Release Date: 2021-10-08
Broken TLSv1.3 handshake with Java 11.0.12
When running Nexus OCSP Responder on Java 11.0.12, it was no longer possible to complete a TLSv1.3 handshake towards OCSP when the server TLS key is an RSA key. A change in Java's TLSv1.3 implementation broke the RSASSA-PSS signature scheme, which TLSv1.3 requires for RSA server keys, as used in the Nexus ID2 provider. This correction restores TLSv1.3 handshakes with RSA server keys on Java 11.0.12.
OCSP response thisUpdate and nextUpdate for non-issued certs
This correction makes the OCSP server set the thisUpdate and nextUpdate timestamps of the OCSP response for a certificate that is non-issued and not revoked to the corresponding values from the latest CIL for the issuer. Previously these values were taken from the latest CRL.
Full CRL/CIL nextUpdate time
This correction fixes the nextUpdate time for the case where a full CIL/CRL replaces a previous CIL/CRL plus delta(s). In this case the CIL/CRL should get the nextUpdate of the delta.
Validator cacheDir configuration uniqueness check
It has been possible to configure multiple validators in ocsp.properties that use the same (default) cacheDir. When configured this way, OCSP has sometimes sent incorrect responses. With this change, OCSP refuses to start (with an error message) if two or more validators share a cacheDir. It is not recommended to configure more than one validator per type (CRL and CIL). Read more in the Validation section.
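The same uniqueness rule can be checked before deployment. The following is an added illustration, not Nexus code and not the check the responder itself runs; the property layout it assumes (validator.<name>.type, validator.<name>.cacheDir, default cache directory "cache") and the sample configuration are constructed for the example and must be adapted to the real ocsp.properties layout.

```python
"""Pre-flight check for validators that share a cacheDir.

Added example (not Nexus OCSP Responder code). The key layout
validator.<name>.type / validator.<name>.cacheDir and the default
cache directory "cache" are assumptions for this illustration.
"""
import os
import re
from collections import defaultdict

DEFAULT_CACHE_DIR = "cache"  # assumed default used when cacheDir is omitted
_VALIDATOR_KEY = re.compile(r"^validator\.([^.]+)\.(type|cacheDir)$")


def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value, # and ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def validators(props):
    """Return {name: {"type": ..., "cacheDir": ...}} with the default applied.

    cacheDir values are normalised so that 'cache/', './cache' and 'cache'
    are recognised as the same directory.
    """
    found = defaultdict(dict)
    for key, value in props.items():
        m = _VALIDATOR_KEY.match(key)
        if m:
            found[m.group(1)][m.group(2)] = value
    return {
        name: {
            "type": v.get("type", "UNKNOWN"),
            "cacheDir": os.path.normpath(v.get("cacheDir", DEFAULT_CACHE_DIR)),
        }
        for name, v in found.items()
    }


def check_cache_dirs(props):
    """Return (errors, warnings).

    errors:   validators sharing a cacheDir (the responder refuses to start).
    warnings: more than one validator of the same type (not recommended).
    """
    by_dir = defaultdict(list)
    by_type = defaultdict(list)
    for name, v in validators(props).items():
        by_dir[v["cacheDir"]].append(name)
        by_type[v["type"]].append(name)
    errors = [
        f"validators {sorted(names)} share cacheDir '{d}'"
        for d, names in by_dir.items() if len(names) > 1
    ]
    warnings = [
        f"more than one {t} validator configured: {sorted(names)}"
        for t, names in by_type.items() if len(names) > 1
    ]
    return sorted(errors), sorted(warnings)


# Constructed sample: crl1 and cil1 both omit cacheDir and so collide on
# the default directory; cil2 is a second CIL validator with its own dir.
BAD_CONFIG = """
# constructed sample, not a real ocsp.properties
validator.crl1.type=CRL
validator.cil1.type=CIL
validator.cil2.type=CIL
validator.cil2.cacheDir=/var/ocsp/cil2/
"""

GOOD_CONFIG = """
validator.crl1.type=CRL
validator.crl1.cacheDir=/var/ocsp/crl
validator.cil1.type=CIL
validator.cil1.cacheDir=./cil/
"""

if __name__ == "__main__":
    for label, cfg in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        errors, warnings = check_cache_dirs(parse_properties(cfg))
        print(label, "errors:", errors, "warnings:", warnings)
```

Run it against a copy of the real ocsp.properties (with the key names adjusted) before restarting the responder; a non-empty error list means the new startup check will reject the configuration.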
Detailed feature list
For a detailed overview of changed functionality, deprecated functions and corrected problems, see Release.txt which is provided with the installation media.
For information regarding support, training and other services in your area, please visit our website at www.nexusgroup.com/.
Nexus offers maintenance and support services for Nexus OCSP Responder to customers and partners. For more information, please refer to the Nexus Technical Support at www.nexusgroup.com/support/, or contact your local sales representative.