RFR: 8179502: Enhance OCSP, CRL and Certificate Fetch Timeouts [v2]
Jamil Nimeh
jnimeh at openjdk.org
Fri May 19 20:05:09 UTC 2023
On Tue, 9 May 2023 15:56:02 GMT, Jamil Nimeh <jnimeh at openjdk.org> wrote:
>> Yes, I noticed that too. I wasn't sure if we needed to make a change there. I opted to leave well-enough alone since nobody was asking for it and it's one less property to keep track of. All of these property sets end up with a max latency of connect-timeout + read-timeout, and by default they are set to the same values. So in practice much of the time they are all 2x.
>>
>> It's easy enough I think to make a separate property for `com.sun.security.ocsp.readtimeout` and then the existing `.timeout` property would be for connect timeouts (keeping in line with the other props). I don't think it will introduce significant risk but I will highlight that in the CSR.
>
>> I think you should also apply the cert and CRL timeouts to the `LDAPCertStore` implementation, using the JNDI properties: `com.sun.jndi.ldap.connect.timeout` and `com.sun.jndi.ldap.read.timeout`.
>
> I will look into this.
I've added the OCSP readtimeout property, seems to be working well. As discussed offline we'll hold off on the LDAP changes for now.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/13762#discussion_r1199323604
More information about the security-dev
mailing list