On 9/3/2014 8:47 AM, Bernd Eckenfels wrote:
> Also I can understand the restriction to not require API changes I
> wonder if this is a good idea. I will come back to that later, but just
> a preliminary question: will a TrustManager (or HostnameVerifier) be
> able to actually see and work on the OCSP response - maybe via
> getHandshakeSession()?
The configuration and validation of OCSP should be delegated to PKIX
cert path building and validation processes.  Customizing the
PKIXRevocationChecker and PKIXParameters would impact the behavior of
JSSE.  TrustManager would also honor the PKIX configurations.

Xuelei
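
As an added illustration of the reply above (not code from this thread or from the OpenJDK project): a customized PKIXRevocationChecker is placed into PKIXBuilderParameters and handed to the JSSE "PKIX" TrustManagerFactory, so the resulting TrustManager applies that revocation configuration during the handshake. The class name, the chosen options, and the use of the JDK's default cacerts file with its stock password are assumptions made for the example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509CertSelector;
import java.util.EnumSet;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical class name; illustrates PKIX-level OCSP configuration for JSSE.
public class PkixRevocationForJsse {

    static SSLContext build(KeyStore trustAnchors) throws Exception {
        // The PKIX provider's own revocation checker (OCSP first by default).
        CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpb.getRevocationChecker();

        // Example policy: check only the end-entity certificate and do not
        // fall back to CRLs. Without SOFT_FAIL, an unreachable responder
        // makes validation fail (hard fail).
        rc.setOptions(EnumSet.of(
                PKIXRevocationChecker.Option.ONLY_END_ENTITY,
                PKIXRevocationChecker.Option.NO_FALLBACK));

        PKIXBuilderParameters pkix =
                new PKIXBuilderParameters(trustAnchors, new X509CertSelector());
        pkix.setRevocationEnabled(true);
        pkix.addCertPathChecker(rc);

        // JSSE picks the PKIX configuration up through the TrustManagerFactory.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(pkix));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumption: the JDK's bundled trust store with its default password.
        String path = System.getProperty("java.home") + "/lib/security/cacerts";
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, "changeit".toCharArray());
        }
        System.out.println("Protocol: " + build(ks).getProtocol());
    }
}
```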
