JDK-8046299 : Define policy to enforce server certificate status checking in TLS handshaking
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Priority: P4
  • Status: Closed
  • Resolution: Not an Issue
  • Submitted: 2014-06-09
  • Updated: 2016-05-12
  • Resolved: 2016-05-12
JDK 9: Resolved
Description
We may define a policy to reject or accept a potentially revoked or compromised server certificate in TLS handshaking.

Section 4.2.2, NIST SP 800-52 Rev. 1:
-------------------------------------------------
The client shall perform revocation checking of the server certificate. Revocation information can be obtained by the client from one of the following locations:
1. OCSP response or responses in the server's CertificateStatus message [RFC6066], [RFC6961].
2. Certificate Revocation List (CRL) or OCSP [RFC6960] response in the client's local certificate store;
3. OCSP response from a locally configured OCSP responder;
4. OCSP response from the OCSP responder location identified in the OCSP field in the Authority Information Access extension in the server certificate; or
5. CRL from the CRL Distribution Point extension in the server certificate.

When the server does not provide the revocation status, the local certificate store does not have the current or a cogent CRL or OCSP response, and the OCSP Responder and the CRL Distribution Point are unavailable or inaccessible at the time of TLS session establishment, the client will either terminate the connection or accept a potentially revoked or compromised certificate. The decision to accept or reject a certificate in this situation should be made according to agency policy.
Comments
We have had options to configure revocation checking with PKIXParameters and OCSP Stapling. Not an issue any more.
12-05-2016
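The closing comment says the accept-or-reject decision from the description is already configurable through PKIXParameters and OCSP stapling. The following is an added example, not code from the JDK or from this report, showing how a client expresses that policy: a PKIXRevocationChecker with the default options hard-fails when no revocation status can be obtained, while adding Option.SOFT_FAIL accepts the certificate in that case (a definitive "revoked" answer still fails either way). The status_request extension is enabled explicitly for stapling (NIST item 1), an optional local responder covers NIST item 3, and the AIA OCSP URL and CRL distribution point (items 4 and 5) are consulted by the checker itself. The class name, the Policy enum, the command-line arguments and the assumption that the platform trust store lives at ${java.home}/lib/security/cacerts (the JDK 9+ layout) are this example's own.

```java
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509CertSelector;
import java.util.EnumSet;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/**
 * Example TLS client (not JDK code) whose handling of a server certificate with
 * unobtainable revocation status is chosen by an explicit policy.
 */
public final class RevocationPolicyClient {

    /** Hypothetical name for the "agency policy" in the description. */
    public enum Policy { HARD_FAIL, SOFT_FAIL }

    /** Revocation checker configured for the policy; localResponder may be null. */
    public static PKIXRevocationChecker revocationChecker(Policy policy, URI localResponder)
            throws Exception {
        CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpb.getRevocationChecker();

        // Empty option set = defaults: OCSP (AIA responder) first, CRL from the CRL
        // distribution point as fallback, whole chain checked, and any failure to
        // obtain status is fatal. That is the "terminate the connection" branch.
        EnumSet<PKIXRevocationChecker.Option> opts =
                EnumSet.noneOf(PKIXRevocationChecker.Option.class);
        if (policy == Policy.SOFT_FAIL) {
            // "Accept a potentially revoked certificate" branch: an unreachable
            // responder or CRL DP is ignored; an actual "revoked" response still fails.
            opts.add(PKIXRevocationChecker.Option.SOFT_FAIL);
        }
        rc.setOptions(opts);
        if (localResponder != null) {
            rc.setOcspResponder(localResponder); // locally configured responder (NIST item 3)
        }
        return rc;
    }

    /** SSLContext whose PKIX trust manager runs the given revocation checker. */
    public static SSLContext build(KeyStore trustStore, PKIXRevocationChecker rc) throws Exception {
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        // Adding an explicit checker replaces the legacy setRevocationEnabled mechanism.
        params.addCertPathChecker(rc);
        // CRLs or OCSP responses kept locally (NIST item 2) would be supplied via
        // params.addCertStore(...) with a CertStore holding them.

        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(params));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Usage: java RevocationPolicyClient <host> [HARD_FAIL|SOFT_FAIL] */
    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "example.com";
        Policy policy = args.length > 1 ? Policy.valueOf(args[1]) : Policy.HARD_FAIL;

        // Ask the server to staple an OCSP response (status_request, NIST item 1).
        // Enabled by default since JDK 9; set here so the policy is visible in code.
        System.setProperty("jdk.tls.client.enableStatusRequestExtension", "true");

        // Assumed trust store location (JDK 9+ layout); password null skips the integrity check.
        Path cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (var in = Files.newInputStream(cacerts)) {
            trustStore.load(in, null);
        }

        SSLContext ctx = build(trustStore, revocationChecker(policy, null));
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, 443)) {
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS"); // hostname check, separate from revocation
            s.setSSLParameters(p);
            s.startHandshake();
            System.out.println("Handshake completed with " + host + " under " + policy);
        } catch (SSLHandshakeException e) {
            // Under HARD_FAIL an unobtainable status surfaces here, wrapping a
            // CertPathValidatorException from the revocation checker.
            System.out.println("Rejected under " + policy + ": " + e.getMessage());
        }
    }
}
```

Run it twice against a host whose OCSP responder and CRL distribution point are blocked at the firewall: HARD_FAIL aborts the handshake, SOFT_FAIL completes it, which is exactly the policy choice the NIST text leaves to the deploying organisation. Note that hostname verification is configured separately through SSLParameters and is not affected by either revocation option.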