Details

    • Sub-task
    • Resolution: Fixed
    • P3
    • 9
    • None
    • security-libs
    • None

    Description

      The basic approach to the client-side OCSP stapling implementation:

      OCSP stapling will be enabled by default and can be disabled by setting a system or security property. This may be done through a property such as jsse.statusRequest, similar to how the SNI extension is disabled. Disabling all OCSP checking through the ocsp.enable security property will also disable this feature.

      Clients will by default assert both the status_request and status_request_v2 extensions in the ClientHello handshake message. For the status_request_v2 extension, both ocsp and ocsp_multi types will be asserted.

      Creating the hello extensions will require new classes in sun.security.ssl, similar to how ServerNameIndicator, RenegotiationInfoExtension and the other extensions are built.

      To use the new extensions, the ClientHello class will have additional methods that add them. These methods will be called from ClientHandshaker.clientHello().

      A new handshake message class in HandshakeMessage.java will need to be created to handle encoding and parsing of the CertificateStatus message.
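      As an added example (not code from the JDK or from this issue), the following Java class produces the wire encoding of the two ClientHello extensions the description says the client will assert: status_request (RFC 6066, section 8) with the ocsp type, and status_request_v2 (RFC 6961) carrying both ocsp and ocsp_multi items. Class and method names are assumptions for illustration; both requests carry an empty responder_id_list and empty request_extensions, as a client with no responder preference would send.

```java
import java.io.ByteArrayOutputStream;

/** Added example: wire encoding of the status_request and status_request_v2 ClientHello extensions. */
public final class StatusRequestExtensions {
    static final int STATUS_REQUEST = 5, STATUS_REQUEST_V2 = 17; // extension_type values (IANA registry)
    static final int OCSP = 1, OCSP_MULTI = 2;                   // CertificateStatusType values
    private static void putInt16(ByteArrayOutputStream out, int v) {
        out.write((v >>> 8) & 0xFF);
        out.write(v & 0xFF);
    }
    /** OCSPStatusRequest with an empty responder_id_list and empty request_extensions (4 bytes). */
    private static void putEmptyOcspStatusRequest(ByteArrayOutputStream out) {
        putInt16(out, 0); // responder_id_list<0..2^16-1>, no entries
        putInt16(out, 0); // request_extensions<0..2^16-1>, no entries
    }
    /** Frames extension data as extension_type followed by extension_data<0..2^16-1>. */
    private static byte[] extension(int type, byte[] data) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        putInt16(out, type);
        putInt16(out, data.length);
        out.write(data, 0, data.length);
        return out.toByteArray();
    }
    /** status_request (RFC 6066 s.8): status_type = ocsp, then a single OCSPStatusRequest. */
    public static byte[] statusRequest() {
        ByteArrayOutputStream body = new ByteArrayOutputStream();
        body.write(OCSP);
        putEmptyOcspStatusRequest(body);
        return extension(STATUS_REQUEST, body.toByteArray());
    }
    /** status_request_v2 (RFC 6961): certificate_status_req_list with one item per status type. */
    public static byte[] statusRequestV2(int... statusTypes) {
        ByteArrayOutputStream list = new ByteArrayOutputStream();
        for (int st : statusTypes) {
            list.write(st);          // status_type of this CertificateStatusRequestItemV2
            putInt16(list, 4);       // request_length: the empty OCSPStatusRequest is 4 bytes
            putEmptyOcspStatusRequest(list);
        }
        ByteArrayOutputStream body = new ByteArrayOutputStream();
        putInt16(body, list.size()); // certificate_status_req_list<1..2^16-1> length prefix
        byte[] items = list.toByteArray();
        body.write(items, 0, items.length);
        return extension(STATUS_REQUEST_V2, body.toByteArray());
    }
}
```

      Calling statusRequest() and statusRequestV2(OCSP, OCSP_MULTI) yields the raw bytes that would be appended to the ClientHello extensions block; a server that supports the feature answers with the matching extension in its ServerHello and then sends the CertificateStatus message the description mentions.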

          People

            jnimeh Jamil Nimeh
