  1. JDK
  2. JDK-8179502 Enhance OCSP, CRL and Certificate Fetch Timeouts
  3. JDK-8308582

Release Note: Enhanced OCSP, Certificate, and CRL Fetch Timeouts


Details

    Description

      This feature delivers an enhanced syntax for properties related to certificate, CRL, and OCSP connect and read timeouts. The new syntax allows the timeout values to be specified either in seconds or milliseconds. This feature also delivers three new System properties related to connect and read timeouts.

      *New properties*: The existing `com.sun.security.ocsp.timeout` property will now be paired with the new `com.sun.security.ocsp.readtimeout` property. The former property will be used to set timeouts for the transport-layer connection while the latter will be used to manage timeouts for reading the data.
      The new `com.sun.security.cert.timeout` and `com.sun.security.cert.readtimeout` properties will be used to control connect and read timeouts, respectively, when following an X.509 certificate's AuthorityInfoAccess extension. For the certificate fetching properties, the `com.sun.security.enableAIAcaIssuers` property must be set to `true` for fetching to occur and for these timeouts to take effect.

      *Enhanced timeout syntax*: The new syntax applies to the aforementioned properties, and also to the `com.sun.security.crl.timeout` and `com.sun.security.crl.readtimeout` properties. The allowed syntax is as follows:

       - A decimal integer with no suffix. This will be interpreted in seconds, which ensures backward compatibility.
       - A decimal integer value with "s" (case-insensitive, no space) appended to it. This will also be interpreted in seconds.
       - A decimal integer value with "ms" (case-insensitive, no space) appended to it. This will be interpreted as milliseconds. For example, a value of "2500ms" will be a 2.5 second timeout.
       - Negative, non-numeric, or non-decimal (for example, hexadecimal values prefixed with "0x") values will be interpreted as illegal and will default to the 15 second timeout.
       - Whether the value is interpreted in seconds or milliseconds, a value of zero will disable the timeout.
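
      A pre-deployment check for these settings, added here as an illustration and not the JDK's own parsing code: it applies the rules listed above to candidate property values and reports the timeout each would produce, so that illegal values that fall back to the default and zero values that disable a timeout are visible before rollout. The class and method names are hypothetical, the sample values are constructed, and the handling of values too large for an `int` is an assumption.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class FetchTimeoutCheck {
    static final int DEFAULT_MS = 15_000; // 15 second default named in the release note
    // Decimal digits, then an optional "s" or "ms" suffix with no space before it.
    static final Pattern SYNTAX = Pattern.compile("(\\d+)(ms|s)?");

    /** Milliseconds for a legal value (0 = timeout disabled), or -1 if the value is illegal. */
    static int parseMillis(String value) {
        Matcher m = SYNTAX.matcher(value.toLowerCase(Locale.ROOT));
        if (!m.matches()) return -1; // negative, non-numeric, hex, or embedded space
        try {
            long n = Long.parseLong(m.group(1));
            long ms = "ms".equals(m.group(2)) ? n : Math.multiplyExact(n, 1000L);
            // Assumption: a value that does not fit in an int is treated as illegal.
            return ms > Integer.MAX_VALUE ? -1 : (int) ms;
        } catch (ArithmeticException | NumberFormatException e) {
            return -1;
        }
    }

    public static void main(String[] args) {
        // Constructed sample settings, not taken from a real deployment.
        Map<String, String> sample = new LinkedHashMap<>();
        sample.put("com.sun.security.ocsp.timeout", "5");
        sample.put("com.sun.security.ocsp.readtimeout", "2500ms");
        sample.put("com.sun.security.crl.timeout", "10S");
        sample.put("com.sun.security.crl.readtimeout", "0x10");
        sample.put("com.sun.security.cert.timeout", "-3");
        sample.put("com.sun.security.cert.readtimeout", "0ms");
        for (Map.Entry<String, String> e : sample.entrySet()) {
            int parsed = parseMillis(e.getValue());
            int effective = parsed < 0 ? DEFAULT_MS : parsed;
            String note = parsed < 0 ? "illegal, default applies"
                    : parsed == 0 ? "timeout disabled" : "ok";
            System.out.printf("%-36s %-7s -> %6d ms (%s)%n",
                    e.getKey(), e.getValue(), effective, note);
        }
    }
}
```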

          People

            jnimeh Jamil Nimeh