mirror of
https://github.com/openjdk/jdk.git
synced 2025-08-27 23:04:50 +02:00
8328638: Fallback option for POST-only OCSP requests
Reviewed-by: mullan, rhalade
This commit is contained in:
parent
d292aabf05
commit
614db2ea9e
3 changed files with 83 additions and 4 deletions
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright (c) 2009, 2023, Oracle and/or its affiliates. All rights reserved.
|
||||
* Copyright (c) 2009, 2024, Oracle and/or its affiliates. All rights reserved.
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
* This code is free software; you can redistribute it and/or modify it
|
||||
|
@ -85,6 +85,28 @@ public final class OCSP {
|
|||
private static final int READ_TIMEOUT = initializeTimeout(
|
||||
"com.sun.security.ocsp.readtimeout", DEFAULT_READ_TIMEOUT);
|
||||
|
||||
/**
|
||||
* Boolean value indicating whether OCSP client can use GET for OCSP
|
||||
* requests. There is an ambiguity in RFC recommendations.
|
||||
*
|
||||
* RFC 5019 says a stronger thing, "MUST":
|
||||
* "When sending requests that are less than or equal to 255 bytes in
|
||||
* total (after encoding) including the scheme and delimiters (http://),
|
||||
* server name and base64-encoded OCSPRequest structure, clients MUST
|
||||
* use the GET method (to enable OCSP response caching)."
|
||||
*
|
||||
* RFC 6960 says a weaker thing, "MAY":
|
||||
* "HTTP-based OCSP requests can use either the GET or the POST method to
|
||||
* submit their requests. To enable HTTP caching, small requests (that
|
||||
* after encoding are less than 255 bytes) MAY be submitted using GET."
|
||||
*
|
||||
* For performance reasons, we default to stronger behavior. But this
|
||||
* option also allows to fallback to weaker behavior in case of compatibility
|
||||
* problems.
|
||||
*/
|
||||
private static final boolean USE_GET = initializeBoolean(
|
||||
"com.sun.security.ocsp.useget", "true");
|
||||
|
||||
/**
|
||||
* Initialize the timeout length by getting the OCSP timeout
|
||||
* system property. If the property has not been set, or if its
|
||||
|
@ -99,6 +121,15 @@ public final class OCSP {
|
|||
return timeoutVal;
|
||||
}
|
||||
|
||||
private static boolean initializeBoolean(String prop, String def) {
|
||||
String flag = GetPropertyAction.privilegedGetProperty(prop, def);
|
||||
boolean value = Boolean.parseBoolean(flag);
|
||||
if (debug != null) {
|
||||
debug.println(prop + " set to " + value);
|
||||
}
|
||||
return value;
|
||||
}
|
||||
|
||||
private OCSP() {}
|
||||
|
||||
/**
|
||||
|
@ -186,7 +217,7 @@ public final class OCSP {
|
|||
encodedGetReq.append(URLEncoder.encode(
|
||||
Base64.getEncoder().encodeToString(bytes), UTF_8));
|
||||
|
||||
if (encodedGetReq.length() <= 255) {
|
||||
if (USE_GET && encodedGetReq.length() <= 255) {
|
||||
url = new URI(encodedGetReq.toString()).toURL();
|
||||
con = (HttpURLConnection)url.openConnection();
|
||||
con.setConnectTimeout(CONNECT_TIMEOUT);
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue