[jdk17u-dev] RFR: 8179502: Enhance OCSP, CRL and Certificate Fetch Timeouts [v2]

Alexey Bakhtin abakhtin at openjdk.org
Wed Nov 13 18:21:39 UTC 2024 

On Wed, 13 Nov 2024 13:11:11 GMT, Francisco Ferrari Bihurriet <fferrari at openjdk.org> wrote:

>> Alexey Bakhtin has updated the pull request incrementally with one additional commit since the last revision:
>> 
>>   Change default readtimeout to CONNECT_TIMEOUT
>
> src/java.base/share/classes/sun/security/provider/certpath/OCSP.java line 72:
> 
>> 70: 
>> 71:     private static final int DEFAULT_CONNECT_TIMEOUT = 15000;
>> 72:     private static final int DEFAULT_READ_TIMEOUT = 15000;
> 
> Hi @alexeybakhtin and @GoeLin,
> 
> After e73f8c1a0301574a3248081a80142d7fbc9c8b74, `DEFAULT_READ_TIMEOUT` is now unused and can be removed.
> 
> Apparently, this backward-compatibility problem went undetected in the original change. Please also note that the behavior is no longer aligned with [the CSR](https://bugs.openjdk.org/browse/JDK-8337407 "JDK-8337407: Enhance OCSP, CRL and Certificate Fetch Timeouts") (emphasis by me):
>> For __*all properties*__, existing and new, the proposed expanded syntax will conform to the following:
>>
>> - […]
>> - As with the current behavior, non-numeric, non-decimal (e.g. hexadecimal values prepended by "0x", etc) values will be interpreted as illegal and __*will default to the 15 second timeout*__. The same is true for negative values.
> 
> `com.sun.security.ocsp.readtimeout` is now an exceptional case, it won't default to the 15 seconds timeout, but to `com.sun.security.ocsp.timeout` (which defaults to 15 seconds).
> 
> Should the CSR be adjusted? Otherwise, how do we ensure Oracle's backport behaves the same way? I don't have enough backporting experience, is it usually accepted to diverge from newer releases (≥ 21u) in a backport CSR?

Hi @franferrax 
Thank you for the finding. I'll remove  `DEFAULT_READ_TIMEOUT` 
You are right, the CSR for update releases should be updated for `com.sun.security.ocsp.readtimeout` default value. I'll do it and ask you to review it from an engineering point of view. 
I hope in this way, without backward compatibility, the patch will be accepted.

-------------

PR Review Comment: https://git.openjdk.org/jdk17u-dev/pull/2747#discussion_r1840959784

More information about the jdk-updates-dev mailing list