[jdk17u-dev] RFR: 8179502: Enhance OCSP, CRL and Certificate Fetch Timeouts [v2]
Francisco Ferrari Bihurriet
fferrari at openjdk.org
Wed Nov 13 13:16:45 UTC 2024
On Tue, 12 Nov 2024 03:50:28 GMT, Alexey Bakhtin <abakhtin at openjdk.org> wrote:
>> Hello, I'd like to backport JDK-8179502 to JDK17u to improve the timeout adjustment for OCSP GET requests (which was missed in JDK-8179503).
>>
>> The backport is almost clean except for the following:
>> - OCSP.java was merged manually because of JDK-8328638 and JDK-8329213 is already backported into 17u-dev
>> - the copyright year in the GetPropertyAction.java and URICertStore.java files is updated manually
>> - CRLReadTimeout.java test is updated manually because of the different notation of internal X509CRLImpl and CRLExtensions classes.
>>
>> All new and related jtreg tests pass.
>
> Alexey Bakhtin has updated the pull request incrementally with one additional commit since the last revision:
>
> Change default readtimeout to CONNECT_TIMEOUT
src/java.base/share/classes/sun/security/provider/certpath/OCSP.java line 72:
> 70:
> 71: private static final int DEFAULT_CONNECT_TIMEOUT = 15000;
> 72: private static final int DEFAULT_READ_TIMEOUT = 15000;
Hi @alexeybakhtin and @GoeLin,
After e73f8c1a0301574a3248081a80142d7fbc9c8b74, `DEFAULT_READ_TIMEOUT` is now unused and can be removed.
Apparently, this backward-compatibility problem went undetected in the original change. Please also note that the behavior is no longer aligned with [the CSR](https://bugs.openjdk.org/browse/JDK-8337407 "JDK-8337407: Enhance OCSP, CRL and Certificate Fetch Timeouts") (emphasis by me):
> For __*all properties*__, existing and new, the proposed expanded syntax will conform to the following:
>
> - […]
> - As with the current behavior, non-numeric, non-decimal (e.g. hexadecimal values prepended by "0x", etc) values will be interpreted as illegal and __*will default to the 15 second timeout*__. The same is true for negative values.
`com.sun.security.ocsp.readtimeout` is now an exceptional case: it won't default to the 15 seconds timeout, but to `com.sun.security.ocsp.timeout` (which defaults to 15 seconds).
Should the CSR be adjusted? Otherwise, how do we ensure Oracle's backport behaves the same way? I don't have enough backporting experience. Is it usually accepted to diverge from newer releases (≥ 21u) in a backport CSR?
-------------
PR Review Comment: https://git.openjdk.org/jdk17u-dev/pull/2747#discussion_r1840245556
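
The divergence raised in the comment above, as an added example that is not part of the original message and is not JDK code. The class and method names are hypothetical, and the parser is a simplified model that assumes a legal value is a plain non-negative decimal number of seconds.

```java
import java.util.Properties;

// Added illustration, not JDK code: models the two fallback rules discussed above.
public class OcspReadTimeoutFallback {
    static final int DEFAULT_TIMEOUT_MS = 15000; // the 15 second default quoted above

    // Assumption: a plain non-negative decimal number of seconds is the only legal form.
    // Returns -1 for unset, non-numeric, non-decimal (e.g. "0x10") or negative values.
    static int parseSeconds(String value) {
        if (value == null || !value.matches("[0-9]{1,6}")) {
            return -1;
        }
        return Integer.parseInt(value) * 1000;
    }

    static int connectTimeout(Properties p) {
        int ms = parseSeconds(p.getProperty("com.sun.security.ocsp.timeout"));
        return ms < 0 ? DEFAULT_TIMEOUT_MS : ms;
    }

    // Rule as worded in the CSR: an illegal value defaults to the 15 second timeout.
    static int readTimeoutPerCsr(Properties p) {
        int ms = parseSeconds(p.getProperty("com.sun.security.ocsp.readtimeout"));
        return ms < 0 ? DEFAULT_TIMEOUT_MS : ms;
    }

    // Rule described in the review comment: fall back to com.sun.security.ocsp.timeout.
    static int readTimeoutPerBackport(Properties p) {
        int ms = parseSeconds(p.getProperty("com.sun.security.ocsp.readtimeout"));
        return ms < 0 ? connectTimeout(p) : ms;
    }

    public static void main(String[] args) {
        // Constructed cases: {ocsp.timeout, ocsp.readtimeout}; null means "not set".
        String[][] cases = { {null, null}, {"5", null}, {"5", "0x10"}, {"5", "-1"}, {"5", "30"} };
        for (String[] c : cases) {
            Properties p = new Properties();
            if (c[0] != null) p.setProperty("com.sun.security.ocsp.timeout", c[0]);
            if (c[1] != null) p.setProperty("com.sun.security.ocsp.readtimeout", c[1]);
            int csr = readTimeoutPerCsr(p);
            int backport = readTimeoutPerBackport(p);
            System.out.printf("timeout=%s readtimeout=%s -> CSR %d ms, backport %d ms%s%n",
                    c[0], c[1], csr, backport, csr == backport ? "" : "  <-- differs");
        }
    }
}
```

In this model the two rules give different results only when `com.sun.security.ocsp.timeout` is set to a legal value other than 15 seconds and `com.sun.security.ocsp.readtimeout` is unset or illegal.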