Recent changes to the Java platform

OCSP stapling for TLS is implemented via the TLS certificate status request extension. OCSP stapling checks the validity (that is, the revocation status) of X.509 certificates.

X.509 certificates are digital certificates that use the X509 Public Key Infrastructure (PKI).

Prior to Java 9, the certificate validity check (really, the check to see whether the certificate has been revoked) could be enabled on the client side and had the following inefficiencies:

  • OCSP responder performance bottlenecks
  • Performance degradation based on multiple passes
  • Additional performance degradation if OCSP checking is performed on the client side
  • False failures when browsers cannot connect to an OCSP responder
  • Susceptibility to denial of service attacks on OCSP responders

The new OCSP stapling for TLS includes the following system property changes for Java 9, 10, and 11:

  • jdk.tls.client.enableStatusRequestExtension:
    • Default setting: true
    • Enables the status_request extension
    • Enables the status_request_v2 extension
    • Enables processing CertificateStatus messages from the server
  • jdk.tls.server.enableStatusRequestExtension:
    • Default setting: false
    • Enables OCSP stapling support server-side
  • jdk.tls.stapling.responseTimeout:
    • Default setting: 5,000 milliseconds
    • Controls maximum time allocated by the server to obtain OCSP responses
  • jdk.tls.stapling.cacheSize:
    • Default setting: 256
    • Controls maximum number of cache entries
    • Setting the value to zero removes the ceiling
  • jdk.tls.stapling.cacheLifetime:
    • Default setting: 3,600 seconds (1 hour)
    • Controls the maximum lifetime of a cached response
    • Can set the value to zero in order to disable the cache's lifetime
  • jdk.tls.stapling.responderURI:
    • Default setting: none
    • Can set a default URI for certificates without the Authority Info Access (AIA) extension
    • Does not override the AIA extension unless the jdk.tls.stapling.responderOverride property is set
  • jdk.tls.stapling.responderOverride:
    • Default setting: false
    • Allows the URI given in the jdk.tls.stapling.responderURI property to override AIA extension values
  • jdk.tls.stapling.ignoreExtensions:
    • Default setting: false
    • When true, disables forwarding of the OCSP extensions carried in the status_request or status_request_v2 TLS extensions

The status_request and status_request_v2 TLS hello extensions are now supported by both client and server-side Java implementations.
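An added example (not code from the book) that puts these properties to use: the server process switches stapling on before JSSE initialises, and a client builds an SSLContext whose PKIX trust manager actually enforces revocation, because status_request on its own only asks the server for a stapled response. The trust-store path and the "changeit" password are assumptions based on the JDK's bundled cacerts file.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.PKIXRevocationChecker.Option;
import java.security.cert.X509CertSelector;
import java.util.EnumSet;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public final class OcspStaplingConfig {

    /** Server side: have JSSE fetch and staple OCSP responses (off by default). */
    static void enableServerStapling() {
        // These are read once when SunJSSE initialises, so set them before creating any SSLContext.
        System.setProperty("jdk.tls.server.enableStatusRequestExtension", "true");
        System.setProperty("jdk.tls.stapling.responseTimeout", "5000"); // milliseconds (the documented default)
        System.setProperty("jdk.tls.stapling.cacheSize", "256");        // 0 would remove the ceiling
        System.setProperty("jdk.tls.stapling.cacheLifetime", "3600");   // seconds
    }

    /** Client side: a stapled response is only enforced when PKIX revocation checking is enabled. */
    static SSLContext clientContextWithRevocationCheck(KeyStore trustStore) throws Exception {
        PKIXBuilderParameters pkix = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        pkix.setRevocationEnabled(true);
        PKIXRevocationChecker checker =
                (PKIXRevocationChecker) CertPathBuilder.getInstance("PKIX").getRevocationChecker();
        // A stapled response received in the handshake is handed to this checker, so no
        // client-side OCSP round trip is needed. OCSP is preferred by default; NO_FALLBACK
        // stops a silent CRL download when OCSP cannot complete, and leaving SOFT_FAIL out
        // makes an unavailable responder a hard failure instead of a quietly skipped check.
        checker.setOptions(EnumSet.of(Option.NO_FALLBACK));
        pkix.addCertPathChecker(checker);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(pkix));
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        enableServerStapling();
        // Assumption: the JDK's bundled trust store and its well-known default password.
        Path cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(cacerts)) { ts.load(in, "changeit".toCharArray()); }
        System.out.println("Client context: " + clientContextWithRevocationCheck(ts).getProtocol());
    }
}
```

With jdk.tls.client.enableStatusRequestExtension left at its default of true, the client built here sends status_request and status_request_v2 automatically; the PKIX parameters are what turn the stapled answer into an enforced check.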
