Issue: JDK-8329111 (sub-task of JDK-8328638, Fallback option for POST-only OCSP requests)

Release Note: Fallback Option For POST-only OCSP Requests

Details

    • Sub-task
    • Resolution: Delivered
    • P4
    • None
    • 22.0.2, 23
    • security-libs

      Description

        JDK 17 introduced a performance improvement that made the OCSP client unconditionally use GET requests for small requests, while using POST requests for everything else. This is explicitly allowed and recommended by RFC 5019 and RFC 6960. However, we have seen OCSP responders that, despite RFC requirements, are not working well with GET requests.

        This release introduces a new JDK system property to allow fallback to POST-only behavior to unblock interaction with those OCSP responders: `-Dcom.sun.security.ocsp.useget={false,true}`. This amends the original change that introduced GET OCSP requests (JDK-8179503). The default behavior is not changed; the option defaults to `true`. Set the option to `false` to disable GET OCSP requests. Any value other than `false` (case-insensitive) defaults to `true`.

        This option is non-standard, and might go away once problematic OCSP responders get upgraded.
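
The following is an added example, not code from the JDK or from this issue. It models the selection rule described above: the property semantics from this note, the GET URL form from RFC 6960 Appendix A.1, and the 255-byte limit from RFC 5019. The class and method names, the responder URL and the zero-filled request bytes are constructed for illustration.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class OcspMethodChoice {
    // RFC 5019: GET applies only when the complete encoded URL is at most 255 bytes.
    static final int MAX_GET_URL_LENGTH = 255;

    // Semantics stated in the release note: only "false" (case-insensitive)
    // disables GET; an unset property or any other value means true.
    static boolean useGet(String propertyValue) {
        return !"false".equalsIgnoreCase(propertyValue);
    }

    // RFC 6960 Appendix A.1:
    //   {url}/{url-encoding of base-64 encoding of the DER encoding of the OCSPRequest}
    static String getUrl(String responderUrl, byte[] derRequest) {
        String b64 = Base64.getEncoder().encodeToString(derRequest);
        return responderUrl + "/" + URLEncoder.encode(b64, StandardCharsets.UTF_8);
    }

    // GET only if it is enabled and the request is small enough; otherwise POST.
    static String chooseMethod(String propertyValue, String responderUrl, byte[] derRequest) {
        boolean small = getUrl(responderUrl, derRequest).length() <= MAX_GET_URL_LENGTH;
        return (useGet(propertyValue) && small) ? "GET" : "POST";
    }

    public static void main(String[] args) {
        String responder = "http://ocsp.example.test"; // constructed placeholder URL
        // Zero-filled arrays stand in for DER requests; only their length matters here.
        byte[] small = new byte[80];
        byte[] large = new byte[400];

        String prop = System.getProperty("com.sun.security.ocsp.useget");
        System.out.println("property=" + prop + " -> useGet=" + useGet(prop));
        System.out.println("small request: " + chooseMethod(prop, responder, small));
        System.out.println("large request: " + chooseMethod(prop, responder, large));
        // Case-insensitive match: "FALSE" also forces POST for small requests.
        System.out.println("small, useget=FALSE: " + chooseMethod("FALSE", responder, small));
        // Any other value, such as "no", leaves GET enabled.
        System.out.println("small, useget=no: " + chooseMethod("no", responder, small));
    }
}
```

Running it as `java -Dcom.sun.security.ocsp.useget=false OcspMethodChoice.java` shows every request going out as POST, which is the fallback this release note describes.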

              People

                shade Aleksey Shipilev