On Tue, 10 Jan 2023 18:26:50 GMT, Xue-Lei Andrew Fan <xue...@openjdk.org> wrote:

>> Well, in the case of a 404 what appears to happen is that HttpURLConnection 
>> would throw a FileNotFoundException.  That ultimately would result in a CPVE 
>> if there were no other sources of revocation information (e.g. CRL) for that 
>> certificate.
>
> It may be more effective/accurate to stop reading OCSP response bytes if 
> the response code is not OK.

Logging the error code and returning with no read and not throwing an exception 
I believe would still work since the revocation information would be missing.  
I'm wondering though if this needs to be a separate issue given that we're 
talking about a different use case, and one that involves the behavior of 
HttpURLConnection when dealing with different response codes.  I'll also check 
to see if there are existing tests that make CPV checks against URIs that have 
non-200 response codes.

-------------

PR: https://git.openjdk.org/jdk/pull/11917
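
The behaviour discussed in this message, as an added example that is not part of the original post and is not the JDK's OCSP code. It assumes a constructed local server that always answers 404; the class name OcspFetchDemo and the helper fetchIfOk are hypothetical.

```java
import com.sun.net.httpserver.HttpServer;
import java.io.*;
import java.net.*;

public class OcspFetchDemo {
    // Hypothetical helper: returns the response body, or null when the
    // responder did not answer 200 OK. The caller treats null as "no
    // revocation information from this source".
    static byte[] fetchIfOk(URL url) throws IOException {
        HttpURLConnection con = (HttpURLConnection) url.openConnection();
        try {
            int code = con.getResponseCode();
            if (code != HttpURLConnection.HTTP_OK) {
                System.err.println("OCSP responder returned HTTP " + code);
                return null;               // log and return, nothing is read
            }
            try (InputStream in = con.getInputStream()) {
                return in.readAllBytes();
            }
        } finally {
            con.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for an OCSP responder: always answers 404.
        HttpServer server = HttpServer.create(
                new InetSocketAddress(InetAddress.getLoopbackAddress(), 0), 0);
        server.createContext("/ocsp", ex -> {
            ex.sendResponseHeaders(404, -1);   // -1: no response body
            ex.close();
        });
        server.start();
        try {
            URL url = URI.create("http://127.0.0.1:"
                    + server.getAddress().getPort() + "/ocsp").toURL();
            // Reading without checking the status: the 404 surfaces as an exception.
            try (InputStream in = url.openConnection().getInputStream()) {
                in.readAllBytes();
            } catch (FileNotFoundException e) {
                System.out.println("unchecked read: " + e);
            }
            // Checking the status first: no read and no exception.
            System.out.println("checked read: " + fetchIfOk(url));
        } finally {
            server.stop(0);
        }
    }
}
```

Either way the caller ends up without revocation data from this source, so the path validation result depends on whether another source such as a CRL is available.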
