RFR: 8179502: Enhance OCSP, CRL and Certificate Fetch Timeouts [v2]
Jamil Nimeh
jnimeh at openjdk.org
Tue May 9 15:59:34 UTC 2023
On Tue, 9 May 2023 15:55:24 GMT, Jamil Nimeh <jnimeh at openjdk.org> wrote:
>> src/java.base/share/classes/sun/security/provider/certpath/OCSP.java line 1:
>>
>>> 1: /*
>>
>> I see there is no way to individually control the OCSP read and connect timeouts like there is for certs and CRLs. Perhaps this isn't as big an issue, but when you set the OCSP timeout, it really means 2x what you set.
>
> Yes, I noticed that too. I wasn't sure if we needed to make a change there. I opted to leave well-enough alone since nobody was asking for it and it's one less property to keep track of. All of these property sets end up with a max latency of connect-timeout + read-timeout, and by default they are set to the same values. So in practice much of the time they are all 2x.
>
> It's easy enough I think to make a separate property for `com.sun.security.ocsp.readtimeout` and then the existing `.timeout` property would be for connect timeouts (keeping in line with the other props). I don't think it will introduce significant risk but I will highlight that in the CSR.
> I think you should also apply the cert and CRL timeouts to the `LDAPCertStore` implementation, using the JNDI properties: `com.sun.jndi.ldap.connect.timeout` and `com.sun.jndi.ldap.read.timeout`.
I will look into this.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/13762#discussion_r1188817169
More information about the security-dev
mailing list