OCSP Stapling has been supported in Java since JDK 8. There is an excellent document from Oracle which describes it in detail.
Client-Driven OCSP and OCSP Stapling
Example of creating the SSLContext can be found in the OCSP Example Class These are the methods of interest...
| Description | Method |
|---|---|
| Standard TLS | createStandardContext() |
| Vm Wide Check Revocation | createVmWideOcspCheckRevocationContext() |
| Vm Wide Don't Check Revocation | createVmWideOcspDontCheckRevocationContext() |
| Siloed Check Revocation | createSiloedContextCheckRevocation() |
It's actually trivial to turn on Client Side OCSP revocation checking. It's as simple at this code, adding system properties:
System.setProperty("jdk.tls.client.enableStatusRequestExtension", "true");
System.setProperty("com.sun.net.ssl.checkRevocation", "true");The caveat here is that these properties apply to every single SSLContext running in that VM.
These properties are checked at runtime, each time a TLS handshake is made, so it cannot be turned on
to create an SSLContext then turned off. If it is turned off, revocation checking will not happen.
If it's that easy to turn on OCSP stapling with revocation, why do we need the example?
Consider 3 different types of connections.
- Standard TLS
- OCSP with revocation checking
- OCSP without revocation checking
It appears that setting the system properties does not affect Standard TLS certificate handshakes.
But if you need both OCSP with revocation checking and OCSP without, you cannot use the com.sun.net.ssl.checkRevocation property,
so must use the siloed implementation for the context that will check revocation.
Find your configuration in this table to see if you have to set the system properties / which OCSP context implementation to use.
| Have Standard TLS? | Have OCSP With Revocation? | Have OCSP Without Revocation? | Enable Status Request Extension Flag? | Check Revocation Flag? | Use Context Implementations |
|---|---|---|---|---|---|
| Yes | No | No | false | false | Standard TLS |
| Yes | Yes | No | true | true | Standard TLS and Vm Wide Check Revocation |
| Yes | No | Yes | true | false | Standard TLS and Vm Wide Don't Check Revocation |
| Yes | Yes | Yes | true | false | Standard TLS, Siloed Check Revocation and Vm Wide Don't Check Revocation |
| No | No | No | false | false | None |
| No | Yes | No | true | true | Vm Wide Check Revocation |
| No | No | Yes | true | false | Vm Wide Don't Check Revocation |
| No | Yes | Yes | true | false | Siloed Check Revocation and Vm Wide Don't Check Revocation |
Please be aware. There are a few examples on the internet that guided development examples, in fact the siloed version is almost identical to those,
but none of them set the enableStatusRequestExtension flag. As far as we can tell it simply does not work without setting the flag!
This example leverages the SSLContext Kickstart project
which operates under the Apache License 2.0
Their library had some functionality scoped private which we needed to use directly so we copied it and made it public.
This usage is allowed by Apache 2.0 license policy, but we are noting it here for full transparency.
That library and this example both use Bouncy Castle which has this Licence, an MIT License
Unless otherwise noted, NATS source files are distributed under Apache Version 2.0