-
Enhancement
-
Resolution: Fixed
-
P4
-
8, 9
-
b24
-
generic
-
generic
Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-8338808 | 17-pool-oracle | Nibedita Jena | P4 | Open | Unresolved | |
JDK-8337406 | 17-pool | Alexey Bakhtin | P4 | New | Unresolved |
The current OCSP implementation of Java has the unit of timeout in seconds. This means that the OCSP client will have to wait for min. 1 sec before timing out the connection. 1 sec is a huge amount of time in modern electronic communications. I request that in the default OCSP the timeout is changed from seconds to miliseconds.
Below is the problematic code :
Class : sun.security.provider.certpath.OCSP
private static final int DEFAULT_CONNECT_TIMEOUT = 15000;
private static final int CONNECT_TIMEOUT = initializeTimeout();
private static int initializeTimeout() {
Integer tmp = java.security.AccessController.doPrivileged(
new GetIntegerAction("com.sun.security.ocsp.timeout"));
if (tmp == null || tmp < 0) {
return DEFAULT_CONNECT_TIMEOUT;
}
// Convert to milliseconds, as the system property will be
// specified in seconds
return tmp * 1000;
}
In this we can clearly see that the min non zero value returned from initializeTimeout() method would be 1000 miliseconds (1sec)
JUSTIFICATION :
The current OCSP implementation of Java the unit of timeout is seconds. This means that the OCSP client will have to wait for min. 1 sec before timing out the connection. 1 sec is a huge amount of time in modern electronic communications. I request that in the default OCSP the timeout is changed from seconds to miliseconds.
In addition, two other related enhancements should be made:
1. Properties that deal with CRL fetching and reading (com.sun.security.crl.timeout and com.sun.security.crl.readtimeout) should also be extended to allow for millisecond granularity.
2. Properties that fetch certificates based on the AIA extension should have configurable timeouts. This will require two new properties: com.sun.security.cert.timeout and com.sun.security.cert.readtimeout. These will be specified with the same syntax as the properties above (numeric value only interpreted as seconds, a numeric value ending in case-insensitive "ms" to be interpreted in milliseconds). In addition, these property timeouts will only be acted upon when the com.sun.security.enableAIAcaIssuers property is set to true, as this is required for certificate fetching from the AIA extension.
- backported by
-
JDK-8338808 Enhance OCSP, CRL and Certificate Fetch Timeouts
- Open
-
JDK-8337406 Enhance OCSP, CRL and Certificate Fetch Timeouts
- New
- csr for
-
JDK-8300722 Enhance OCSP, CRL and Certificate Fetch Timeouts
- Closed
- duplicates
-
JDK-8300812 Configurable connect and read timeouts for Certificates
- Closed
-
JDK-8315979 OCSP request throws Connection timeout occasionally
- Closed
- relates to
-
JDK-8309740 Expand timeout windows for tests in JDK-8179502
- Resolved
-
JDK-8308601 Review and adjust Certificate, CRL and OCSP path validation fetch timeout defaults
- Open
-
JDK-8309754 java/security/cert/CertPathValidator/OCSP/OCSPTimeout.java failed with "Expected to pass, found 1 soft fail exceptions"
- Open
-
JDK-8337826 Improve logging in OCSPTimeout and SimpleOCSPResponder to help diagnose JDK-8309754
- Resolved
- links to
-
Commit openjdk/jdk/2836c34b
-
Review openjdk/jdk/13762
-
Review(master) openjdk/jdk17u-dev/2747
-
Review(master) openjdk/jdk17u-dev/2754