RFR: 8179502: Enhance OCSP, CRL and Certificate Fetch Timeouts

Jamil Nimeh jnimeh at openjdk.org
Tue May 2 23:23:17 UTC 2023


On Tue, 2 May 2023 22:33:47 GMT, Weijun Wang <weijun at openjdk.org> wrote:

>> This set of enhancements extends the allowed syntax for the `com.sun.security.ocsp.timeout`, `com.sun.security.crl.timeout` and `com.sun.security.crl.readtimeout` System properties.  These properties retain their current behavior where a purely numeric value is interpreted in seconds, but now the numeric value may also be appended with "ms" (case-insensitive) to be interpreted as milliseconds.
>> 
>> This enhancement also adds two new System properties: `com.sun.security.cert.timeout` and `com.sun.security.cert.readtimeout` which follow the same new allowed syntax.  These timeouts only come into play when an AIA extension on a certificate is followed for pulling the issuing authority certificate and only when the `com.sun.security.enableAIAcaIssuers` property is true (default false).
>> 
>> JBS: https://bugs.openjdk.org/browse/JDK-8179502
>> CSR: https://bugs.openjdk.org/browse/JDK-8300722
>
> src/java.base/share/classes/sun/security/action/GetPropertyAction.java line 192:
> 
>> 190: 
>> 191:         // Determine if "ms" is on the end of the string
>> 192:         boolean isMillis = propVal.toLowerCase().endsWith("ms");
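
Review bot: At line 192, `propVal.toLowerCase()` is called without a `Locale` argument, so the suffix check runs through the default locale's case mapping; `propVal.toLowerCase(Locale.ROOT).endsWith("ms")` would keep the parsing of these security properties independent of the runtime locale. The visible lines also do not show what happens when the value is only "ms" with no digits before it, so that input is worth a test.
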
> 
> Shall we allow the `s` suffix as well? This makes it clear that a value is in seconds.

Well, all the existing documentation already states that they are in seconds.  That was why I didn't add any additional suffixes.  The goal was to make it so folks don't need to make any changes if the existing seconds-level granularity is sufficient for them.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/13762#discussion_r1183129362
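
The timeout syntax described in the quoted PR summary (digits alone are seconds, digits followed by a case-insensitive "ms" are milliseconds), as an added example that is not part of the original message and is not the JDK's own code. The class `TimeoutSyntaxDemo`, the helper `parseTimeoutMillis`, the whitespace trimming, the fall-back-to-default policy and the sample values are all assumptions of this example.

```java
import java.util.Locale;

// Added illustration; parseTimeoutMillis is a hypothetical helper, not JDK code.
public class TimeoutSyntaxDemo {

    /**
     * Parses a timeout value in the syntax described above: digits alone
     * mean seconds, digits followed by "ms" (any case) mean milliseconds.
     * Returns defaultMillis for null, empty, malformed, negative or
     * out-of-range input (this fallback policy is an assumption).
     */
    static int parseTimeoutMillis(String propVal, int defaultMillis) {
        if (propVal == null) return defaultMillis;
        String v = propVal.trim();
        if (v.isEmpty()) return defaultMillis;

        // Locale.ROOT keeps the suffix check independent of the default locale.
        boolean isMillis = v.toLowerCase(Locale.ROOT).endsWith("ms");
        String digits = isMillis ? v.substring(0, v.length() - 2) : v;

        // ASCII digits only: rejects "", "-1", "+5", "1.5", "5 ms" and "10s".
        if (!digits.matches("[0-9]+")) return defaultMillis;

        try {
            long n = Long.parseLong(digits);
            // Seconds are scaled to milliseconds with overflow detection.
            long millis = isMillis ? n : Math.multiplyExact(n, 1000L);
            return millis > Integer.MAX_VALUE ? defaultMillis : (int) millis;
        } catch (ArithmeticException | NumberFormatException e) {
            return defaultMillis; // value too large to represent
        }
    }

    public static void main(String[] args) {
        int def = 15_000; // constructed default, not taken from the JDK
        // Constructed sample values covering valid and rejected forms.
        String[] samples = { "15", "2500ms", "750MS", "3Ms", "ms",
                             "-1", "1.5", "10s", "99999999999", null };
        for (String s : samples) {
            System.out.printf("%-12s -> %d ms%n", s, parseTimeoutMillis(s, def));
        }
    }
}
```

With these inputs, "15" yields 15000 ms, "2500ms", "750MS" and "3Ms" yield 2500, 750 and 3 ms, and every other sample falls back to the 15000 ms default.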

