如果设置了Security.setProperty("ocsp.enable", "true")，SSLSocket或SSLServerSocket连接会自动使用OCSP检查证书吊销吗？

创建套接字时是否必须手动进行OCSP检查？ （我没有使用CRL。）

您可以使用我提倡的TrustManager实施进行一些测试，该测试基于XueLei.Fan's blog上的OCSP检查代码。

我根据他们的Netty击中HttpSnoopClient将它与https://www.mozilla.org/en-US/一起使用了，并且可以正常工作。

import io.netty.handler.ssl.util.SimpleTrustManagerFactory;
import io.netty.util.internal.EmptyArrays;
import io.netty.util.internal.logging.InternalLogger;
import io.netty.util.internal.logging.InternalLoggerFactory;

import javax.net.ssl.ManagerFactoryParameters;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.*;
import java.util.*;

/**
 * TrustManager that verifies server certs using OCSP using the code found at
 * https://blogs.oracle.com/xuelei/entry/enable_ocsp_checking
 */
public class OCSPTrustManagerFactory extends SimpleTrustManagerFactory {
    private static final InternalLogger logger = InternalLoggerFactory
            .getInstance(OCSPTrustManagerFactory.class);
    public static final TrustManagerFactory INSTANCE = new OCSPTrustManagerFactory();
    private static final TrustManager tm = new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] chain, String s) {
            OCSPTrustManagerFactory.logger.debug("Accepting a client certificate: " + chain[0].getSubjectDN());
        }

        public void checkServerTrusted(X509Certificate[] chain, String s) {
            try {

                logger.debug("Certs size:{}", chain.length);
                logger.debug("Accepting a server certificate:{} ", chain[0].getSubjectDN());

                // if you work behind proxy, configure the proxy.
               // System.setProperty("http.proxyHost", "proxyHost");
                //System.setProperty("http.proxyPort", "proxyPort");

                CertPath path = generateCertificatePath(chain);
                Set anchors = generateTrustAnchors();

                PKIXParameters params = new PKIXParameters(anchors);

                // Activate certificate revocation checking
                params.setRevocationEnabled(true);

                // Activate OCSP
                Security.setProperty("ocsp.enable", "true");

                // Activate CRLDP
                System.setProperty("com.sun.security.enableCRLDP", "true");

                // Ensure that the ocsp.responderURL property is not set.
                if (Security.getProperty("ocsp.responderURL") != null) {
                    throw new
                            Exception("The ocsp.responderURL property must not be set");
                }

                CertPathValidator validator = CertPathValidator.getInstance("PKIX");

                validator.validate(path, params);
                logger.info("OCSP validation successful for Server certificate: {}", chain[0].getSubjectDN());
            } catch (Exception ex) {
                logger.error("Exception checking Server certificates", ex);
            }
        }

        public X509Certificate[] getAcceptedIssuers() {
            return EmptyArrays.EMPTY_X509_CERTIFICATES;
        }


    };

    private static CertPath generateCertificatePath(X509Certificate[] certs)
            throws CertificateException {
        // generate certificate from cert strings
        CertificateFactory cf = CertificateFactory.getInstance("X.509");

        return cf.generateCertPath(Arrays.asList(certs));
    }

    private static Set generateTrustAnchors() throws Exception {
        // generate certificate from cert string
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // Load the JDK's cacerts keystore file
        String filename = System.getProperty("java.home") + "/lib/security/cacerts".replace('/', File.separatorChar);
        FileInputStream is = new FileInputStream(filename);
        KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
        String password = "changeit";
        keystore.load(is, password.toCharArray());

        // This class retrieves the most-trusted CAs from the keystore
        PKIXParameters params = new PKIXParameters(keystore);


        return params.getTrustAnchors();
    }

    private OCSPTrustManagerFactory() {
    }

    protected void engineInit(KeyStore keyStore)
            throws Exception {

        logger.debug("KeyStore is: {}", keyStore.toString());
    }

    protected void engineInit(ManagerFactoryParameters managerFactoryParameters)
            throws Exception {
    }

    protected TrustManager[] engineGetTrustManagers() {
        return new TrustManager[]{tm};
    }
}