JDK-8046293 : Perform revocation checking of the client certificate
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Priority: P4
  • Status: Closed
  • Resolution: Not an Issue
  • Submitted: 2014-06-09
  • Updated: 2016-05-12
  • Resolved: 2016-05-12
Version
  • JDK 9: Resolved
Description
We may want to support a convenient way to perform revocation checking of the client certificate in SSL/TLS handshaking.

Section 3.2, NIST SP 800-52 Rev. 1 [1]:
----------------------------------------------------
The server shall perform revocation checking of the client certificate, when client authentication is used. Revocation information shall be obtained by the server from one or more of the following locations:

1. Certificate Revocation List (CRL) or OCSP [RFC6960] response in the server's local store;
2. OCSP response from a locally configured OCSP Responder;
3. OCSP response from the OCSP Responder location identified in the OCSP field in the Authority Information Access extension in the client certificate; or
4. CRL from the CRL Distribution Point extension in the client certificate.

When the local store does not have the current or a cogent CRL or OCSP response, and the OCSP Responder and the CRL Distribution Point are unavailable or inaccessible at the time of TLS session establishment, the server will either deny the connection or accept a potentially revoked or compromised certificate. The decision to accept or reject a certificate in this situation should be made according to agency policy.


[1]: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf
Comments
We have had options to configure revocation checking with PKIXParameters through a trust manager and system properties. Not an issue any more.
12-05-2016
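The configuration the closing comment refers to, shown as an added example that is not code from the JDK or from this issue: a TLS server that requires a client certificate and installs a PKIXRevocationChecker through CertPathTrustManagerParameters, mapping each of the four revocation sources in the quoted NIST text to a JSSE setting, and making the "deny or accept when status is unavailable" policy decision explicit via the SOFT_FAIL option. The keystore and CRL file names, the responder URI, the password and the port are assumptions for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URI;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertStore;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.PKIXRevocationChecker.Option;
import java.security.cert.X509CRL;
import java.security.cert.X509CertSelector;
import java.util.Collections;
import java.util.EnumSet;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/**
 * Example TLS server that requires a client certificate and checks its revocation
 * status with a PKIXRevocationChecker. File names, responder URI, password and port
 * are assumptions made for this example.
 */
public final class ClientCertRevocationServer {

    /** Agency-policy knob from NIST SP 800-52: fail closed when status is unavailable. */
    static final boolean DENY_WHEN_STATUS_UNAVAILABLE = true;

    static KeyStore loadKeyStore(String path, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pw);
        }
        return ks;
    }

    /** PKIX parameters that wire the four revocation sources into the trust manager. */
    static PKIXBuilderParameters clientCertParams(KeyStore clientCas) throws Exception {
        // Trust anchors are the CA certificates in the keystore; the empty selector lets
        // the builder construct a path from whatever client certificate is presented.
        PKIXBuilderParameters params = new PKIXBuilderParameters(clientCas, new X509CertSelector());

        // Source 1: a CRL kept in the server's local store (client-ca.crl is an assumed file).
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream("client-ca.crl")) {
            X509CRL localCrl = (X509CRL) cf.generateCRL(in);
            params.addCertStore(CertStore.getInstance("Collection",
                    new CollectionCertStoreParameters(Collections.singletonList(localCrl))));
        }

        PKIXRevocationChecker rc =
                (PKIXRevocationChecker) CertPathBuilder.getInstance("PKIX").getRevocationChecker();

        // Source 2: a locally configured OCSP responder. Setting it overrides the AIA URL of
        // every certificate; leave it unset to use Source 3 (the AIA extension) instead.
        rc.setOcspResponder(URI.create("http://ocsp.internal.example:8080/"));

        EnumSet<Option> opts = EnumSet.noneOf(Option.class);
        if (!DENY_WHEN_STATUS_UNAVAILABLE) {
            // SOFT_FAIL accepts the certificate when the responder or CRL cannot be reached;
            // without it the path validation, and so the handshake, fails.
            opts.add(Option.SOFT_FAIL);
        }
        rc.setOptions(opts);

        // A checker added this way is used regardless of the RevocationEnabled flag.
        params.addCertPathChecker(rc);
        return params;
    }

    public static void main(String[] args) throws Exception {
        // Source 4: fetching CRLs from the CRL Distribution Points extension is gated on
        // this system property; it is read when the checker initialises.
        System.setProperty("com.sun.security.enableCRLDP", "true");

        char[] pw = "changeit".toCharArray();
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadKeyStore("server.p12", pw), pw);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(clientCertParams(loadKeyStore("client-cas.p12", pw))));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

        try (SSLServerSocket server =
                     (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(8443)) {
            server.setNeedClientAuth(true); // client auth is mandatory, so the check always runs
            while (true) {
                try (SSLSocket s = (SSLSocket) server.accept()) {
                    s.startHandshake(); // fails if the client certificate is revoked
                    System.out.println("accepted " + s.getSession().getPeerPrincipal());
                } catch (SSLException e) {
                    System.err.println("rejected: " + e.getMessage());
                }
            }
        }
    }
}
```

The system-property route mentioned in the comment is the alternative when the default PKIX trust manager is used unchanged: start the JVM with -Dcom.sun.net.ssl.checkRevocation=true and -Dcom.sun.security.enableCRLDP=true, and set ocsp.enable=true in the java.security file. That route offers no per-deployment choice between failing open and failing closed, which is why the explicit PKIXRevocationChecker above is the better fit for the NIST policy decision.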