
I implemented Java code, with the java.security framework, which sends OCSP requests to an EJBCA OCSP responder in order to check the certificate revocation status of users who send HTTPS requests to my SOAP WebService.

I call this code from a SOAPHandler, so each time an HTTPS request is sent to my SOAP WebService, the SOAPHandler catches it and then calls the code which sends the OCSP request. All of this works well.

My question is: are there Java handlers for HTTPS connections, or a way to make the java.security framework call my PKIXCertPathChecker check method automatically at each HTTPS connection? It would allow me, in the case of HTTPS persistent connections, to send an OCSP request to the EJBCA responder only at connection and not at each request.

  • An OCSP request isn't sent with every HTTPS request. What makes you think that? Clients (properly developed) cache OCSP responses and use them. And don't write your own crypto/cert validation logic; it won't be any better than the well-proven and carefully tested logic built into the framework. – Crypt32 Dec 18 '20 at 19:44
  • Nothing. If I knew a way to check revocation status during the HTTPS handshake it would be better; that's why I ask if there are handlers that do it. – Olivier Jan 04 '21 at 09:00
  • My application is a server, not a client, so I can't use Java OCSP (https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/ocsp.html#ocsp-stapling-and-certificate-revocation). And because of a project requirement I can use only a free solution. @Crypt32 do you know one? – Olivier Jan 04 '21 at 09:05

0 Answers
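
One way to run the revocation check during the TLS handshake with the JDK's built-in PKIX validator, as an added example that is not code from the question or its comments. The class name, method names, keystores and responder URI are assumptions, and it assumes the OCSP responses are signed by the issuing CA or a responder it delegated.

```java
import java.net.URI;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.PKIXRevocationChecker.Option;
import java.security.cert.X509CertSelector;
import java.util.EnumSet;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.TrustManagerFactory;

public class HandshakeRevocationCheck {

    // Builds a server SSLContext whose trust manager validates the client
    // certificate chain, including OCSP status, while the handshake runs.
    static SSLContext build(KeyStore serverKeys, char[] keyPass,
                            KeyStore clientCaTrust, URI ocspResponder) throws Exception {
        PKIXBuilderParameters pkix =
                new PKIXBuilderParameters(clientCaTrust, new X509CertSelector());

        // Built-in revocation checker (Java 8+), pointed at the OCSP responder.
        PKIXRevocationChecker rc = (PKIXRevocationChecker)
                CertPathBuilder.getInstance("PKIX").getRevocationChecker();
        rc.setOcspResponder(ocspResponder);
        // Fail closed: no CRL fallback and no SOFT_FAIL, so an unreachable
        // responder rejects the handshake. Only the user certificate is queried.
        rc.setOptions(EnumSet.of(Option.NO_FALLBACK, Option.ONLY_END_ENTITY));
        pkix.addCertPathChecker(rc);
        // A custom PKIXCertPathChecker subclass can be registered the same way.

        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(pkix));
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(serverKeys, keyPass);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    // Client authentication must be required, otherwise no chain is validated.
    static SSLServerSocket listen(SSLContext ctx, int port) throws Exception {
        SSLServerSocket s = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(port);
        s.setNeedClientAuth(true);
        return s;
    }
}
```

The trust manager is invoked once per full handshake, so requests that reuse a persistent connection do not trigger another OCSP query.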