JDK-8329111 : Release Note: Fallback Option for POST-only OCSP Requests
  • Type: Sub-task
  • Component: security-libs
  • Sub-Component: javax.security
  • Affected Version:
    8u451-perf,17.0.15-oracle,21.0.7-oracle,22.0.2,23
  • Priority: P4
  • Status: Resolved
  • Resolution: Delivered
  • Submitted: 2024-03-26
  • Updated: 2025-03-07
  • Resolved: 2024-03-29
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved: Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed: Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

  • JDK 17: 17.0.15-oracle (Resolved)
  • JDK 21: 21.0.7-oracle (Resolved)
  • JDK 22: 22.0.2 (Resolved)
  • JDK 23: 23 (Resolved)
  • JDK 8: 8u451-perf (Resolved)
Description
JDK 17 introduced a performance improvement that made OCSP clients unconditionally use GET requests for small requests and POST requests for everything else. This is explicitly allowed and recommended by RFC 5019 and RFC 6960. However, we have seen OCSP responders that, despite RFC requirements, are not working well with GET requests.

This release introduces a new JDK system property that allows clients to fall back to POST-only behavior. This unblocks interactions with those OCSP responders through the use of `-Dcom.sun.security.ocsp.useget={false,true}`. This amends the original change that introduced GET OCSP requests (JDK-8179503). The default behavior is not changed; the option defaults to `true`. Set the option to `false` to disable GET OCSP requests. Any value other than `false` (case-insensitive) defaults to `true`.

This option is non-standard, and might go away once problematic OCSP responders get upgraded.
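
The sketch below is an added example, not the JDK's own code. It models the GET-versus-POST choice described above using the property semantics from this note, the GET URL form from RFC 6960 appendix A.1, and the 255-byte GET limit from RFC 5019 section 5. The class and method names, the responder URL, and the request bytes are all hypothetical or constructed.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class OcspMethodChoice {
    // RFC 5019, section 5: GET applies when the complete URL is at most 255 bytes.
    static final int MAX_GET_URL_BYTES = 255;

    // Per the release note: only "false" (any case) disables GET; all else means true.
    static boolean useGet(String propertyValue) {
        return propertyValue == null || !propertyValue.equalsIgnoreCase("false");
    }

    // RFC 6960, appendix A.1: {url}/{url-encoding of base64 of the DER OCSPRequest}
    static String getUrl(URI responder, byte[] derRequest) {
        String base = responder.toString();
        if (!base.endsWith("/")) {
            base += "/";
        }
        String b64 = Base64.getEncoder().encodeToString(derRequest);
        return base + URLEncoder.encode(b64, StandardCharsets.UTF_8);
    }

    static String chooseMethod(URI responder, byte[] derRequest, String propertyValue) {
        if (!useGet(propertyValue)) {
            return "POST"; // POST-only fallback for responders that mishandle GET
        }
        int urlBytes = getUrl(responder, derRequest).getBytes(StandardCharsets.US_ASCII).length;
        return urlBytes <= MAX_GET_URL_BYTES ? "GET" : "POST";
    }

    public static void main(String[] args) {
        URI responder = URI.create("http://ocsp.example.test/status"); // constructed
        byte[] small = new byte[80];  // constructed stand-in for a one-certificate request
        byte[] large = new byte[400]; // constructed stand-in for a request with extensions
        // null = property not set; "no" and "0" are NOT treated as false
        String[] values = {null, "true", "FALSE", "no", "0"};
        for (String v : values) {
            System.out.printf("useget=%-5s small=%-4s large=%s%n",
                    v, chooseMethod(responder, small, v), chooseMethod(responder, large, v));
        }
    }
}
```

The `no` and `0` rows show why a deployment that needs POST-only behavior must pass the literal value `false`. The example uses `URLEncoder.encode(String, Charset)`, which requires Java 10 or later.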
Comments
Release notes must end in either a Resolved -> Delivered or Withdrawn state.
29-03-2024

Sean, I touched up the wording a bit to make clearer this is a boolean option and its default value is "true".
27-03-2024

RN looks good. Please move state to Resolved/Delivered.
27-03-2024