8328638: Fallback option for POST-only OCSP requests

[shipilev]

Improves JDK OCSP compatibility with some real world OCSP responders. Starts to be a problem since JDK 17 introduced GET OCSP requests. The default behavior is not changed.

The backports are almost clean, I just had to add the import for Locale and Debug in one of the files. Locale is added in mainline by JDK-8312443, which I do not want to backport at the moment, as it changes existing security code. Debug is added by JDK-8179502, which is also not amenable for easy backporting.

Additional testing:

• jdk_security pass, includes new test cases

---

Progress

• Change must be properly reviewed (1 review required, with at least 1 Reviewer)
• Change must not contain extraneous whitespace
• Commit message must refer to an issue
• Change requires CSR request JDK-8328810 to be approved
• JDK-8328638 needs maintainer approval
• JDK-8329213 needs maintainer approval

Issues

• JDK-8328638: Fallback option for POST-only OCSP requests (Enhancement - P4 - Approved)
• JDK-8329213: Better validation for com.sun.security.ocsp.useget option (Enhancement - P4 - Approved)
• JDK-8328810: Fallback option for POST-only OCSP requests (CSR)

Reviewers

• Sergey Bylokhov (@mrserb - Reviewer)

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk17u-dev.git pull/2338/head:pull/2338
$ git checkout pull/2338

Update a local copy of the PR:
$ git checkout pull/2338
$ git pull https://git.openjdk.org/jdk17u-dev.git pull/2338/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 2338

View PR using the GUI difftool:
$ git pr show -t 2338

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk17u-dev/pull/2338.diff

Webrev

Link to Webrev Comment

[bridgekeeper]

👋 Welcome back shade! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

[openjdk]

@shipilev This change now passes all automated pre-integration checks.

ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details.

After integration, the commit message for the final commit will be:

8328638: Fallback option for POST-only OCSP requests
8329213: Better validation for com.sun.security.ocsp.useget option

Reviewed-by: serb

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 23 new commits pushed to the master branch:

• 31ba7e0: 8316462: sun/jvmstat/monitor/MonitoredVm/MonitorVmStartTerminate.java ignores VM flags
• b96339f: 8308021: Update IANA Language Subtag Registry to Version 2023-05-11
• 261e45a: 8306031: Update IANA Language Subtag Registry to Version 2023-04-13
• 3764735: 8295026: Remove unused fields in StyleSheet
• e789a67: 8325876: crashes in docker container tests on Linuxppc64le Power8 machines
• 1b72e51: 8325862: set -XX:+ErrorFileToStderr when executing java in containers for some container related jtreg tests
• fbcb399: 8326140: src/jdk.accessibility/windows/native/libjavaaccessbridge/AccessBridgeJavaEntryPoints.cpp ReleaseStringChars might be missing in early returns
• 9a0e875: 8307411: Test java/foreign/channels/TestAsyncSocketChannels.java failed: IllegalStateException: Already closed
• e913fa7: 8303457: Introduce convenience test library APIs for creating test servers for tests in test/jdk/java/net/httpclient
• 7a47adf: 8290126: Add a check in JavadocTester for "javadoc should not crash"
• ... and 13 more: https://git.openjdk.org/jdk17u-dev/compare/4ececadadd3d75d5468c77ff1fab0723b19ad497...master

As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

➡️ To integrate this PR with the above commit message to the master branch, type /integrate in a new comment.

[openjdk]

This backport pull request has now been updated with issue from the original commit.

[shipilev]

/issue add JDK-8329213

[openjdk]

@shipilev
Adding additional issue to issue list: 8329213: Better validation for com.sun.security.ocsp.useget option.

[mlbridge]

Webrevs

• 00: Full (c5570477)

[openjdk]

⚠️ @shipilev This change is now ready for you to apply for maintainer approval. This can be done directly in each associated issue or by using the /approval command.

[shipilev]

/approval 8328638 request Improves JDK OCSP compatibility with some real world OCSP responders. Starts to be a problem since JDK 17 introduced GET OCSP requests. Risk is medium-low, as default behavior is not changed, and the code is simple. Passes full jdk_security tests, eyeballed logs show the expected behavior.

/approval 8329213 request Option checking followup for JDK-8328638. Risk is low, simple refactoring. Passes full jdk_security tests, eyeballed logs show the expected behavior.

[openjdk]

@shipilev
8328638: The approval request has been created successfully.

[openjdk]

@shipilev
8329213: The approval request has been created successfully.

[shipilev]

@jerboaa, @RealCLanger -- what do you think about this one? Would be nice to unblock JDK 17 for folks.

[RealCLanger]

Makes sense.

/approve

[openjdk]

@RealCLanger usage: /approve [<id>] (yes|no)

[RealCLanger]

/approve yes

[openjdk]

@RealCLanger
8328638: The approval request has been approved.
8329213: The approval request has been approved.

[shipilev]

/integrate

[openjdk]

Going to push as commit 533fac6.
Since your change was applied there have been 23 commits pushed to the master branch:

• 31ba7e0: 8316462: sun/jvmstat/monitor/MonitoredVm/MonitorVmStartTerminate.java ignores VM flags
• b96339f: 8308021: Update IANA Language Subtag Registry to Version 2023-05-11
• 261e45a: 8306031: Update IANA Language Subtag Registry to Version 2023-04-13
• 3764735: 8295026: Remove unused fields in StyleSheet
• e789a67: 8325876: crashes in docker container tests on Linuxppc64le Power8 machines
• 1b72e51: 8325862: set -XX:+ErrorFileToStderr when executing java in containers for some container related jtreg tests
• fbcb399: 8326140: src/jdk.accessibility/windows/native/libjavaaccessbridge/AccessBridgeJavaEntryPoints.cpp ReleaseStringChars might be missing in early returns
• 9a0e875: 8307411: Test java/foreign/channels/TestAsyncSocketChannels.java failed: IllegalStateException: Already closed
• e913fa7: 8303457: Introduce convenience test library APIs for creating test servers for tests in test/jdk/java/net/httpclient
• 7a47adf: 8290126: Add a check in JavadocTester for "javadoc should not crash"
• ... and 13 more: https://git.openjdk.org/jdk17u-dev/compare/4ececadadd3d75d5468c77ff1fab0723b19ad497...master

Your commit was automatically rebased without conflicts.

[openjdk]

@shipilev Pushed as commit 533fac6.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.