Hello, this is a general comment, not necessarily applicable to the OCSP stapling options directly:
On Tue, 23 Jun 2015 15:39:30 +0800, Xuelei Fan <xuelei....@oracle.com> wrote:

> Caches, for example session/trust manager/key manager, are used a lot
> in SSL/TLS handshaking. Dynamic system property may make the
> behavior a little bit complicated. In general, if not necessary, I
> would prefer to use static system property as what we did before for
> similar properties. Developers only need to understand one mode, as
> would simplify the learning curve, I think.

But it's a huge problem when you have to interface with multiple partners. This is especially so for turning features on and off. One server does not allow the use of SNI, the other requires it. One would use a weak DHE key when DHE is enabled, the other would not use forward secrecy without it. Some implementations fail with OCSP extensions, others do not (etc.).

So a general interface for setting those parameters on the context/session/factory instead of (only) system properties would be great.

Regards,
Bernd
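The multi-partner case raised in the message above, as an added example that is not part of the original mail or of the JDK sources: two of the mentioned knobs (SNI and DHE cipher suites) set per connection through the standard `SSLParameters` API rather than through JVM-wide system properties. The class name, the helper `paramsFor` and the host name `partner-b.example` are constructed for illustration.

```java
import javax.net.ssl.*;
import java.util.*;

public class PerPartnerTls {
    // Hypothetical helper: per-connection settings, no JVM-wide property involved.
    static SSLParameters paramsFor(SSLContext ctx, String sniHost, boolean allowDhe) {
        SSLParameters p = ctx.getDefaultSSLParameters();
        // An empty server-name list disables SNI for this connection only.
        p.setServerNames(sniHost == null
                ? Collections.<SNIServerName>emptyList()
                : Collections.<SNIServerName>singletonList(new SNIHostName(sniHost)));
        if (!allowDhe) {
            // Drop finite-field DHE suites for a partner that would pick a weak key;
            // ECDHE suites stay enabled, so forward secrecy is still available.
            List<String> kept = new ArrayList<>();
            for (String s : p.getCipherSuites()) {
                if (!s.startsWith("TLS_DHE_") && !s.startsWith("SSL_DHE_")) {
                    kept.add(s);
                }
            }
            p.setCipherSuites(kept.toArray(new String[0]));
        }
        return p;
    }

    static long dheCount(SSLParameters p) {
        return Arrays.stream(p.getCipherSuites())
                .filter(s -> s.startsWith("TLS_DHE_") || s.startsWith("SSL_DHE_"))
                .count();
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();

        // Partner A (constructed): rejects SNI, DHE left as the provider defaults.
        SSLEngine a = ctx.createSSLEngine();
        a.setSSLParameters(paramsFor(ctx, null, true));

        // Partner B (constructed): requires SNI, DHE suites removed.
        SSLEngine b = ctx.createSSLEngine();
        b.setSSLParameters(paramsFor(ctx, "partner-b.example", false));

        // Both engines live in the same JVM with different settings.
        System.out.println("A: sni=" + a.getSSLParameters().getServerNames()
                + " dheSuites=" + dheCount(a.getSSLParameters()));
        System.out.println("B: sni=" + b.getSSLParameters().getServerNames()
                + " dheSuites=" + dheCount(b.getSSLParameters()));
    }
}
```

The same `SSLParameters` object can be applied to an `SSLSocket` with `setSSLParameters`; settings that exist only as system properties cannot be varied this way, which is the gap the message describes.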