RFR: 8179502: Enhance OCSP, CRL and Certificate Fetch Timeouts [v4]
Jamil Nimeh
jnimeh at openjdk.org
Mon May 22 23:54:49 UTC 2023
On Mon, 22 May 2023 17:39:59 GMT, Jamil Nimeh <jnimeh at openjdk.org> wrote:
>> src/java.base/share/classes/sun/security/provider/certpath/URICertStore.java line 131:
>>
>>> 129: private static final int DEFAULT_CRL_READ_TIMEOUT = 15000;
>>> 130:
>>> 131: // Default connect and read timeouts for CA certificate fetching (15 sec)
>>
>> Does 15 seconds make sense as the default timeout, especially for certs? CRLs are generally larger than certs, so a longer read timeout makes sense.
>>
>> I'm ok with keeping these default values the same for consistency, but I think we should re-evaluate each of these default timeouts and compare them to other products/technologies to see if some adjustments may be needed - can you file a follow-on RFE for that?
>
> Yes, I can make a follow-on for that.
Filed https://bugs.openjdk.org/browse/JDK-8308601
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/13762#discussion_r1201306717