- Type: Enhancement
- Resolution: Fixed
- Priority: P4
- Affects Version/s: 8, 9
- Resolved In Build: b24
- CPU: generic
- OS: generic
Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build
---|---|---|---|---|---|---
JDK-8337406 | 17-pool | Alexey Bakhtin | P4 | New | Unresolved |
JDK-8338808 | 17.0.15-oracle | Nibedita Jena | P4 | Open | Unresolved |
The current OCSP implementation in Java expresses its timeout in seconds. This means that the OCSP client has to wait at least 1 second before timing out the connection. One second is a very long time in modern electronic communications. I request that the default OCSP timeout be changed from seconds to milliseconds.
Below is the problematic code (class sun.security.provider.certpath.OCSP):

```java
// Excerpt from sun.security.provider.certpath.OCSP.
// Requires: import sun.security.action.GetIntegerAction;
private static final int DEFAULT_CONNECT_TIMEOUT = 15000;
private static final int CONNECT_TIMEOUT = initializeTimeout();

// Reads com.sun.security.ocsp.timeout; absent, unparsable or negative
// values fall back to the 15-second default.
private static int initializeTimeout() {
    Integer tmp = java.security.AccessController.doPrivileged(
        new GetIntegerAction("com.sun.security.ocsp.timeout"));
    if (tmp == null || tmp < 0) {
        return DEFAULT_CONNECT_TIMEOUT;
    }
    // Convert to milliseconds, as the system property will be
    // specified in seconds
    return tmp * 1000;
}
```
In this code we can clearly see that the smallest non-zero value initializeTimeout() can return is 1000 milliseconds (1 s).

JUSTIFICATION:
In the current OCSP implementation of Java the unit of the timeout is seconds. This means that the OCSP client has to wait at least 1 second before timing out the connection. One second is a very long time in modern electronic communications. I request that the default OCSP timeout be changed from seconds to milliseconds.
In addition, two other related enhancements should be made:
1. Properties that deal with CRL fetching and reading (com.sun.security.crl.timeout and com.sun.security.crl.readtimeout) should also be extended to allow for millisecond granularity.
2. Properties that fetch certificates based on the AIA extension should have configurable timeouts. This will require two new properties: com.sun.security.cert.timeout and com.sun.security.cert.readtimeout. These will use the same syntax as the properties above (a bare numeric value is interpreted as seconds; a numeric value ending in a case-insensitive "ms" suffix is interpreted as milliseconds). In addition, these property timeouts will only be acted upon when the com.sun.security.enableAIAcaIssuers property is set to true, as this is required for certificate fetching from the AIA extension.
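As an added illustration (not the JDK's own code), the following Java class parses the timeout syntax proposed above next to the seconds-only conversion quoted from initializeTimeout(), so the difference in the smallest non-zero timeout is visible; the class and method names are hypothetical.

```java
import java.util.Locale;

/** Illustration of the proposed timeout syntax; not the JDK's implementation. */
public final class FetchTimeout {
    // Same default the quoted OCSP code uses: 15 seconds.
    static final int DEFAULT_TIMEOUT_MILLIS = 15000;

    /** Current behaviour quoted in the issue: seconds only, so any non-zero value is >= 1000 ms. */
    static int legacyTimeoutMillis(String value) {
        Integer tmp = parseInteger(value);
        if (tmp == null || tmp < 0) {
            return DEFAULT_TIMEOUT_MILLIS;
        }
        return tmp * 1000;
    }

    /** Proposed behaviour: bare number = seconds, case-insensitive "ms" suffix = milliseconds. */
    static int timeoutMillis(String value) {
        if (value == null) {
            return DEFAULT_TIMEOUT_MILLIS;
        }
        String v = value.trim().toLowerCase(Locale.ROOT);
        boolean millis = v.endsWith("ms");
        if (millis) {
            v = v.substring(0, v.length() - 2).trim();
        }
        Integer tmp = parseInteger(v);
        // Null (absent or unparsable) and negative values fall back to the default, as in
        // initializeTimeout(); second counts that would overflow int are rejected the same way.
        if (tmp == null || tmp < 0 || (!millis && tmp > Integer.MAX_VALUE / 1000)) {
            return DEFAULT_TIMEOUT_MILLIS;
        }
        return millis ? tmp : tmp * 1000;
    }

    // Integer.getInteger (used by GetIntegerAction) yields null for absent or unparsable input.
    private static Integer parseInteger(String s) {
        if (s == null) return null;
        try {
            return Integer.valueOf(s.trim());
        } catch (NumberFormatException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        for (String s : new String[] {null, "15", "0", "500ms", "250MS", "-5", "abc"}) {
            System.out.printf("%-6s legacy=%6d ms  proposed=%6d ms%n",
                    s, legacyTimeoutMillis(s), timeoutMillis(s));
        }
    }
}
```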
- backported by
  - JDK-8338808 Enhance OCSP, CRL and Certificate Fetch Timeouts (Open)
  - JDK-8337406 Enhance OCSP, CRL and Certificate Fetch Timeouts (New)
- csr for
  - JDK-8300722 Enhance OCSP, CRL and Certificate Fetch Timeouts (Closed)
- duplicates
  - JDK-8300812 Configurable connect and read timeouts for Certificates (Closed)
  - JDK-8315979 OCSP request throws Connection timeout occasionally (Closed)
- relates to
  - JDK-8309740 Expand timeout windows for tests in JDK-8179502 (Resolved)
  - JDK-8308601 Review and adjust Certificate, CRL and OCSP path validation fetch timeout defaults (Open)
  - JDK-8309754 java/security/cert/CertPathValidator/OCSP/OCSPTimeout.java failed with "Expected to pass, found 1 soft fail exceptions" (Open)
  - JDK-8337826 Improve logging in OCSPTimeout and SimpleOCSPResponder to help diagnose JDK-8309754 (Resolved)
- links to
  - Commit openjdk/jdk/2836c34b
  - Review openjdk/jdk/13762
  - Review(master) openjdk/jdk17u-dev/2747
  - Review(master) openjdk/jdk17u-dev/2754