JDK-8328638 : Fallback option for POST-only OCSP requests
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: javax.security
  • Affected Version: 17,21,22,23
  • Priority: P4
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2024-03-20
  • Updated: 2025-01-08
  • Resolved: 2024-03-27
Fix Versions
  • JDK 17: 17.0.12 (Fixed)
  • JDK 21: 21.0.4 (Fixed)
  • JDK 22: 22.0.2 (Fixed)
  • JDK 23: 23 b16 (Fixed)
Sub Tasks
  • JDK-8329111
Description
JDK-8179503 made the OCSP client unconditionally use GET requests for small requests. This is explicitly allowed by RFC 5019 and RFC 6960. However, we have seen OCSP responders that -- despite RFC requirements -- are not working well with GET requests.

There are other reports about this, strongly worded as implementation bugs (e.g. JDK-8287716, https://github.com/openjdk/jdk/commit/f5ee356540d7aa4a7663c0d5d74f5fdb0726b426#r74891389), but this is not an implementation bug per se. Rather, it is a surprising behavior that is problematic for real-world cases. As an example, some JDK 17 upgrades are currently blocked by this interaction of JDK 17 clients with misbehaving OCSP responders.

So, to simplify migration, and to match the spirit of Postel's Law, it would be convenient to conditionalize JDK-8179503 with a flag, allowing users to fall back to old behavior to get over the compatibility bump while responders are being fixed up.
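The following is an added illustration, not code from the JDK or from this change, of the protocol rule the issue turns on: RFC 6960 Appendix A.1 lets a client send an OCSP request as a GET whose path is the base64-encoded DER request, URL-escaped, and RFC 5019 section 5 says to do so when the request is small enough, falling back to POST otherwise. It also shows what a POST-only override of that rule looks like, and a probe that asks a responder the same question both ways so an operator can see whether their responder mishandles GET. Assumptions: the 255-byte limit is applied to the complete GET URL (this is one reading of RFC 5019 section 5; the JDK's exact threshold is not stated on this page), the responder URL and request bytes are constructed placeholders rather than real OCSPRequest structures, and `choose_transport`, `encode_for_get` and `probe_responder` are hypothetical names. The JDK implements this in Java; Python is used here only because the rule is protocol-level and easy to exercise offline.

```python
"""Added example: RFC 5019/6960 GET-vs-POST selection for OCSP requests,
with a POST-only override. Not JDK code; see the lead-in for assumptions."""
import base64
from urllib.parse import quote

# Assumption: RFC 5019 section 5's limit is applied to the complete GET URL
# (scheme, host, path and the encoded request). Longer requests use POST.
GET_URL_LIMIT = 255


def encode_for_get(der_request: bytes) -> str:
    """Base64-encode the DER OCSPRequest, then URL-escape it (RFC 6960 A.1)."""
    b64 = base64.b64encode(der_request).decode("ascii")
    # safe='' so that '+', '/' and '=' become %2B, %2F and %3D; a responder
    # that does not URL-unescape before base64-decoding will fail on these.
    return quote(b64, safe="")


def choose_transport(responder_url: str, der_request: bytes, use_get: bool = True):
    """Return (method, url, body) for sending der_request to responder_url.

    use_get=False models the fallback flag the issue asks for: always POST,
    regardless of request size, so a GET-intolerant responder is never hit
    with a GET. With use_get=True the RFC 5019 size rule decides.
    """
    if use_get:
        get_url = responder_url.rstrip("/") + "/" + encode_for_get(der_request)
        if len(get_url.encode("ascii")) <= GET_URL_LIMIT:
            return ("GET", get_url, None)
    # POST carries the raw DER as the body (Content-Type application/ocsp-request).
    return ("POST", responder_url, der_request)


def probe_responder(responder_url: str, der_request: bytes, timeout: float = 5.0):
    """Send the same request as GET (if it fits) and as POST; report
    {method: (http_status, content_type)}. Network call: only meaningful
    against a live responder with a real DER-encoded OCSPRequest."""
    import urllib.error
    import urllib.request

    results = {}
    for method, url, body in (choose_transport(responder_url, der_request, True),
                              choose_transport(responder_url, der_request, False)):
        req = urllib.request.Request(url, data=body, method=method)
        if body is not None:
            req.add_header("Content-Type", "application/ocsp-request")
        req.add_header("Accept", "application/ocsp-response")
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                results[method] = (resp.status, resp.headers.get("Content-Type"))
        except urllib.error.HTTPError as err:
            # A 4xx/5xx on GET but 200 on POST is the misbehaviour the issue describes.
            results[method] = (err.code, err.headers.get("Content-Type"))
    return results


# Constructed placeholders: not real OCSPRequest DER, only sized to hit each branch.
RESPONDER = "http://ocsp.example.invalid"   # placeholder responder URL
SMALL_REQUEST = bytes(60)                   # 60 bytes -> 80 base64 chars -> GET fits
LARGE_REQUEST = bytes(300)                  # 300 bytes -> 400 base64 chars -> POST

if __name__ == "__main__":
    for name, req in (("small", SMALL_REQUEST), ("large", LARGE_REQUEST)):
        for flag in (True, False):
            method, url, body = choose_transport(RESPONDER, req, use_get=flag)
            print(f"{name:5} use_get={str(flag):5} -> {method} {url[:48]}"
                  f"{'...' if len(url) > 48 else ''} body={None if body is None else len(body)}B")
```

Running the block prints the chosen method for each combination; with `use_get=False` both sizes go out as POST, which is the behaviour the proposed flag restores. `probe_responder` is the check an operator would run against a responder suspected of rejecting GET: if the GET entry reports an error status or a non-`application/ocsp-response` content type while POST succeeds, the responder, not the client, is deviating from RFC 5019.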
Comments
A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk/pull/18408 Date: 2024-03-20 19:48:52 +0000
08-01-2025

[jdk22u-fix-request] Approval Request from Aleksey Shipilëv Improves JDK OCSP compatibility with some real world OCSP responders. Starts to be a problem since JDK 17 introduced GET OCSP requests. Risk is medium-low, as default behavior is not changed, and the code is simple. Passes full jdk_security tests.
02-04-2024

A pull request was submitted for review. URL: https://git.openjdk.org/jdk22u/pull/121 Date: 2024-04-02 20:33:02 +0000
02-04-2024

[jdk17u-fix-request] Approval Request from Aleksey Shipilëv Improves JDK OCSP compatibility with some real world OCSP responders. Starts to be a problem since JDK 17 introduced GET OCSP requests. Risk is medium-low, as default behavior is not changed, and the code is simple. Passes full jdk_security tests, eyeballed logs show the expected behavior.
02-04-2024

[jdk21u-fix-request] Approval Request from Aleksey Shipilëv Improves JDK OCSP compatibility with some real world OCSP responders. Starts to be a problem since JDK 17 introduced GET OCSP requests. Risk is medium-low, as default behavior is not changed, and the code is simple. Passes full jdk_security tests, eyeballed logs show the expected behavior.
02-04-2024

A pull request was submitted for review. URL: https://git.openjdk.org/jdk21u-dev/pull/413 Date: 2024-03-27 15:28:36 +0000
02-04-2024

A pull request was submitted for review. URL: https://git.openjdk.org/jdk17u-dev/pull/2338 Date: 2024-03-27 15:45:47 +0000
02-04-2024

Changeset: 614db2ea Author: Aleksey Shipilev <shade@openjdk.org> Date: 2024-03-27 14:44:50 +0000 URL: https://git.openjdk.org/jdk/commit/614db2ea9e10346475eef34629eab54878aa482d
27-03-2024