[PR #553] [MERGED] Do not enable TLS certificate revocation checks by default #621

Closed
opened 2025-12-30 01:25:42 +01:00 by adam · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/apple/pkl/pull/553
Author: @bioball
Created: 6/27/2024
Status: Merged
Merged: 6/28/2024
Merged by: @bioball

Base: main ← Head: soft-fail-ocsp


📝 Commits (3)

  • 1940627 Make OCSP checks soft-fail
  • b13b970 Do not check revocation status by default
  • a181385 Fix two issues

📊 Changes

6 files changed (+36 additions, -77 deletions)


📝 pkl-cli/pkl-cli.gradle.kts (+1 -37)
📝 pkl-commons-cli/src/main/kotlin/org/pkl/commons/cli/CliCommand.kt (+13 -1)
📝 pkl-commons-cli/src/main/kotlin/org/pkl/commons/cli/CliMain.kt (+0 -4)
📝 pkl-commons-cli/src/main/resources/org/pkl/commons/cli/PklCARoots.pem (+0 -0)
📝 pkl-core/src/main/java/org/pkl/core/http/JdkHttpClient.java (+20 -34)
📝 pkl-core/src/main/java/org/pkl/core/runtime/ModuleCache.java (+2 -1)

📄 Description

This addresses an issue where network requests may fail if cert revocation checks error, which may occur due to availability issues, or due to lack of internet access.

This changes the HTTP client to not check revocation on TLS certificates by default.
Users of the Java client can enable this by setting Java property com.sun.net.ssl.checkRevocation to true.

Users of the native executables will not perform revocation checks.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

adam added the pull-request label 2025-12-30 01:25:42 +01:00
adam closed this issue 2025-12-30 01:25:42 +01:00
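
The description above names the JVM-wide switch `com.sun.net.ssl.checkRevocation`, and the first commit title mentions soft-fail OCSP. As an added example (not code from the Pkl repository; the class and method names are hypothetical), this is how a Java application can opt in to revocation checking for a single `HttpClient` using the standard `PKIXRevocationChecker` API, with soft-fail as an explicit choice:

```java
import java.net.http.HttpClient;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;

// Added example, not Pkl code. Names are hypothetical.
public class RevocationCheckingClient {

  /** SSLContext whose trust manager checks revocation (OCSP preferred, CRL fallback). */
  static SSLContext revocationCheckingContext(boolean softFail) throws Exception {
    // Reuse the JVM's default trust anchors (cacerts) rather than a private CA bundle.
    TrustManagerFactory defaults = TrustManagerFactory.getInstance("PKIX");
    defaults.init((KeyStore) null);
    Set<TrustAnchor> anchors = new HashSet<>();
    for (TrustManager tm : defaults.getTrustManagers()) {
      if (tm instanceof X509TrustManager) {
        for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
          anchors.add(new TrustAnchor(ca, null));
        }
      }
    }

    PKIXRevocationChecker checker =
        (PKIXRevocationChecker) CertPathBuilder.getInstance("PKIX").getRevocationChecker();
    // SOFT_FAIL: an unreachable responder or a tryLater/internalError answer does not
    // fail the handshake; a definite "revoked" answer still does. Without it, any
    // responder outage or offline use breaks every connection (hard-fail).
    checker.setOptions(softFail
        ? EnumSet.of(PKIXRevocationChecker.Option.SOFT_FAIL)
        : EnumSet.noneOf(PKIXRevocationChecker.Option.class));

    PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, new X509CertSelector());
    params.addCertPathChecker(checker); // used regardless of the RevocationEnabled flag

    TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
    tmf.init(new CertPathTrustManagerParameters(params));
    SSLContext ctx = SSLContext.getInstance("TLS");
    ctx.init(null, tmf.getTrustManagers(), null);
    return ctx;
  }

  public static void main(String[] args) throws Exception {
    // JVM-wide alternative from the PR description: -Dcom.sun.net.ssl.checkRevocation=true
    // (pass it on the command line so it is set before the JSSE classes initialise).
    HttpClient client =
        HttpClient.newBuilder().sslContext(revocationCheckingContext(true)).build();
    System.out.println("HttpClient built with soft-fail revocation checking: " + client.version());
  }
}
```

Soft-fail keeps requests working when the responder is unreachable, at the cost that an attacker who can block OCSP/CRL traffic also suppresses the check.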
Reference: starred/pkl#621