Type: CSR
Resolution: Approved
Priority: P4
Compatibility Kind: behavioral
Compatibility Risk: low
Interface Kind: System or security property
Scope: JDK
Summary
Provide a fallback option that allows POST-only OCSP requests, matching the pre-JDK 17 behavior for JDK OCSP clients that work with some OCSP responders.
Problem
JDK-8179503 made the OCSP client unconditionally use GET requests for small requests. This is explicitly allowed by RFC 5019 and RFC 6960. However, we have seen OCSP responders that, despite the RFC requirements, do not work well with GET requests. The RFC recommendations are ambiguous on whether an OCSP client MUST or MAY use GET, which adds to the confusion.
Solution
We introduce another flag in the already existing com.sun.security.ocsp namespace: com.sun.security.ocsp.useget. The default behavior of the OCSP client does not change. Setting the flag to false prevents the OCSP client from using GET requests.
We currently see this problem in JDK 17, where the original improvement to OCSP was done, and therefore this CSR is targeted at all actively maintained JDK releases starting with 17.
Specification
Copying from the initial PR:
/**
* Boolean value indicating whether OCSP client can use GET for OCSP
* requests. There is an ambiguity in RFC recommendations.
*
* RFC 5019 says a stronger thing, "MUST":
* "When sending requests that are less than or equal to 255 bytes in
* total (after encoding) including the scheme and delimiters (http://),
* server name and base64-encoded OCSPRequest structure, clients MUST
* use the GET method (to enable OCSP response caching)."
*
* RFC 6960 says a weaker thing, "MAY":
* "HTTP-based OCSP requests can use either the GET or the POST method to
* submit their requests. To enable HTTP caching, small requests (that
* after encoding are less than 255 bytes) MAY be submitted using GET."
*
* For performance reasons, we default to the stronger behavior. But this
* option also allows falling back to the weaker behavior in case of
* compatibility problems.
*/
private static final boolean USE_GET = initializeBoolean(
"com.sun.security.ocsp.useget", "true");
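As an added illustration (not code from the PR or from the JDK's OCSP implementation), the following shows how a client can combine the useget flag with the RFC 5019 size rule when choosing between GET and POST. The class name, the responder URI and the placeholder request bytes are constructed for this example; the GET URL form follows RFC 6960 Appendix A.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public final class OcspMethodChooser {

    /** RFC 5019: requests of at most this many bytes (after encoding) use GET. */
    static final int RFC5019_GET_LIMIT = 255;

    // Reads the flag with the same default as the CSR text ("true").
    // Hypothetical helper, not the JDK's initializeBoolean().
    static boolean useGetAllowed() {
        return Boolean.parseBoolean(
                System.getProperty("com.sun.security.ocsp.useget", "true"));
    }

    // GET form per RFC 6960 Appendix A: {url}/{url-encoded base64(DER OCSPRequest)}
    static String buildGetUrl(URI responder, byte[] derRequest) {
        String b64 = Base64.getEncoder().encodeToString(derRequest);
        return responder.toString() + "/"
                + URLEncoder.encode(b64, StandardCharsets.UTF_8);
    }

    // Returns "GET" or "POST": POST whenever the operator disabled GET, otherwise
    // GET only if the whole encoded request fits the RFC 5019 limit.
    static String chooseMethod(boolean useGet, URI responder, byte[] derRequest) {
        if (!useGet) {
            return "POST";
        }
        int encodedLength = buildGetUrl(responder, derRequest)
                .getBytes(StandardCharsets.US_ASCII).length;
        return encodedLength <= RFC5019_GET_LIMIT ? "GET" : "POST";
    }

    public static void main(String[] args) {
        URI responder = URI.create("http://ocsp.example.test"); // constructed
        // Constructed placeholder bytes standing in for DER-encoded OCSPRequests:
        // a small single-certificate request and a large one (e.g. with a nonce
        // extension and several CertIDs).
        byte[] smallRequest = new byte[84];
        byte[] largeRequest = new byte[300];
        boolean useGet = useGetAllowed();  // -Dcom.sun.security.ocsp.useget=false flips this
        System.out.println("small request, flag as configured: " + chooseMethod(useGet, responder, smallRequest));
        System.out.println("small request, useget=false      : " + chooseMethod(false, responder, smallRequest));
        System.out.println("large request, useget=true       : " + chooseMethod(true, responder, largeRequest));
    }
}
```

With the defaults, the 84-byte request yields a 137-character URL and is sent with GET, the 300-byte request exceeds 255 characters and falls back to POST, and setting the property to false forces POST for both.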
CSR of: JDK-8328638 Fallback option for POST-only OCSP requests (Resolved)