ws-dev mailing list archives

From "Daniel Kulp (Commented) (JIRA)" <>
Subject [jira] [Commented] (WSS-339) OCSP support
Date Thu, 16 Feb 2012 14:32:59 GMT


Daniel Kulp commented on WSS-339:

Freeman, as global settings in the VM, there is no possible way to use them to mimic per-request/per-service
settings without affecting other parts of the system. With the synchronized block like you describe,
you run into 2 major issues:

1) Performance - CRLDP and OCSP both involve network connections, data transfers, etc...
Even on a local net with caching OCSP results and such, you'll likely add a millisecond or
two. If it needs to go off to the internet to check the certs, it's more likely to be in
the tens of milliseconds. You're immediately limiting the entire system to less than 1000
req/sec (best case) and no amount of additional hardware or anything can help. I'm -1 just
on that.

2) It doesn't solve the problem. There are other users of the security certs and such besides
WSS4J. The SSL stuff (used for things like ActiveMQ SSL connections, HttpsURLConnections,
Jetty, etc...) uses it, as do a lot of other things. There is no way you can create a synchronized
lock and change the global settings that would not impact the other users of the APIs.
So I'm -1 on this as well.

If you need per-request/service checks, you'll need to find another solution that does not
involve the built-in stuff controlled by system properties/global settings. I believe BouncyCastle
has some OCSP stuff built in (they have an ocsp package in the jar) that might be usable.
I don't really know as I haven't looked at it.

> OCSP support
> ------------
>                 Key: WSS-339
>                 URL:
>             Project: WSS4J
>          Issue Type: Improvement
>            Reporter: Freeman Fang
>            Assignee: Colm O hEigeartaigh
>         Attachments: WSS-339.patch
> Currently WSS4J already supports CRL for revocation checks; it would be better if we
> could also support OCSP through WSS4J configuration.
> Though we can set the ocsp.enable property in $JAVA_HOME/jre/lib/security/ to
> enable OCSP, its effect is JVM-wide. I'd like to introduce a property in WSHandlerConstants
> like enableOCSP which can trigger code like
> Security.setProperty("ocsp.enable", enableOCSP);
> This should be similar to the property enableRevocation; the logic is
> if (enableRevocation && enableOCSP) {
>     //use OCSP to do revocation check.
> }
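The two positions in this thread, as an added example that is not part of the JIRA issue, the patch, or WSS4J itself: `Security.setProperty("ocsp.enable", ...)` is process-wide state, so every `CertPathValidator` and JSSE consumer in the JVM observes it, which is the reason the per-request requirement cannot be met by toggling it (even under a lock). The alternative shown below attaches a revocation policy to a single `PKIXParameters` instance via `PKIXRevocationChecker`, so two concurrent validations can run with different OCSP/CRL policies and no global property is touched. It assumes Java 8 or later (where `PKIXRevocationChecker` and `CertPathValidator.getRevocationChecker()` were added); the class name, the `ocspResponder` override parameter and the trust-store argument are illustrative choices of this example, not names from WSS4J.

```java
import java.net.URI;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.PKIXRevocationChecker.Option;
import java.security.cert.X509Certificate;
import java.util.EnumSet;
import java.util.List;

/**
 * Added example (not WSS4J code). Contrasts the JVM-wide switch discussed in
 * the thread with a per-validation revocation policy (Java 8+).
 */
public final class RevocationCheckExample {

    /**
     * The approach from the issue description: a Security property is global
     * to the process. Every validator, TrustManager and HTTPS client in the
     * JVM sees this change, and a synchronized block around it only serialises
     * the callers that know about the lock; it does not scope the setting.
     */
    static void enableOcspGlobally(boolean enable) {
        Security.setProperty("ocsp.enable", Boolean.toString(enable));
    }

    /**
     * Per-validation policy: the checker is attached to this PKIXParameters
     * instance only, so concurrent validations with different settings do not
     * interfere and no global state is modified.
     *
     * @param chain         end-entity certificate first, as taken from the message
     * @param trustStore    key store holding the trusted CA certificates
     * @param preferCrls    consult CRLs first and fall back to OCSP (else OCSP first)
     * @param softFail      tolerate an unreachable responder/distribution point
     *                      (default here is hard-fail: unknown status is a failure)
     * @param ocspResponder optional responder override (hypothetical deployment
     *                      setting); null uses the AIA extension in the certificate
     * @return the validation result (trust anchor and end-entity public key)
     * @throws CertPathValidatorException on a revoked certificate, an untrusted
     *         chain, or (without softFail) an unobtainable revocation status
     */
    static PKIXCertPathValidatorResult validateWithPerRequestRevocation(
            List<X509Certificate> chain,
            KeyStore trustStore,
            boolean preferCrls,
            boolean softFail,
            URI ocspResponder) throws Exception {

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(chain);

        PKIXParameters params = new PKIXParameters(trustStore);
        // Disable the provider's default mechanism; the checker added below is
        // the one that runs, with exactly the options chosen for this request.
        params.setRevocationEnabled(false);

        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker checker =
                (PKIXRevocationChecker) validator.getRevocationChecker();

        EnumSet<Option> options = EnumSet.noneOf(Option.class);
        if (preferCrls) {
            options.add(Option.PREFER_CRLS);
        }
        if (softFail) {
            // Opt-in only: a network failure then yields "unknown", not "revoked".
            options.add(Option.SOFT_FAIL);
        }
        checker.setOptions(options);
        if (ocspResponder != null) {
            checker.setOcspResponder(ocspResponder);
        }

        // PKIXParameters clones the checker on add, so configure it fully first.
        params.addCertPathChecker(checker);

        // Throws CertPathValidatorException (with reason REVOKED, UNDETERMINED_REVOCATION_STATUS, ...)
        // when the chain or its revocation status is not acceptable.
        return (PKIXCertPathValidatorResult) validator.validate(path, params);
    }
}
```

Because the policy lives in the `PKIXParameters` object rather than in the JVM, a per-service or per-request `enableOCSP`-style flag maps directly onto the `preferCrls`/`softFail` arguments above without the throughput or cross-component side effects raised in the comment; the cost that remains is the network round trip of the check itself.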
