Loading...

XML

Word

Printable

Type: Enhancement
Resolution: Fixed
Priority: P4
Fix Version/s: 23
Affects Version/s: 17, 21, 22, 23
Component/s: security-libs
Labels:

Subcomponent:
javax.security
Resolved In Build:
b16

Issue	Fix Version	Assignee	Priority	Status	Resolution	Resolved In Build
JDK-8329683	22.0.2	Aleksey Shipilev	P4	Resolved	Fixed	b03
JDK-8338800	21.0.7-oracle	Nibedita Jena	P4	Resolved	Fixed	master
JDK-8329685	21.0.4	Aleksey Shipilev	P4	Resolved	Fixed	b01
JDK-8343970	17.0.15-oracle	Nibedita Jena	P4	Resolved	Fixed	master
JDK-8329798	17.0.12	Aleksey Shipilev	P4	Resolved	Fixed	b01

~~JDK-8179503~~ made OCSP client unconditionally use GET requests for small requests. This is explicitly allowed by RFC 5019 and RFC 6960. However, we have seen OCSP responders that -- despite RFC requirements -- are not working well with GET requests.

There are other reports about this, strongly worded as implementation bugs (e.g. ~~JDK-8287716~~, https://github.com/openjdk/jdk/commit/f5ee356540d7aa4a7663c0d5d74f5fdb0726b426#r74891389), but this is not an implementation bug per se. Rather, it a surprising behavior that is problematic for real world cases. As the example, some JDK 17 upgrades are currently blocked by this interaction of JDK 17 clients with misbehaving OCSP responders.

So, to simplify migration, and to match the spirit of Postel's Law, it would be convenient to conditionalize ~~JDK-8179503~~ with a flag, allowing users to fall back to old behavior to get over the compatibility bump while responders are being fixed up.

backported by

JDK-8329683 Fallback option for POST-only OCSP requests

Resolved

JDK-8329685 Fallback option for POST-only OCSP requests

Resolved

JDK-8329798 Fallback option for POST-only OCSP requests

Resolved

JDK-8338800 Fallback option for POST-only OCSP requests

Resolved

JDK-8343970 Fallback option for POST-only OCSP requests

Resolved

csr for

JDK-8328810 Fallback option for POST-only OCSP requests

Closed

duplicates

JDK-8287716 Wrong implementation RFC 2560 in OCSP.java

Closed

relates to

JDK-8329213 Better validation for com.sun.security.ocsp.useget option

Resolved

JDK-8328830 eMudhra emSign CAInterop tests fail

Closed

JDK-8179503 Java should support GET OCSP calls

Resolved

links to

Commit openjdk/jdk17u-dev/533fac61

Commit openjdk/jdk21u-dev/fbc5871c

Commit openjdk/jdk22u/8d7d8a49

Commit openjdk/jdk/614db2ea

Review openjdk/jdk17u-dev/2338

Review openjdk/jdk21u-dev/413

Review openjdk/jdk22u/121

Review openjdk/jdk/18408

(1 csr for, 1 duplicates, 3 relates to, 8 links to)

There are no Sub-Tasks for this issue.

Assignee:: Aleksey Shipilev

Reporter:: Aleksey Shipilev

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Created:: 2024-03-20 12:24

Updated:: 2 days ago 00:11

Resolved:: 2024-03-27 07:46

Details

Backports

Description

Attachments

Issue Links

Sub-Tasks

Activity

People

Dates