RFR: 8179502: Enhance OCSP, CRL and Certificate Fetch Timeouts [v2]
Sean Mullan
mullan at openjdk.org
Tue May 9 15:04:19 UTC 2023
On Wed, 3 May 2023 13:15:32 GMT, Jamil Nimeh <jnimeh at openjdk.org> wrote:
>> This set of enhancements extends the allowed syntax for the `com.sun.security.ocsp.timeout`, `com.sun.security.crl.timeout` and `com.sun.security.crl.readtimeout` System properties. These properties retain their current behavior where a purely numeric value is interpreted in seconds, but now the numeric value may also be appended with "ms" (case-insensitive) to be interpreted as milliseconds.
>>
>> This enhancement also adds two new System properties: `com.sun.security.cert.timeout` and `com.sun.security.cert.readtimeout` which follow the same new allowed syntax. These timeouts only come into play when an AIA extension on a certificate is followed for pulling the issuing authority certificate and only when the `com.sun.security.enableAIAcaIssuers` property is true (default false).
>>
>> JBS: https://bugs.openjdk.org/browse/JDK-8179502
>> CSR: https://bugs.openjdk.org/browse/JDK-8300722
>
> Jamil Nimeh has updated the pull request incrementally with one additional commit since the last revision:
>
> Add 's' suffix to allowed syntax
I think you should also apply the cert and CRL timeouts to the `LDAPCertStore` implementation, using the JNDI properties: `com.sun.jndi.ldap.connect.timeout` and `com.sun.jndi.ldap.read.timeout`.
src/java.base/share/classes/sun/security/provider/certpath/OCSP.java line 1:
> 1: /*
I see there is no way to individually control the OCSP read and connect timeouts like there is for certs and CRLs. Perhaps this isn't as big an issue, but when you set the OCSP timeout, it really means 2x what you set.
-------------
PR Comment: https://git.openjdk.org/jdk/pull/13762#issuecomment-1540310480
PR Review Comment: https://git.openjdk.org/jdk/pull/13762#discussion_r1188745318
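The timeout-value syntax from the quoted PR description (bare digits are seconds, an "s" or case-insensitive "ms" suffix selects the unit) and the connect-plus-read doubling noted in the review, worked through as an added Java example; this is not JDK code, and the 15 s default and the fall-back-to-default policy on malformed values are assumptions made here.

```java
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Illustrative parser for the timeout-property syntax discussed in the PR:
 * digits = seconds, "s" = seconds, "ms" = milliseconds, unit case-insensitive.
 * Added example only; it is not the JDK's implementation.
 */
public final class TimeoutSyntax {
    // Up to nine digits so that n * 1000 cannot overflow a long; optional unit.
    private static final Pattern FORM =
        Pattern.compile("(\\d{1,9})\\s*(ms|s)?", Pattern.CASE_INSENSITIVE);

    /** Parse a property value into milliseconds; absent or malformed values yield the default. */
    public static int toMillis(String value, int defaultMillis) {
        if (value == null) return defaultMillis;
        Matcher m = FORM.matcher(value.trim());
        if (!m.matches()) return defaultMillis;          // e.g. "5 minutes", "-1", "" fall back
        long n = Long.parseLong(m.group(1));
        boolean millis = m.group(2) != null
            && m.group(2).toLowerCase(Locale.ROOT).equals("ms");
        long ms = millis ? n : n * 1000L;
        return (int) Math.min(ms, Integer.MAX_VALUE);   // java.net timeouts are int millis
    }

    /** Worst-case wall-clock wait for one fetch: the connect phase plus the read phase. */
    public static long worstCaseMillis(int connectMillis, int readMillis) {
        return (long) connectMillis + readMillis;
    }

    public static void main(String[] args) {
        int dflt = 15_000;  // assumed default, standing in for whatever the real code uses
        // OCSP: one property drives both phases, so the effective budget is twice the value.
        int ocsp = toMillis(System.getProperty("com.sun.security.ocsp.timeout", "5s"), dflt);
        System.out.println("ocsp worst case ms = " + worstCaseMillis(ocsp, ocsp));
        // Certificate fetch: connect and read timeouts can be set independently.
        int cConn = toMillis(System.getProperty("com.sun.security.cert.timeout", "2s"), dflt);
        int cRead = toMillis(System.getProperty("com.sun.security.cert.readtimeout", "500MS"), dflt);
        System.out.println("cert worst case ms = " + worstCaseMillis(cConn, cRead));
        // Legacy form: a bare number is still interpreted as seconds.
        System.out.println("legacy '7' -> " + toMillis("7", dflt) + " ms");
    }
}
```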