JDK-8328638: Fallback option for POST-only OCSP requests

      Description

        JDK-8179503 made the OCSP client unconditionally use GET requests for small requests. This is explicitly allowed by RFC 5019 and RFC 6960. However, we have seen OCSP responders that -- despite RFC requirements -- are not working well with GET requests.

        There are other reports about this, strongly worded as implementation bugs (e.g. JDK-8287716, https://github.com/openjdk/jdk/commit/f5ee356540d7aa4a7663c0d5d74f5fdb0726b426#r74891389), but this is not an implementation bug per se. Rather, it is a surprising behavior that is problematic for real-world cases. As an example, some JDK 17 upgrades are currently blocked by this interaction of JDK 17 clients with misbehaving OCSP responders.

        So, to simplify migration, and to match the spirit of Postel's Law, it would be convenient to conditionalize JDK-8179503 with a flag, allowing users to fall back to old behavior to get over the compatibility bump while responders are being fixed up.
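
The transport choice described above, sketched as an added example (this is not JDK source code): a small request goes out as a GET with the Base64 request URL-encoded into the path, unless a switch forces the POST form. `allowGet` is a hypothetical parameter standing in for the proposed flag, the 255-byte limit is the one RFC 5019 gives for GET, and the responder URL and request bytes are constructed.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpRequest;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

public class OcspTransport {
    // RFC 5019: GET applies to requests of at most 255 bytes after encoding.
    static final int MAX_GET_LENGTH = 255;

    /**
     * Builds (but does not send) the HTTP request for a DER-encoded OCSPRequest.
     * allowGet is a hypothetical switch standing in for the flag the issue proposes.
     */
    static HttpRequest build(URI responder, byte[] derRequest, boolean allowGet) {
        String b64 = Base64.getEncoder().encodeToString(derRequest);
        // Base64 output can contain '+', '/' and '=', so it is URL-encoded
        // before being appended to the responder URL.
        String base = responder.toString();
        String getUrl = base + (base.endsWith("/") ? "" : "/")
                + URLEncoder.encode(b64, StandardCharsets.UTF_8);
        if (allowGet && getUrl.length() <= MAX_GET_LENGTH) {
            return HttpRequest.newBuilder(URI.create(getUrl))
                    .header("Accept", "application/ocsp-response")
                    .GET().build();
        }
        // Fallback: the raw DER bytes travel in the body of a POST.
        return HttpRequest.newBuilder(responder)
                .header("Content-Type", "application/ocsp-request")
                .header("Accept", "application/ocsp-response")
                .POST(HttpRequest.BodyPublishers.ofByteArray(derRequest))
                .build();
    }

    public static void main(String[] args) {
        URI responder = URI.create("http://ocsp.example.test/status"); // constructed
        byte[] small = new byte[60];   // constructed stand-in for a small OCSPRequest
        byte[] large = new byte[400];  // constructed stand-in, too long for a GET URL
        Arrays.fill(small, (byte) 0xfb); // Base64 of 0xfb bytes contains '+' and '/'
        for (boolean allowGet : new boolean[] {true, false}) {
            for (byte[] req : new byte[][] {small, large}) {
                HttpRequest r = build(responder, req, allowGet);
                System.out.printf("allowGet=%b len=%d -> %s %s%n",
                        allowGet, req.length, r.method(), r.uri());
            }
        }
    }
}
```

Comparing the two printed forms against a responder's access log shows which request shape it rejects: the long percent-encoded GET path or the POST body.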

              People

                shade Aleksey Shipilev