On 06/24/2015 09:32 PM, Xuelei Fan wrote:
src/java.base/share/classes/sun/security/ssl/X509TrustManagerImpl.java
======================================================================

It would be better for a key/trust manager to be immutable.

private final ThreadLocal<Validator> clientValidator ...
private final ThreadLocal<Validator> serverValidator ...

ThreadLocal does not work here in some circumstances.  In AIO
programming, multiple connections may share the same thread.  Better to
keep key/trust manager and validator immutable.

I think using the status as a validate() method parameter, rather than
updating the validator status, should work.

Sorry for taking a bit to respond. I had to look a little deeper into Validator and PKIXValidator, but I understand now where you're going with this. It does seem like a good way to keep things sane both in the multi-threaded and single-thread AIO schemes. I'll get this coded up and issue a new webrev with all the comments up to now.

Xuelei


On 6/19/2015 8:27 AM, Jamil Nimeh wrote:
Hello all,

I have a first cut at the OCSP stapling webrev posted for your review:

JEP: https://bugs.openjdk.java.net/browse/JDK-8046321
Webrev: http://cr.openjdk.java.net/~jnimeh/reviews/8046321/webrev.0/

A couple items to note:

   * I'm in the process of updating the JEP with some more details.  I
     should be done with these changes by tonight (PDT).
   * Missing are some of the TLS end-to-end tests.  These tests have been
     coded and run outside the jtreg framework, but for some reason
     things hang in jtreg.  I've included some of the supporting classes
     that these tests will use (CertificateBuilder.java and
     SimpleOCSPResponder.java) so folks could review those if they're
     interested.  I will update the webrev and notify the list as soon as
     I've got the tests working in jtreg.

Thanks to everyone who has helped along the way.

--Jamil
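
The ThreadLocal concern discussed in this thread, as an added example that is not part of the original e-mails or the webrev: it shows per-handshake state held in a ThreadLocal being overwritten when two connections share one thread, next to the same state passed as a validate() parameter. `Status`, `ThreadLocalManager` and `ImmutableManager` are hypothetical stand-ins, not the JDK's X509TrustManagerImpl or Validator.

```java
import java.util.List;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;

public class ValidatorStateDemo {
    // Hypothetical per-handshake data (for example stapled OCSP responses). Needs Java 16+.
    record Status(String connection, List<String> stapledResponses) {}

    // Variant 1: a shared manager that keeps per-handshake state in a ThreadLocal.
    static final class ThreadLocalManager {
        private final ThreadLocal<Status> current = new ThreadLocal<>();
        void setStatus(Status s) { current.set(s); }
        String validate(String connection) {
            return connection + " validated with status of " + current.get().connection();
        }
    }

    // Variant 2: an immutable manager; the state arrives as a validate() parameter.
    static final class ImmutableManager {
        String validate(String connection, Status s) {
            return connection + " validated with status of " + s.connection();
        }
    }

    public static void main(String[] args) throws Exception {
        // One thread serves both connections, as an AIO event loop may do.
        ExecutorService loop = Executors.newSingleThreadExecutor();
        ThreadLocalManager shared = new ThreadLocalManager();
        ImmutableManager immutable = new ImmutableManager();
        Status a = new Status("conn-A", List.of("constructed-response-A"));
        Status b = new Status("conn-B", List.of("constructed-response-B"));

        // Interleaved handshake steps: A stores state, B stores state, A validates.
        loop.submit(() -> shared.setStatus(a));
        loop.submit(() -> shared.setStatus(b));
        String viaThreadLocal = loop.submit(() -> shared.validate("conn-A")).get();
        String viaParameter = loop.submit(() -> immutable.validate("conn-A", a)).get();

        System.out.println("ThreadLocal: " + viaThreadLocal);
        System.out.println("Parameter:   " + viaParameter);
        loop.shutdown();
        loop.awaitTermination(1, TimeUnit.SECONDS);
    }
}
```

In the ThreadLocal variant conn-A is checked against conn-B's status, because both handshakes ran on the same thread; the parameter variant cannot mix them up.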
