JDK-8023362

Don't allow soft-fail behavior if OCSP responder returns "unauthorized"

    Details

    • Subcomponent:
    • Resolved In Build:
      b108
    • Verification:
      Verified

      Description

      PKIXRevocationChecker.Option.SOFT_FAIL currently says:

               * Allow revocation check to succeed if the revocation status cannot be
               * determined for one of the following reasons:
               * <p><ul>
               * <li>The CRL or OCSP response cannot be obtained because of a
               * network error.
               * <li>The OCSP responder returns one of the following errors
               * specified in section 2.3 of RFC 2560: internalError, tryLater,
               * or unauthorized.

      unauthorized is an authoritative response from the responder and is not due to a network error or the server being unable to return a response due to an exception. This status can be returned by an OCSP responder when it doesn't know anything about the certificate, or if it is expired and it no longer maintains/returns revocation status for that certificate. If the unauthorized status is because it is expired, a fallback to CRLs may succeed because the cert is not listed on the CRL. However, it is risky to depend on that, as revoked certificates may have been pruned from the CRL after they expired.

              People

              • Assignee:
                mullan Sean Mullan
                Reporter:
                mullan Sean Mullan
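An added example, not part of the original issue or the JDK's own code: one way for a caller that enables SOFT_FAIL to see which revocation checks were allowed to pass without a definitive answer, using the standard `PKIXRevocationChecker.getSoftFailExceptions()` method. The class name `SoftFailAudit`, the method `validateAndAudit` and the `rejectOnSoftFail` flag are hypothetical; the caller is assumed to supply the certificate path and trust anchors.

```java
import java.security.GeneralSecurityException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.TrustAnchor;
import java.util.EnumSet;
import java.util.List;
import java.util.Set;

public final class SoftFailAudit {
    private SoftFailAudit() {}

    /**
     * Validates the path with SOFT_FAIL enabled and returns every exception the
     * revocation checker ignored. With rejectOnSoftFail set, an undetermined
     * revocation status is turned back into a validation failure.
     */
    public static List<CertPathValidatorException> validateAndAudit(
            CertPath path, Set<TrustAnchor> anchors, boolean rejectOnSoftFail)
            throws GeneralSecurityException {
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker checker = (PKIXRevocationChecker) cpv.getRevocationChecker();
        checker.setOptions(EnumSet.of(PKIXRevocationChecker.Option.SOFT_FAIL));

        PKIXParameters params = new PKIXParameters(anchors);
        params.addCertPathChecker(checker);

        // Throws CertPathValidatorException on a hard failure, e.g. a revoked certificate.
        cpv.validate(path, params);

        // Anything listed here was treated as "status unknown, continue".
        List<CertPathValidatorException> soft = checker.getSoftFailExceptions();
        for (CertPathValidatorException e : soft) {
            System.err.printf("soft-fail at cert index %d: reason=%s cause=%s%n",
                    e.getIndex(), e.getReason(), e.getCause());
        }
        if (rejectOnSoftFail && !soft.isEmpty()) {
            throw new CertPathValidatorException(
                    "revocation status undetermined for " + soft.size() + " check(s)",
                    soft.get(0));
        }
        return soft;
    }
}
```

Logging the returned list gives an audit trail of which certificates were accepted without a definitive revocation answer.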