Reputation: 115
Java 9 and TLS OCSP stapling
I have installed Java 9 because I want to use the OCSP (Online Certificate Status Protocol) feature with the TLS handshake, aka OCSP stapling. As https://docs.oracle.com/javase/9/security/java-pki-programmers-guide.htm#JSSEC-unique_4307382 states, Java 9 is the first edition to make use of OCSP stapling.
To test it, you can set or read certain new properties, such as "jdk.tls.server.enableStatusRequestExtension".
However, I get "null" instead of "false" (or "true") when querying this property with
System.getProperty("jdk.tls.server.enableStatusRequestExtension")
Just tried it out with the new jShell:
[jshell> System.getProperty("jdk.tls.server.enableStatusRequestExtension")
$2 ==> null
This is not supposed to happen with Java 9. Any ideas why? It is a so-called Early Access build which I downloaded two days ago. The official release of Java 9 is September 21st 2017 (yesterday). Unfortunately, there is no released version out yet for Mac OSX. Could it really be that this feature is not yet implemented in the Early Access Build (which is supposed to be close to the final release)?
Hope anyone can help here.
Upvotes: 0
Views: 2492
Answers (1)
Reputation: 17373
jshell returns null for your call to System.getProperty("jdk.tls.server.enableStatusRequestExtension") because that property does not exist. I get the same result under Java 9.
You seem to expect that property to automatically exist under Java 9 but that is not the case; you still need to explicitly create it, and assign it a value of "true". From JEP 249, that implemented this feature in Java 9:
The implementation will choose reasonable defaults for OCSP specific parameters, and will provide configuration of these defaults via the following system properties...
That doesn't mean that all of the OCSP properties automatically exist in Java 9 with default settings; it means that in the absence of those OCSP System properties the code will "choose reasonable defaults". For example, if the server cannot read the property jdk.tls.server.enableStatusRequestExtension the implementation will (reasonably) behave as though the property had been set with a value of "false".
See also this code example for OCSP from an Oracle presentation on security:
// Enable OCSP Stapling (off by default) System.setProperty(“jdk.tls.server.enableStatusRequestExtension”, “true”); // Yes, that’s really it!
So I suggest that you just explicitly set your client and server properties for OCSP as necessary, and don't worry about them not already existing under Java 9.
TLDR version: Java 9 supports OCSP stapling for TLS, but assumes that it is not enabled in the absence of any explicit configuration from the user.
Upvotes: 1
Related Questions
- OCSP check in Java secure sockets
- How to enable OCSP stapling on java TLS server?
- Java 1.8.0_271 non-compliant to TLS RFC: during handshake, server closes TCP connection without close_notify or alert
- Handshake Failure with TLS 1.3 under JDK 11
- TLS 1.3 handshake failure when using OpenJDK 14 java module runtime
- SSL Handshake failure with Java version "1.7.0_79"
- Java 8 SSL Handshake failure
- The SSL / TLS handshake between a "Java 1.7 TLS 1.2 server" and a "Java 1.6 client"
- Java OCSP Client using openSSL
- Why do I get a handshake failure between TLS 1.0 client and SSL 3.0 server?