when the certificate has expired and the responder no longer maintains or returns revocation status for it. If the unauthorized status is returned because the certificate has expired, a fallback to CRLs may succeed because the certificate is not listed on the CRL. However, it is risky to depend on that, as revoked certificates may have been pruned from the CRL after they expired.
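As an added example (not code from the JDK or from this issue), the following shows how an application enables the revocation checker with or without SOFT_FAIL and then reads back the failures the soft-fail mode tolerated, so that an undetermined revocation status is logged and can be acted on rather than silently accepted. The CertPath and trust anchors are assumed to be supplied by the caller.

```java
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.PKIXRevocationChecker.Option;
import java.security.cert.TrustAnchor;
import java.util.EnumSet;
import java.util.List;
import java.util.Set;

public final class RevocationPolicyDemo {

    /**
     * Validates a chain with revocation checking. With softFail == false the
     * validator throws whenever revocation status cannot be established.
     * With softFail == true the conditions listed in the SOFT_FAIL javadoc are
     * tolerated, but each tolerated failure is still returned by
     * getSoftFailExceptions() so the caller can log it or reject the chain.
     * The chain and anchors are assumed to come from the caller.
     */
    public static List<CertPathValidatorException> validate(CertPath chain,
            Set<TrustAnchor> anchors, boolean softFail) throws Exception {
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker rc =
                (PKIXRevocationChecker) cpv.getRevocationChecker();

        EnumSet<Option> opts = EnumSet.noneOf(Option.class);
        if (softFail) {
            opts.add(Option.SOFT_FAIL);
        }
        rc.setOptions(opts);

        // Once a PKIXRevocationChecker is added it governs revocation checking.
        PKIXParameters params = new PKIXParameters(anchors);
        params.addCertPathChecker(rc);

        // Throws on a revoked certificate, or on any undetermined status when
        // SOFT_FAIL is not set.
        cpv.validate(chain, params);

        // A chain can validate under SOFT_FAIL without its status ever being
        // established; treat this list as a signal, not as a clean result.
        List<CertPathValidatorException> ignored = rc.getSoftFailExceptions();
        for (CertPathValidatorException e : ignored) {
            System.err.println("revocation status not determined: " + e);
        }
        return ignored;
    }
}
```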
Issue Links
- relates to JDK-8010748 Add PKIXRevocationChecker NO_FALLBACK option and improve SOFT_FAIL option (Closed)