Hello all, this update removes an unnecessary change in test/javax/net/ssl, adds in some additional logging, and an early exit condition from the loop if an acceptable status_request_v2 item is found (favoring OCSP_MULTI over OCSP). Also an additional test case that exercises this exit condition was added.

Webrev: http://cr.openjdk.java.net/~jnimeh/reviews/8132943/webrev.02

Thanks,

--Jamil


On 08/05/2016 09:56 PM, Jamil Nimeh wrote:
Hello all,

This fixes an issue with OCSPStatusRequest selection by the server when doing OCSP stapling. Since we currently do not support responder ID filtering, the server should not select an OCSPStatusRequest with responder IDs in it, else it could potentially return OCSP responses that the client has already stated it would not trust. This fix takes care of that. If the server cannot find an OCSPStatusRequest that is suitable (in this case, one that has an empty responder ID list) it will not do stapling for that handshake.

Bug: https://bugs.openjdk.java.net/browse/JDK-8132943
Webrev: http://cr.openjdk.java.net/~jnimeh/reviews/8132943/webrev.01

Thanks,
--Jamil

Reply via email to