Hello all, this update removes an unnecessary change in
test/javax/net/ssl, adds in some additional logging, and an early exit
condition from the loop if an acceptable status_request_v2 item is found
(favoring OCSP_MULTI over OCSP). Also an additional test case that
exercises this exit condition was added.
Webrev: http://cr.openjdk.java.net/~jnimeh/reviews/8132943/webrev.02
Thanks,
--Jamil
On 08/05/2016 09:56 PM, Jamil Nimeh wrote:
Hello all,
This fixes an issue with OCSPStatusRequest selection by the server
when doing OCSP stapling. Since we currently do not support responder
ID filtering, the server should not select an OCSPStatusRequest with
responder IDs in it, else it could potentially return OCSP responses
that the client has already stated it would not trust. This fix takes
care of that. If the server cannot find an OCSPStatusRequest that is
suitable (in this case, one that has an empty responder ID list) it
will not do stapling for that handshake.
Bug: https://bugs.openjdk.java.net/browse/JDK-8132943
Webrev: http://cr.openjdk.java.net/~jnimeh/reviews/8132943/webrev.01
Thanks,
--Jamil
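
The selection rule described in this thread, sketched as an added example; it is not code from the webrev or from the JDK. The class, record and method names are hypothetical, responder IDs are modelled as plain strings, and keeping the first acceptable OCSP item as the fallback is an assumption (the thread only states that OCSP_MULTI is favored and that the loop exits early). Requires Java 16 or later for records.

```java
import java.util.List;
import java.util.Optional;

public class StaplingSelection {
    // status_type values defined for status_request_v2 in RFC 6961.
    enum StatusType { OCSP, OCSP_MULTI }

    // Hypothetical, simplified request item: only the fields the choice depends on.
    record RequestItem(StatusType type, List<String> responderIds) {}

    // Returns the item to staple for, or empty when the server should not staple.
    static Optional<RequestItem> select(List<RequestItem> clientItems) {
        RequestItem ocspFallback = null;
        for (RequestItem item : clientItems) {
            if (!item.responderIds().isEmpty()) {
                continue; // no responder ID filtering on the server, so not usable
            }
            if (item.type() == StatusType.OCSP_MULTI) {
                return Optional.of(item); // acceptable OCSP_MULTI: stop looking
            }
            if (ocspFallback == null) {
                ocspFallback = item; // assumed: keep first acceptable OCSP, keep scanning
            }
        }
        return Optional.ofNullable(ocspFallback);
    }

    public static void main(String[] args) {
        // Constructed sample inputs; "responder-A" is a placeholder responder ID.
        RequestItem ocsp = new RequestItem(StatusType.OCSP, List.of());
        RequestItem multi = new RequestItem(StatusType.OCSP_MULTI, List.of());
        RequestItem pinnedOcsp = new RequestItem(StatusType.OCSP, List.of("responder-A"));
        RequestItem pinnedMulti = new RequestItem(StatusType.OCSP_MULTI, List.of("responder-A"));

        // Both acceptable: OCSP_MULTI is chosen even though OCSP came first.
        System.out.println(select(List.of(ocsp, multi)).map(RequestItem::type));
        // OCSP_MULTI names a responder: fall back to the plain OCSP item.
        System.out.println(select(List.of(pinnedMulti, ocsp)).map(RequestItem::type));
        // Every item names a responder: nothing suitable, so no stapling.
        System.out.println(select(List.of(pinnedOcsp, pinnedMulti)).map(RequestItem::type));
    }
}
```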