- Bug
- Resolution: Incomplete
- P4
- None
- 11.0.9
- Not verified
ADDITIONAL SYSTEM INFORMATION :
Linux CentOS, Java 11
A DESCRIPTION OF THE PROBLEM :
When the certificate contains two HTTP-based CDP URLs, one of them reachable and the other not reachable, RevocationChecker.checkOCSP() checks the first HTTP URL and, when it is not reachable, fails without checking the second URL.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
In the cert specifications:
Specify two HTTPS-based URLs for the CDP.
One of them is reachable.
The other is not reachable.
Generate a certificate.
In the Java code, enable the OCSP revocation check.
At runtime you will notice that the revocation checker fails when the first URL it uses is not reachable: java.security.cert.CertPathValidatorException: Certificate does not specify OCSP responder.
it does eve
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
RevocationChecker should check all the URLs that are listed in the certificate and use the one that is reachable for the OCSP check.
ACTUAL -
It fails with the first URL and does not check the other entries for the CRL.
2020-12-16 16:29:12,438 | ERROR | pool-12-thread-1 | | c.c.a.c.e.c.CloseableHttpClientUtils | IOException: |
java.security.cert.CertPathValidatorException: Certificate does not specify OCSP responder
at java.base/sun.security.provider.certpath.RevocationChecker.checkOCSP(RevocationChecker.java:737) ~[na:na]
at java.base/sun.security.provider.certpath.RevocationChecker.check(RevocationChecker.java:362) ~[na:na]
at java.base/sun.security.provider.certpath.RevocationChecker.check(RevocationChecker.java:336) ~[na:na]
at java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125) ~[na:na]
... 49 common frames omitted
CUSTOMER SUBMITTED WORKAROUND :
Specify only one URL and make sure it is reachable, i.e. connectivity exists.
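As an added example (not code from the bug report or the JDK), the validation step above written with the JDK's PKIXRevocationChecker, so that a definite "revoked" verdict is kept separate from a lookup failure such as the one in the trace. The class, the Verdict enum and the method name are this example's own; the chain is assumed to be leaf first with the trust anchor excluded.

```java
import java.security.GeneralSecurityException;
import java.security.cert.*;
import java.util.EnumSet;
import java.util.List;
import java.util.Set;

public final class RevocationCheckExample {

    /** Outcome the caller acts on; the enum and its names are this example's own. */
    public enum Verdict { GOOD, REVOKED, STATUS_UNDETERMINED, OTHER_FAILURE }

    // softFail: tolerate a network failure while fetching an OCSP response or CRL.
    public static Verdict validate(List<X509Certificate> chain,
                                   Set<TrustAnchor> trustAnchors,
                                   boolean softFail) throws GeneralSecurityException {
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");

        // The JDK's own revocation checker: OCSP is tried first, CRLs are the
        // fallback unless NO_FALLBACK is set. SOFT_FAIL only covers network errors
        // and internalError/tryLater responder replies; a revoked certificate still fails.
        PKIXRevocationChecker checker =
                (PKIXRevocationChecker) validator.getRevocationChecker();
        checker.setOptions(softFail
                ? EnumSet.of(PKIXRevocationChecker.Option.SOFT_FAIL)
                : EnumSet.noneOf(PKIXRevocationChecker.Option.class));

        PKIXParameters params = new PKIXParameters(trustAnchors);
        params.addCertPathChecker(checker); // the explicit checker is used for revocation

        try {
            validator.validate(path, params);
            return Verdict.GOOD;
        } catch (CertPathValidatorException e) {
            if (e.getReason() == CertPathValidatorException.BasicReason.REVOKED) {
                return Verdict.REVOKED; // a definite verdict: never tolerate
            }
            if (e.getReason() == CertPathValidatorException.BasicReason.UNDETERMINED_REVOCATION_STATUS) {
                // Status could not be established (unreachable responder, no responder
                // URL): an availability problem to log and alert on, not a revocation.
                return Verdict.STATUS_UNDETERMINED;
            }
            return Verdict.OTHER_FAILURE; // expiry, bad signature, name constraints, ...
        }
    }
}
```

A STATUS_UNDETERMINED result is the case this report describes; in a hard-fail deployment it should be surfaced as a monitoring event rather than silently retried.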
- relates to: JDK-8200566 DistributionPointFetcher fails to fetch CRLs if the DistributionPoints field contains more than one DistributionPoint and the first one fails (Closed)