JDK-8328638: Fallback option for POST-only OCSP requests


JDK-8179503 made the OCSP client unconditionally use GET requests for small requests. This is explicitly allowed by RFC 5019 and RFC 6960. However, we have seen OCSP responders that -- despite RFC requirements -- are not working well with GET requests.

There are other reports about this, strongly worded as implementation bugs (e.g. JDK-8287716, https://github.com/openjdk/jdk/commit/f5ee356540d7aa4a7663c0d5d74f5fdb0726b426#r74891389), but this is not an implementation bug per se. Rather, it is a surprising behavior that is problematic for real-world cases. As an example, some JDK 17 upgrades are currently blocked by this interaction of JDK 17 clients with misbehaving OCSP responders.

So, to simplify migration, and to match the spirit of Postel's Law, it would be convenient to conditionalize JDK-8179503 with a flag, allowing users to fall back to the old behavior to get over the compatibility bump while responders are being fixed up.

              shade Aleksey Shipilev
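The GET-or-POST choice described in the issue, with a switch that forces POST, as an added sketch that is not the JDK's own code and not part of the original report. The property name `example.ocsp.useGet`, the class name, the responder URL and the byte arrays are assumptions made for illustration; the 255-byte limit and the `application/ocsp-request` content type come from RFC 6960 Appendix A.1.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpRequest;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class OcspMethodChoice {
    // Hypothetical property name for this sketch; it is not taken from the issue.
    static final String USE_GET_PROP = "example.ocsp.useGet";
    // RFC 6960 A.1: GET may be used when the encoded request is under 255 bytes.
    static final int MAX_GET_LEN = 255;

    static HttpRequest build(URI responder, byte[] derRequest) {
        // Default keeps the GET behaviour; "false" restores POST-only requests.
        boolean allowGet = Boolean.parseBoolean(System.getProperty(USE_GET_PROP, "true"));
        // GET form: {url}/{url-encoding of base64 of the DER OCSPRequest}
        String b64 = Base64.getEncoder().encodeToString(derRequest);
        String encoded = URLEncoder.encode(b64, StandardCharsets.UTF_8);
        if (allowGet && encoded.length() < MAX_GET_LEN) {
            String base = responder.toString();
            String sep = base.endsWith("/") ? "" : "/";
            return HttpRequest.newBuilder(URI.create(base + sep + encoded)).GET().build();
        }
        // POST form: raw DER in the body, which every responder must accept.
        return HttpRequest.newBuilder(responder)
                .header("Content-Type", "application/ocsp-request")
                .POST(HttpRequest.BodyPublishers.ofByteArray(derRequest))
                .build();
    }

    public static void main(String[] args) {
        URI responder = URI.create("http://ocsp.example.test/"); // constructed URL
        byte[] small = new byte[80];  // constructed stand-in for a small DER request
        byte[] large = new byte[400]; // constructed stand-in for an oversized request

        System.out.println("small, GET allowed:  " + build(responder, small).method());
        System.out.println("large, GET allowed:  " + build(responder, large).method());

        // Fallback for responders that mishandle GET: force POST for everything.
        System.setProperty(USE_GET_PROP, "false");
        System.out.println("small, GET disabled: " + build(responder, small).method());
    }
}
```

Revocation results must not depend on which method was used, so a fallback like this changes only transport and cacheability, not the validation outcome.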