Details
- Sub-task
- Resolution: Delivered
- P4
- None
- 22.0.2, 23
Backports
Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-8329863 | 22.0.2 | Marc Palmerjohnson | P4 | Resolved | Delivered | |
Description
JDK 17 introduced a performance improvement that made the OCSP client unconditionally use GET requests for small requests, while using POST requests for everything else. This is explicitly allowed and recommended by RFC 5019 and RFC 6960. However, we have seen OCSP responders that, despite the RFC requirements, do not work well with GET requests.
This release introduces a new JDK system property to allow fallback to POST-only behavior to unblock interaction with those OCSP responders: `-Dcom.sun.security.ocsp.useget={false,true}`. This amends the original change that introduced GET OCSP requests (JDK-8179503). The default behavior is not changed; the option defaults to `true`. Set the option to `false` to disable GET OCSP requests. Any value other than `false` (case-insensitive) defaults to `true`.
This option is non-standard, and might go away once problematic OCSP responders get upgraded.
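The GET/POST selection described above, as an added sketch that is not the JDK's own code: it reads the property value with the semantics this note gives and builds the GET form defined in RFC 6960 Appendix A. The 255-byte limit is taken from RFC 5019 rather than from this note, and the responder URL and request bytes are constructed placeholders.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class OcspMethodDemo {
    // Assumption from RFC 5019: GET is used only if the whole encoded URL fits in 255 bytes.
    static final int MAX_GET_URL = 255;

    // Semantics from the release note: only "false" (case-insensitive) disables GET;
    // an unset property or any other value means GET stays enabled.
    static boolean useGet(String propertyValue) {
        return !"false".equalsIgnoreCase(propertyValue);
    }

    // RFC 6960 Appendix A: {url}/{url-encoding of base64 of the DER OCSPRequest}.
    static String getUrl(String responder, byte[] derRequest) {
        String b64 = Base64.getEncoder().encodeToString(derRequest);
        return responder + "/" + URLEncoder.encode(b64, StandardCharsets.UTF_8);
    }

    // Describes the HTTP request a client following these rules would send.
    static String describe(String responder, byte[] derRequest, String propertyValue) {
        String url = getUrl(responder, derRequest);
        if (useGet(propertyValue) && url.length() <= MAX_GET_URL) {
            return "GET " + url;
        }
        return "POST " + responder + " (Content-Type: application/ocsp-request, "
                + derRequest.length + " body bytes)";
    }

    public static void main(String[] args) {
        String responder = "http://ocsp.example.test"; // hypothetical responder URL
        byte[] small = new byte[80];   // constructed stand-in for a small DER OCSPRequest
        byte[] large = new byte[400];  // constructed stand-in, too long for the GET form
        String prop = System.getProperty("com.sun.security.ocsp.useget");
        System.out.println(describe(responder, small, prop));    // follows the -D setting
        System.out.println(describe(responder, large, prop));    // POST regardless of setting
        System.out.println(describe(responder, small, "FALSE")); // POST-only fallback
    }
}
```

Running it with and without `-Dcom.sun.security.ocsp.useget=false` shows which request shape a responder has to accept in each mode, which helps when checking whether a responder's failures are specific to the GET form.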
Issue Links
- backported by
  - JDK-8329863 Release Note: Fallback Option For POST-only OCSP Requests (Resolved)