RFR: 8179502: Enhance OCSP, CRL and Certificate Fetch Timeouts [v2]

Jamil Nimeh jnimeh at openjdk.org
Fri May 19 20:05:09 UTC 2023


On Tue, 9 May 2023 15:56:02 GMT, Jamil Nimeh <jnimeh at openjdk.org> wrote:

>> Yes, I noticed that too.  I wasn't sure if we needed to make a change there.  I opted to leave well-enough alone since nobody was asking for it and it's one less property to keep track of.  All of these property sets end up with a max latency of connect-timeout + read-timeout, and by default they are set to the same values.  So in practice much of the time they are all 2x.
>> 
>> It's easy enough I think to make a separate property for `com.sun.security.ocsp.readtimeout` and then the existing `.timeout` property would be for connect timeouts (keeping in line with the other props).  I don't think it will introduce significant risk but I will highlight that in the CSR.
>
>> I think you should also apply the cert and CRL timeouts to the `LDAPCertStore` implementation, using the JNDI properties: `com.sun.jndi.ldap.connect.timeout` and `com.sun.jndi.ldap.read.timeout`.
> 
> I will look into this.

I've added the OCSP readtimeout property; it seems to be working well.  As discussed offline we'll hold off on the LDAP changes for now.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/13762#discussion_r1199323604


