JDK-8179503 : Java should support GET OCSP calls
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 8,9
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • OS: generic
  • CPU: generic
  • Submitted: 2017-05-02
  • Updated: 2024-03-20
  • Resolved: 2020-12-31
JDK 17
  • 17 b04: Fixed
Description
A DESCRIPTION OF THE REQUEST :
The default implementation of OCSP in Java uses HTTP method POST. In the OCSP RFC 2560, there is provision for sending GET calls as well.

Excerpt from RFC:

   HTTP based OCSP requests can use either the GET or the POST method to
   submit their requests. To enable HTTP caching, small requests (that
   after encoding are less than 255 bytes), MAY be submitted using GET.
   If HTTP caching is not important, or the request is greater than 255
   bytes, the request SHOULD be submitted using POST.  Where privacy is
   a requirement, OCSP transactions exchanged using HTTP MAY be
   protected using either TLS/SSL or some other lower layer protocol.

   An OCSP request using the GET method is constructed as follows:

   GET {url}/{url-encoding of base-64 encoding of the DER encoding of
   the OCSPRequest}


JUSTIFICATION :
This enhancement will provide users with the ability to do OCSP GET, which can be cached by CDNs, resulting in lower response times.


CUSTOMER SUBMITTED WORKAROUND :
Current workaround includes disabling Java OCSP and implementing a custom OCSP client using a security provider like Bouncy Castle.
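The GET construction quoted in the RFC excerpt above, worked through as an added example (not code from the JDK or from this request): a minimal DER encoder builds an unsigned, single-certificate OCSPRequest with a SHA-1 CertID, forms the GET URL, and applies the size rule that decides between GET and POST. The responder URL, issuer name, issuer key bits and serial number are all constructed placeholders, and the 255-byte check measures the whole URL as RFC 5019 does.

```python
import base64
import hashlib
import urllib.parse

# AlgorithmIdentifier for SHA-1 (OID 1.3.14.3.2.26) with NULL parameters, pre-encoded DER.
SHA1_ALGID = bytes.fromhex("3009" "06052b0e03021a" "0500")

# Constructed sample inputs; these are not a real CA's name, key or serial.
ISSUER_NAME_DER = bytes.fromhex("300c310a300806035504030c0143")  # DER Name: CN=C
ISSUER_KEY_BITS = bytes(range(32))                              # subjectPublicKey bits
SERIAL = 0x1234567890ABCDEF

def der_len(n):
    """DER definite-form length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(n):
    # Non-negative INTEGER; a leading zero is added when the top bit would read as a sign bit.
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def build_ocsp_request(issuer_name_der, issuer_key_bits, serial):
    """OCSPRequest > TBSRequest > requestList > Request > CertID (RFC 6960 4.1.1), no signature, no extensions."""
    cert_id = der(0x30, SHA1_ALGID
                  + der(0x04, hashlib.sha1(issuer_name_der).digest())   # issuerNameHash over the DER Name
                  + der(0x04, hashlib.sha1(issuer_key_bits).digest())   # issuerKeyHash over the key bits
                  + der_int(serial))
    return der(0x30, der(0x30, der(0x30, der(0x30, cert_id))))

def ocsp_get_url(responder_url, request_der):
    """GET {url}/{url-encoding of base-64 encoding of the DER OCSPRequest}, as in the RFC text quoted above."""
    b64 = base64.b64encode(request_der).decode("ascii")
    return responder_url.rstrip("/") + "/" + urllib.parse.quote(b64, safe="")

def request_from_get_url(url):
    """Responder side: recover the DER OCSPRequest from the last path segment of a GET URL."""
    return base64.b64decode(urllib.parse.unquote(url.rsplit("/", 1)[1]))

def choose_method(responder_url, request_der):
    """GET for small requests, POST otherwise. RFC 5019 counts the complete URL
    (scheme, host and encoded request) against 255 bytes; that reading is used here."""
    return "GET" if len(ocsp_get_url(responder_url, request_der)) <= 255 else "POST"

if __name__ == "__main__":
    print(ocsp_get_url("http://ocsp.example.test", build_ocsp_request(ISSUER_NAME_DER, ISSUER_KEY_BITS, SERIAL)))
```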


Comments
Fix Request (11u-dev)
Justification: this one is mandatory for JDK-8274471 released to 11.0.18-oracle.
Original patch applied with the only change: src/java.base/share/classes/sun/security/provider/certpath/OCSP.java - resolved baseline conflict related to revocation checking.
Verification (amd64/20.04): newly added test/jdk/java/security/cert/CertPathValidator/OCSP/GetAndPostTests.java
Regression (amd64/20.04): jdk_security
Upd: jdk11u-fix-request tag is removed until JDK-8274471 gets reviewed
24-10-2023

[~apavlyutkin] Yes, and actually some good news on that front. It turns out that after some detailed investigation the OCSP GET issues were actually due to a poorly-behaving OCSP responder sending us truncated responses. At this point the team feels comfortable with the backport taking place. Thank you for being patient while we investigated this issue.
29-09-2023

[~jnimeh] any update?
29-09-2023

[~jnimeh] sure, thank you
08-06-2023

[~apavlyutkin] [~phh] Can we please hold off on integrating this to 8u and 11u? While the original feature went back into JDK 17 and things have been quiet for the last 2 years, there have been a couple of very recent issues raised with our OCSP GET requests and certain OCSP responders. A fix is in progress and we would like to complete this before the feature is backported to distributions that are in wider use than JDK 17 currently is.
08-06-2023

A pull request was submitted for review. URL: https://git.openjdk.org/jdk8u-dev/pull/330 Date: 2023-06-05 13:25:49 +0000
05-06-2023

A pull request was submitted for review. URL: https://git.openjdk.org/jdk11u-dev/pull/1917 Date: 2023-05-31 09:13:24 +0000
31-05-2023

Removing jdk11u-fix-no after reconsidering this and JDK-8274471, which both seem to have been backported by Oracle as well. Seems that there's also some functional justification for this.
17-05-2023

One additional justification that may be noteworthy is that HTTP GET methods for OCSP requests are a requirement for requests less than 256 bytes per RFC 5019. This RFC comes into play with OCSP in high volume environments, and is a more rigid set of requirements than the baseline rules outlined in RFC 6960. A server that rigidly enforces RFC 5019 request method requirements may reject OCSP requests for smaller sizes coming in as a POST. To be fair, I have not tested whether the larger public OCSP responders rigidly enforce this requirement or not.
06-04-2022

[11u] This is an enhancement. Together with JDK-8274471, it will change the behavior of the JVM wrt. the handling of certificates. The JVM will accept more connections. Even if this is the nature of bug fixes, it might be undesired or unexpected in the security context. Follow up problems might show up that will not appear in Oracle jdk11u. So far we tried to stay close in this matter. The current backport request does not argue well enough why this is needed in 11. No tests beyond jtreg tests were made. After all, there is jdk17u if these features are needed. For jdk11u, we think this change and JDK-8274471 are not appropriate. Labeling jdk11u-fix-no.
06-04-2022

Fix Request (11u-dev)
This one is a dependency for https://bugs.openjdk.java.net/browse/JDK-8274471 (Add support for RSASSA-PSS in OCSP Response).
The following changes were done to the original patch: src/java.base/share/classes/sun/security/provider/certpath/OCSP.java - resolved baseline conflict that took place due to absent revocation checking code.
Verification/regression (LTS 20.04/amd64): jdk_security
02-03-2022

A pull request was submitted for review. URL: https://git.openjdk.java.net/jdk11u-dev/pull/847 Date: 2022-03-02 11:47:30 +0000
02-03-2022

A pull request was submitted for review. URL: https://git.openjdk.java.net/jdk11u-dev/pull/788 Date: 2022-01-22 09:13:30 +0000
25-01-2022

Changeset: f5ee3565 Author: Jamil Nimeh <jnimeh@openjdk.org> Date: 2020-12-31 18:03:54 +0000 URL: https://git.openjdk.java.net/jdk/commit/f5ee3565
31-12-2020

Seems like a useful enhancement for performance reasons.
02-05-2017