On 6/23/2015 4:17 PM, Bernd Eckenfels wrote:
> Hello,
>
> this is a general comment, not necessarily applicable for the OCSP
> stapling options directly:
>
> On Tue, 23 Jun 2015 15:39:30 +0800,
> Xuelei Fan <[email protected]> wrote:
>
>> Caches, for example session/trust manager/key manager, are used a lot
>> in SSL/TLS handshaking. Dynamic system property may make the
>> behavior a little bit complicated. In general, if not necessary, I
>> would prefer to use static system property as what we did before for
>> similar properties. Developers only need to understand one mode, as
>> would simplify the learning curve, I think.
>
> But it's a huge problem when you have to interface with multiple
> partners. This especially is for turning features on and off. One
> server does not allow to use SNI, the other requires it. One would use
> a weak DHE key when DHE is enabled, the other would not use forward
> secrecy without. Some implementations fail with OCSP extensions, the
> others not (etc).
>
> So a general interface for setting those parameters on the
> context/session/factory instead of (only) system properties would be
> great.
>

Yes. System properties should not be the preferable approach. API level methods are needed. May address in a separate bug in the near future.

Thanks, Xuelei
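
The per-partner case raised in the quoted message, as an added example that is not code from this thread or from the JDK project: for SNI and cipher suites, JSSE already lets a client set the behaviour on each `SSLEngine` through `SSLParameters`, instead of through a JVM-wide property such as `jsse.enableSNIExtension`. The class name, the `engineFor` helper and the host names are hypothetical, and the engines are only configured, never connected.

```java
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

public class PerPartnerTls {
    // Hypothetical helper: a client-mode engine whose SNI and DHE settings
    // apply to this one partner only, leaving JVM-wide defaults untouched.
    static SSLEngine engineFor(SSLContext ctx, String host, int port,
                               boolean sendSni, boolean allowDhe) {
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);
        SSLParameters p = engine.getSSLParameters();

        // An empty list suppresses the server_name extension for this engine.
        List<SNIServerName> names = sendSni
                ? Collections.<SNIServerName>singletonList(new SNIHostName(host))
                : Collections.<SNIServerName>emptyList();
        p.setServerNames(names);

        if (!allowDhe) {
            // Drop finite-field DHE suites; ECDHE suites keep forward secrecy.
            List<String> kept = new ArrayList<>();
            for (String suite : p.getCipherSuites()) {
                if (!suite.startsWith("TLS_DHE_") && !suite.startsWith("SSL_DHE_")) {
                    kept.add(suite);
                }
            }
            p.setCipherSuites(kept.toArray(new String[0]));
        }
        engine.setSSLParameters(p);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        // Constructed partners: A rejects SNI, B requires SNI and must not use DHE.
        SSLEngine a = engineFor(ctx, "partner-a.example", 443, false, true);
        SSLEngine b = engineFor(ctx, "partner-b.example", 443, true, false);
        System.out.println("A server names: " + a.getSSLParameters().getServerNames());
        System.out.println("B server names: " + b.getSSLParameters().getServerNames());
        System.out.println("B suites: " + String.join(",", b.getSSLParameters().getCipherSuites()));
    }
}
```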
