How to enable OCSP in X509TrustManager?

System.setProperty("com.sun.net.ssl.checkRevocation", "true");
Security.setProperty("ocsp.enable", "true");

Is setting these properties really enough to enable OCSP?

If so, why do we need Bouncy Castle OCSP support instead of just setting these properties?

If the certificate contains the Authority Information Access extension (OCSPSigning), then you do not need to do anything more than set the properties you mentioned.

System.setProperty("com.sun.net.ssl.checkRevocation", "true");
Security.setProperty("ocsp.enable", "true");

For more information, see RFC 3280 and How to set up OCSP using OpenSSL.

If your CA does not include this extension in the certificates it issues, you can configure the responder URL by setting the property

Security.setProperty("ocsp.responderURL", ...)

By default, the location of the OCSP responder is determined implicitly from the certificate being validated. The property is used when the Authority Information Access extension (defined in RFC 3280) is absent from the certificate or when it requires overriding.

If your OCSP responder's certificate does not match the issuer's certificate, you can set an alternative subject name by setting

Security.setProperty("ocsp.responderCertSubjectName", ...);

By default, the certificate of the OCSP responder is that of the issuer of the certificate being validated. This property identifies the certificate of the OCSP responder when the default does not apply. Its value is a string distinguished name (defined in RFC 2253) which identifies a certificate in the set of certificates supplied during cert path validation. In cases where the subject name alone is not sufficient to uniquely identify the certificate, then both the ocsp.responderCertIssuerName and ocsp.responderCertSerialNumber properties must be used instead. When this property is set, then those two properties are ignored.

For a description of all the properties available for configuring OCSP, see the Java PKI Programmer's Guide.

Why do we need Bouncy Castle OCSP support instead of just setting these properties?

Nobody says you have to use Bouncy Castle as the security provider. At least with JRE 1.8, using the default Sun JCE is fine.
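As an added example (not code from the question or the answer above): the same OCSP check done explicitly with a PKIXRevocationChecker (Java 8+) instead of the global ocsp.* properties, so the setting is scoped to one X509TrustManager and the fail-open/fail-closed choice is visible in code. The KeyStore of trust anchors and the responder URI are assumptions supplied by the caller; the URI in the comment is a placeholder, not a real responder.

```java
import java.net.URI;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509CertSelector;
import java.util.EnumSet;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public final class OcspTrustManagerExample {

    // trustStore: a KeyStore of trust anchors, assumed already loaded by the caller.
    // responderUrl: overrides the AIA extension (like ocsp.responderURL); null = use AIA.
    //   e.g. URI.create("http://ocsp.example.invalid/") as a placeholder value.
    static X509TrustManager buildOcspTrustManager(KeyStore trustStore, URI responderUrl)
            throws Exception {
        PKIXBuilderParameters params =
                new PKIXBuilderParameters(trustStore, new X509CertSelector());

        // Java 8+: the PKIX CertPathBuilder supplies a PKIXRevocationChecker.
        PKIXRevocationChecker checker = (PKIXRevocationChecker)
                CertPathBuilder.getInstance("PKIX").getRevocationChecker();

        // Empty option set is the default: OCSP first, CRL fallback, hard fail.
        // Adding Option.SOFT_FAIL would let an unreachable responder pass the chain,
        // which is the usual way OCSP checking gets silently disabled in practice.
        checker.setOptions(EnumSet.noneOf(PKIXRevocationChecker.Option.class));
        if (responderUrl != null) {
            checker.setOcspResponder(responderUrl);
        }
        // A PKIXRevocationChecker added here replaces the default revocation checker.
        params.addCertPathChecker(checker);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(params));
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("PKIX TrustManagerFactory returned no X509TrustManager");
    }
}
```

Pass the returned trust manager to SSLContext.init(null, new TrustManager[] { tm }, null); every chain that context validates then goes through the OCSP check without any process-wide property being set.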