On Fri, 23 Jul 2021 13:18:16 GMT, Sean Mullan <mul...@openjdk.org> wrote:
> Have you thought about using a cached OCSPResponse to avoid the expiration
> issues? You would not be testing a live OCSP network request/response, but it
> might be an acceptable workaround for cases like this.

For OCSP, it is possible to do a backdated query and we do this when needed. The problem is some OCSP servers return an UNAUTHORIZED error code after certificate expiry. We also need to update these certificates after expiry for CRL check.

-------------

PR: https://git.openjdk.java.net/jdk/pull/4877