On Thu, 31 Dec 2020 04:58:50 GMT, Xue-Lei Andrew Fan <xue...@openjdk.org> wrote:

>> Jamil Nimeh has updated the pull request with a new target base due to a 
>> merge or a rebase. The incremental webrev excludes the unrelated changes 
>> brought in by the merge/rebase. The pull request contains four additional 
>> commits since the last revision:
>> 
>>  - Merge
>>  - Change IO to use readExactlyNBytes method
>>  - Merge
>>  - 8179503: Java should support GET OCSP calls
>
> src/java.base/share/classes/sun/security/provider/certpath/OCSP.java line 240:
> 
>> 238:                         encodeToString(bytes), "UTF-8");
>> 239: 
>> 240:         if (encodedGetReq.length() <= 255) {
> 
> If the request is less than 256, the GET method will be used.  RFC 6960 declares 
> this as a "MAY" feature ("To enable HTTP caching, small requests ... MAY be 
> submitted using GET").  Although RFC 5019 declares it as a "MUST" feature 
> ("When sending requests that are less than or equal to 255 bytes ... clients 
> MUST use the GET method"), RFC 5019 was released before RFC 6960.  I'm not 
> very sure if there are interop issues where a server may not accept the "GET" 
> method for some reason.  I don't worry about it too much, but just to make sure 
> you have considered the cases.

I've tried the GET code with various public OCSP responders as well as a few 
things like OpenSSL's ocsp command (1.1.1d) and Dogtag 10.  There is the 
potential for some compatibility issues, but I think it's pretty small.  For 
instance, the ocsp command in OpenSSL 1.0.2 and earlier, running in daemon mode, 
does not accept GET requests at all.  But with 1.1.0 and onward, GET is fully 
supported.  I don't think that specifically would be an issue in any large 
scale deployment; I doubt those large-scale implementations use something like 
openssl ocsp.  There are some clients like the OCSP stapling subsystem in Nginx 
that will use GETs for small requests also, so I would hope that server-side 
support would be pretty widespread by now (HTTP GET was even in RFC 2560).

-------------

PR: https://git.openjdk.java.net/jdk/pull/1760
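The GET encoding and the 255-byte threshold discussed above, worked through as an added example in Python. This is not the JDK's OCSP.java or any code from the pull request; it implements the RFC 6960 Appendix A.1 path encoding (base64, then percent-encoding), measures the threshold on the percent-encoded string as the snippet at line 240 does, and adds the POST fallback a client needs for responders that reject GET (the thread's example being the pre-1.1.0 openssl ocsp daemon). The responder URL, the `transport` callable, the placeholder request bytes and the "retry with POST on any non-2xx status" rule are all this example's own assumptions.

```python
import base64
import urllib.parse
from typing import Callable, Dict, Optional, Tuple

# RFC 5019 section 5: requests of 255 bytes or less (after encoding) MUST use GET;
# RFC 6960 Appendix A.1 relaxes this to MAY. Both measure the encoded length.
GET_MAX_ENCODED_LEN = 255
OCSP_CONTENT_TYPE = "application/ocsp-request"

# transport(method, url, body, headers) -> (http_status, response_bytes)
Transport = Callable[[str, str, Optional[bytes], Dict[str, str]], Tuple[int, bytes]]


def encode_get_path(der_request: bytes) -> str:
    """RFC 6960 Appendix A.1: URL-encoding of the base64 encoding of the DER OCSPRequest.

    base64 may emit '+', '/' and '=', which expand to three characters each once
    percent-encoded, so the length check below is made on the encoded path rather
    than on the raw DER or base64 length.
    """
    b64 = base64.b64encode(der_request).decode("ascii")
    return urllib.parse.quote(b64, safe="")


def choose_method(der_request: bytes) -> str:
    """'GET' for small (cacheable) requests, 'POST' otherwise."""
    if len(encode_get_path(der_request)) <= GET_MAX_ENCODED_LEN:
        return "GET"
    return "POST"


def build_request(responder_url: str, der_request: bytes):
    """Return (method, url, body, headers) for the chosen HTTP method."""
    if choose_method(der_request) == "GET":
        url = responder_url.rstrip("/") + "/" + encode_get_path(der_request)
        return ("GET", url, None, {})
    return ("POST", responder_url, der_request, {"Content-Type": OCSP_CONTENT_TYPE})


def fetch_ocsp(responder_url: str, der_request: bytes, transport: Transport):
    """Send the request, preferring GET; retry with POST if the responder rejects the GET.

    Falling back on any non-2xx status is this example's own policy (assumption):
    a responder that does not implement GET may answer 405, 400 or something else.
    Returns (method_that_succeeded_or_was_last_tried, status, payload).
    """
    method, url, body, headers = build_request(responder_url, der_request)
    status, payload = transport(method, url, body, headers)
    if method == "GET" and not 200 <= status < 300:
        method, url, body, headers = (
            "POST", responder_url, der_request, {"Content-Type": OCSP_CONTENT_TYPE})
        status, payload = transport(method, url, body, headers)
    return method, status, payload


if __name__ == "__main__":
    # Constructed placeholder bytes, not a real DER OCSPRequest (assumption).
    small_req = b"\x30" * 60
    large_req = b"\x30" * 300

    def get_rejecting_transport(method, url, body, headers):
        # Stand-in for a responder that only implements POST (constructed).
        return (405, b"") if method == "GET" else (200, b"fake-ocsp-response")

    print(choose_method(small_req), choose_method(large_req))
    print(fetch_ocsp("http://ocsp.example/", small_req, get_rejecting_transport))
```

Usage: wire `transport` to a real HTTP client (urllib, requests) in production; the fake one above only exists to exercise the fallback path offline. Note that a 403 or 404 from a misconfigured proxy would also trigger the POST retry under this policy, which is the safe direction for a client but doubles traffic to such responders.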
