- Bug
- Resolution: Duplicate
- P3
- 17, 20
- b04
- generic
- generic
ADDITIONAL SYSTEM INFORMATION :
Java 17.0.8 tested on both Windows 10 and Debian 12
A DESCRIPTION OF THE PROBLEM :
When a certificate is validated using OCSP, the request occasionally fails with the message "Unable to determine revocation status due to network error".
This error happens because a ConnectException is thrown when the OCSP request fails. However, there is a discrepancy in how the connection timeout is set, depending on the size of the OCSP request.
If the request is smaller than 255 characters, no connection timeout is set at all. Otherwise, either the default timeout of 15 seconds or a configurable timeout is set for the connection.
The change was introduced in https://github.com/openjdk/jdk/commit/f5ee356540d7aa4a7663c0d5d74f5fdb0726b426#diff-905a61d1dae19533a61cb5dd302071479775870df89d3a18e6db2537b007c803
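To make the asymmetry concrete, the following is a constructed example (not the JDK's own code) of an OCSP fetch that selects GET or POST on the same 255-character threshold the report describes but applies the connect and read timeouts on both branches; OcspFetch, TIMEOUT_MS and the responder URI are assumptions for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URI;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Constructed illustration of the GET/POST split described in the report.
// Unlike the JDK 17.0.8 code path, the timeouts are set regardless of branch.
public final class OcspFetch {
    // Same 15 second default the report mentions; real code should make it configurable.
    static final int TIMEOUT_MS = 15_000;

    static byte[] fetch(URI responder, byte[] derRequest) throws IOException {
        // RFC 6960 Appendix A: GET carries the base64 DER request, URL-encoded, in the path.
        String b64 = URLEncoder.encode(
                Base64.getEncoder().encodeToString(derRequest), StandardCharsets.UTF_8);
        String base = responder.toString().endsWith("/") ? responder.toString() : responder + "/";
        String getUrl = base + b64;
        boolean useGet = getUrl.length() <= 255; // the length threshold from the report

        HttpURLConnection con;
        if (useGet) {
            con = (HttpURLConnection) new URL(getUrl).openConnection();
            con.setRequestMethod("GET");
        } else {
            con = (HttpURLConnection) responder.toURL().openConnection();
            con.setRequestMethod("POST");
            con.setDoOutput(true);
            con.setFixedLengthStreamingMode(derRequest.length);
            con.setRequestProperty("Content-Type", "application/ocsp-request");
        }
        // The point of the report: a stalled responder must fail fast on BOTH paths,
        // otherwise the validator blocks on the platform's default TCP connect timeout.
        con.setConnectTimeout(TIMEOUT_MS);
        con.setReadTimeout(TIMEOUT_MS);
        con.setRequestProperty("Accept", "application/ocsp-response");

        if (!useGet) {
            try (OutputStream out = con.getOutputStream()) { out.write(derRequest); }
        }
        if (con.getResponseCode() != HttpURLConnection.HTTP_OK) {
            throw new IOException("OCSP responder returned HTTP " + con.getResponseCode());
        }
        try (InputStream in = con.getInputStream()) { return in.readAllBytes(); }
    }
}
```

The read timeout matters as much as the connect timeout: a responder that accepts the TCP connection and then stalls would otherwise hang the certificate path validation indefinitely, which is the same denial-of-service exposure the missing connect timeout creates.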
REGRESSION : Last worked in version 17
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Validate a certificate using OCSP multiple times in a row. Occasionally the requests will fail with a certificate validation error. The OCSP request has to be smaller than 255 characters to stay in the upper branch (the GET branch) of the if-statement in OCSP.getOCSPBytes.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
All OCSP requests should succeed independent of the OCSP request method (GET or POST) being used, provided the server responds within the specified timeout.
ACTUAL -
A ConnectException is thrown if the server does not respond immediately:
Caused by: java.security.cert.CertPathValidatorException: Unable to determine revocation status due to network error
at java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:224)
at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:144)
at java.base/sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:83)
at java.base/java.security.cert.CertPathValidator.validate(CertPathValidator.java:309)
at Main2$1.run(Main2.java:54)
... 1 more
Caused by: java.net.ConnectException: Connection timed out: connect
at java.base/sun.nio.ch.Net.connect0(Native Method)
at java.base/sun.nio.ch.Net.connect(Net.java:579)
at java.base/sun.nio.ch.Net.connect(Net.java:568)
at java.base/sun.nio.ch.NioSocketImpl.connect(NioSocketImpl.java:593)
at java.base/java.net.Socket.connect(Socket.java:633)
at java.base/java.net.Socket.connect(Socket.java:583)
at java.base/sun.net.NetworkClient.doConnect(NetworkClient.java:183)
at java.base/sun.net.www.http.HttpClient.openServer(HttpClient.java:533)
at java.base/sun.net.www.http.HttpClient.openServer(HttpClient.java:638)
at java.base/sun.net.www.http.HttpClient.<init>(HttpClient.java:281)
at java.base/sun.net.www.http.HttpClient.New(HttpClient.java:386)
at java.base/sun.net.www.http.HttpClient.New(HttpClient.java:408)
at java.base/sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(HttpURLConnection.java:1309)
at java.base/sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1242)
at java.base/sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:1128)
at java.base/sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:1057)
at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1665)
at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1589)
at java.base/java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:529)
at java.base/sun.security.provider.certpath.OCSP.getOCSPBytes(OCSP.java:273)
at java.base/sun.security.provider.certpath.OCSP.check(OCSP.java:195)
at java.base/sun.security.provider.certpath.RevocationChecker.checkOCSP(RevocationChecker.java:785)
at java.base/sun.security.provider.certpath.RevocationChecker.check(RevocationChecker.java:369)
at java.base/sun.security.provider.certpath.RevocationChecker.check(RevocationChecker.java:343)
at java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
... 6 more
CUSTOMER SUBMITTED WORKAROUND :
Use Java 17+3
FREQUENCY : occasionally
- duplicates: JDK-8179502 Enhance OCSP, CRL and Certificate Fetch Timeouts (Resolved)
- relates to: JDK-8179503 Java should support GET OCSP calls (Resolved)