JDK-8179502

Enhance OCSP, CRL and Certificate Fetch Timeouts


    • b24
    • generic
    • generic

        A DESCRIPTION OF THE REQUEST:
        The current OCSP implementation of Java has the unit of timeout in seconds. This means that the OCSP client will have to wait for a minimum of 1 sec before timing out the connection. 1 sec is a huge amount of time in modern electronic communications. I request that in the default OCSP the timeout is changed from seconds to milliseconds.

        Below is the problematic code:

        Class: sun.security.provider.certpath.OCSP

        import sun.security.action.GetIntegerAction;

        // Excerpt from sun.security.provider.certpath.OCSP: the connect timeout
        // is read from com.sun.security.ocsp.timeout, which is interpreted in seconds.
        private static final int DEFAULT_CONNECT_TIMEOUT = 15000;
        private static final int CONNECT_TIMEOUT = initializeTimeout();

        private static int initializeTimeout() {
            Integer tmp = java.security.AccessController.doPrivileged(
                    new GetIntegerAction("com.sun.security.ocsp.timeout"));
            if (tmp == null || tmp < 0) {
                return DEFAULT_CONNECT_TIMEOUT;
            }
            // Convert to milliseconds, as the system property will be
            // specified in seconds
            return tmp * 1000;
        }

        In this we can clearly see that the minimum non-zero value returned from the initializeTimeout() method would be 1000 milliseconds (1 sec).



        JUSTIFICATION:
        In the current OCSP implementation of Java, the unit of timeout is seconds. This means that the OCSP client will have to wait for a minimum of 1 sec before timing out the connection. 1 sec is a huge amount of time in modern electronic communications. I request that in the default OCSP the timeout is changed from seconds to milliseconds.

        In addition, two other related enhancements should be made:
        1. Properties that deal with CRL fetching and reading (com.sun.security.crl.timeout and com.sun.security.crl.readtimeout) should also be extended to allow for millisecond granularity.
        2. Properties that fetch certificates based on the AIA extension should have configurable timeouts. This will require two new properties: com.sun.security.cert.timeout and com.sun.security.cert.readtimeout. These will be specified with the same syntax as the properties above (numeric value only interpreted as seconds, a numeric value ending in case-insensitive "ms" to be interpreted in milliseconds). In addition, these property timeouts will only be acted upon when the com.sun.security.enableAIAcaIssuers property is set to true, as this is required for certificate fetching from the AIA extension.
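The property syntax described in items 1 and 2 above, together with the seconds-only granularity visible in the OCSP excerpt, as an added example that is not part of this issue's text or of the JDK's own code: a small parser that accepts a bare number as seconds and a number with a case-insensitive "ms" suffix as milliseconds, and falls back to the caller's default for null, negative or malformed values, as the current initializeTimeout() does for null and negative integers. The class name TimeoutPropertyParser and its method names are assumptions made for this illustration; only the property names and the 15000 ms default come from the issue.

```java
import java.util.Locale;

/**
 * Illustrative parser for the timeout syntax proposed in JDK-8179502
 * (example code, not the JDK's implementation): a bare number is seconds,
 * a number ending in case-insensitive "ms" is milliseconds, and anything
 * null, negative or unparseable falls back to the supplied default.
 */
public final class TimeoutPropertyParser {

    /** Default the OCSP client uses today for connects: 15 seconds, in ms. */
    public static final int DEFAULT_CONNECT_TIMEOUT_MS = 15000;

    private TimeoutPropertyParser() {}

    /**
     * Converts a property value to milliseconds.
     *
     * @param value     raw property value (may be null when the property is unset)
     * @param defaultMs value returned for null, negative or malformed input
     * @return timeout in milliseconds, clamped to Integer.MAX_VALUE
     */
    public static int parseTimeoutMillis(String value, int defaultMs) {
        if (value == null) {
            return defaultMs;
        }
        String v = value.trim().toLowerCase(Locale.ROOT);
        boolean inMillis = v.endsWith("ms");
        if (inMillis) {
            v = v.substring(0, v.length() - 2).trim();
        }
        long parsed;
        try {
            parsed = Long.parseLong(v);
        } catch (NumberFormatException e) {
            return defaultMs;   // malformed value ("abc", "ms", ""): treat as unset
        }
        if (parsed < 0) {
            return defaultMs;   // negative values rejected, as initializeTimeout() does today
        }
        if (!inMillis) {
            if (parsed > Integer.MAX_VALUE / 1000) {
                return Integer.MAX_VALUE;   // clamp rather than overflow into a negative int
            }
            parsed *= 1000;                 // seconds -> milliseconds
        }
        // 0 is passed through unchanged: URLConnection.setConnectTimeout(0)
        // means "no timeout", so a zero value is a policy decision, not an error.
        return (int) Math.min(parsed, Integer.MAX_VALUE);
    }

    /** Reads a named system property with the proposed syntax. */
    public static int readTimeoutProperty(String propertyName, int defaultMs) {
        return parseTimeoutMillis(System.getProperty(propertyName), defaultMs);
    }

    public static void main(String[] args) {
        // Constructed sample values contrasting the proposed syntax with the
        // seconds-only rule in OCSP.initializeTimeout(), whose smallest
        // non-zero result is 1000 ms.
        String[] samples = { "15", "1", "250ms", "250MS", " 40 ms ", "0", "-5", "abc", "ms", null };
        for (String s : samples) {
            System.out.printf("%-10s -> %d ms%n", s, parseTimeoutMillis(s, DEFAULT_CONNECT_TIMEOUT_MS));
        }
        System.out.printf("com.sun.security.ocsp.timeout -> %d ms%n",
                readTimeoutProperty("com.sun.security.ocsp.timeout", DEFAULT_CONNECT_TIMEOUT_MS));
    }
}
```

Running with, for example, -Dcom.sun.security.ocsp.timeout=250ms exercises the property path; the same parser would serve com.sun.security.crl.timeout, com.sun.security.crl.readtimeout and the proposed com.sun.security.cert.timeout and com.sun.security.cert.readtimeout, since the issue asks for one syntax across all of them. A hardened implementation should keep rejecting negatives and malformed strings rather than throwing, so that a mistyped property degrades to the default timeout instead of disabling revocation checking at startup.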



              jnimeh Jamil Nimeh
              webbuggrp Webbug Group