RFR: 8179502: Enhance OCSP, CRL and Certificate Fetch Timeouts [v2]
Jamil Nimeh
jnimeh at openjdk.org
Tue May 9 15:59:34 UTC 2023
On Tue, 9 May 2023 15:01:29 GMT, Sean Mullan <mullan at openjdk.org> wrote:
>> Jamil Nimeh has updated the pull request incrementally with one additional commit since the last revision:
>>
>> Add 's' suffix to allowed syntax
>
> src/java.base/share/classes/sun/security/provider/certpath/OCSP.java line 1:
>
>> 1: /*
>
> I see there is no way to individually control the OCSP read and connect timeouts like there is for certs and CRLs. Perhaps this isn't as big an issue, but when you set the OCSP timeout, it really means 2x what you set.
Yes, I noticed that too. I wasn't sure if we needed to make a change there. I opted to leave well-enough alone since nobody was asking for it and it's one less property to keep track of. All of these property sets end up with a max latency of connect-timeout + read-timeout, and by default they are set to the same values. So in practice much of the time they are all 2x.
It's easy enough I think to make a separate property for `com.sun.security.ocsp.readtimeout` and then the existing `.timeout` property would be for connect timeouts (keeping in line with the other props). I don't think it will introduce significant risk but I will highlight that in the CSR.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/13762#discussion_r1188816429
More information about the security-dev
mailing list