JDK-8315979

OCSP request throws Connection timeout occasionally

Details

    • b04
    • 17
    • generic
    • generic

    Description

      ADDITIONAL SYSTEM INFORMATION :
      Java 17.0.8 tested on both Windows 10 and Debian 12

      A DESCRIPTION OF THE PROBLEM :
      When a certificate is validated using OCSP the request occasionally fails with the message "Unable to determine revocation status due to network error".

      This error happens because a ConnectException is thrown when the OCSP request fails. There is however a discrepancy in how the connection timeout is set, based on how large the OCSP request is.

      If it is smaller than 255 characters no connection timeout is set. Otherwise either the default timeout of 15 seconds or a configurable timeout is set for the connection.

      The change was introduced in https://github.com/openjdk/jdk/commit/f5ee356540d7aa4a7663c0d5d74f5fdb0726b426#diff-905a61d1dae19533a61cb5dd302071479775870df89d3a18e6db2537b007c803

      REGRESSION : Last worked in version 17

      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      Validate a certificate using OCSP multiple times in a row. Occasionally the requests will fail with a certificate validation error. The OCSP request has to be smaller than 255 characters to stay in the upper branch of the if-statement in OCSP:getOCSPBytes.

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      All OCSP requests should succeed independent of the OCSP request method (GET or POST) being used (provided the server responds in the specified timeout).
      ACTUAL -
      A ConnectException is thrown if the server does not respond immediately:

      Caused by: java.security.cert.CertPathValidatorException: Unable to determine revocation status due to network error
      at java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
      at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:224)
      at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:144)
      at java.base/sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:83)
      at java.base/java.security.cert.CertPathValidator.validate(CertPathValidator.java:309)
      at Main2$1.run(Main2.java:54)
      ... 1 more
      Caused by: java.net.ConnectException: Connection timed out: connect
      at java.base/sun.nio.ch.Net.connect0(Native Method)
      at java.base/sun.nio.ch.Net.connect(Net.java:579)
      at java.base/sun.nio.ch.Net.connect(Net.java:568)
      at java.base/sun.nio.ch.NioSocketImpl.connect(NioSocketImpl.java:593)
      at java.base/java.net.Socket.connect(Socket.java:633)
      at java.base/java.net.Socket.connect(Socket.java:583)
      at java.base/sun.net.NetworkClient.doConnect(NetworkClient.java:183)
      at java.base/sun.net.www.http.HttpClient.openServer(HttpClient.java:533)
      at java.base/sun.net.www.http.HttpClient.openServer(HttpClient.java:638)
      at java.base/sun.net.www.http.HttpClient.<init>(HttpClient.java:281)
      at java.base/sun.net.www.http.HttpClient.New(HttpClient.java:386)
      at java.base/sun.net.www.http.HttpClient.New(HttpClient.java:408)
      at java.base/sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(HttpURLConnection.java:1309)
      at java.base/sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1242)
      at java.base/sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:1128)
      at java.base/sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:1057)
      at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1665)
      at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1589)
      at java.base/java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:529)
      at java.base/sun.security.provider.certpath.OCSP.getOCSPBytes(OCSP.java:273)
      at java.base/sun.security.provider.certpath.OCSP.check(OCSP.java:195)
      at java.base/sun.security.provider.certpath.RevocationChecker.checkOCSP(RevocationChecker.java:785)
      at java.base/sun.security.provider.certpath.RevocationChecker.check(RevocationChecker.java:369)
      at java.base/sun.security.provider.certpath.RevocationChecker.check(RevocationChecker.java:343)
      at java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
      ... 6 more

      CUSTOMER SUBMITTED WORKAROUND :
      Use Java 17+3

      FREQUENCY : occasionally
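
The branch described in this report, as an added example: a simplified model written for this page, not the JDK's `OCSP.getOCSPBytes` source and not the reporter's code. The class name, the `timeoutOnGet` switch, the responder URL and the zero-filled request bytes are assumptions made for illustration; nothing is sent over the network.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class OcspTimeoutModel {
    static final int GET_LIMIT = 255;      // size threshold named in the report
    static final int TIMEOUT_MS = 15_000;  // default timeout named in the report

    // Prepares, but does not send, an OCSP request.
    // timeoutOnGet=false models the reported behaviour; true models the expected one.
    static HttpURLConnection prepare(URI responder, byte[] req, boolean timeoutOnGet)
            throws IOException {
        // GET form: responder URL + "/" + URL-encoded Base64 of the DER request.
        String getUrl = responder + "/" + URLEncoder.encode(
                Base64.getEncoder().encodeToString(req), StandardCharsets.UTF_8);
        HttpURLConnection con;
        if (getUrl.length() < GET_LIMIT) {
            con = (HttpURLConnection) URI.create(getUrl).toURL().openConnection();
            con.setRequestMethod("GET");
            if (timeoutOnGet) {
                con.setConnectTimeout(TIMEOUT_MS);  // the call missing on this branch
            }
        } else {
            con = (HttpURLConnection) responder.toURL().openConnection();
            con.setConnectTimeout(TIMEOUT_MS);
            con.setDoOutput(true);
            con.setRequestMethod("POST");
            con.setRequestProperty("Content-Type", "application/ocsp-request");
            con.setFixedLengthStreamingMode(req.length);
        }
        return con;
    }

    public static void main(String[] args) throws IOException {
        URI responder = URI.create("http://ocsp.example.test");  // placeholder responder
        byte[][] requests = { new byte[80], new byte[400] };     // constructed stand-ins
        for (boolean timeoutOnGet : new boolean[] { false, true }) {
            for (byte[] req : requests) {
                HttpURLConnection c = prepare(responder, req, timeoutOnGet);
                // A connect timeout of 0 means no Java-level limit on connect().
                System.out.printf("timeoutOnGet=%b %-4s connectTimeout=%d ms%n",
                        timeoutOnGet, c.getRequestMethod(), c.getConnectTimeout());
            }
        }
    }
}
```

With `timeoutOnGet=false` the GET connection reports a connect timeout of 0 while the POST connection reports 15000, which is the discrepancy the report describes.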


            People

              jnimeh Jamil Nimeh
              webbuggrp Webbug Group