Re: RFR: 8179502: Enhance OCSP, CRL and Certificate Fetch Timeouts [v4]

Mon, 22 May 2023 10:38:54 -0700 

On Mon, 22 May 2023 16:59:15 GMT, Jamil Nimeh <jni...@openjdk.org> wrote:

>> This set of enhancements extends the allowed syntax for the 
>> `com.sun.security.ocsp.timeout`, `com.sun.security.crl.timeout` and 
>> `com.sun.security.crl.readtimeout` System properties.  These properties 
>> retain their current behavior where a purely numeric value is interpreted in 
>> seconds, but now the numeric value may also be appended with "ms" 
>> (case-insensitive) to be interpreted as milliseconds.
>> 
>> This enhancement also adds two new System properties: 
>> `com.sun.security.cert.timeout` and `com.sun.security.cert.readtimeout` 
>> which follow the same new allowed syntax.  These timeouts only come into 
>> play when an AIA extension on a certificate is followed for pulling the 
>> issuing authority certificate and only when the 
>> `com.sun.security.enableAIAcaIssuers` property is true (default false).
>> 
>> JBS: https://bugs.openjdk.org/browse/JDK-8179502
>> CSR: https://bugs.openjdk.org/browse/JDK-8300722
>
> Jamil Nimeh has updated the pull request incrementally with one additional 
> commit since the last revision:
> 
>   Use privilegedGetProperty, catch NFE following string match

src/java.base/share/classes/sun/security/action/GetPropertyAction.java line 211:

> 209:                             " for timeout value " + propVal +
> 210:                             ". Using default value of " + def + " 
> msec.");
> 211:                 }

This would also be useful debug for the else case on line 214-216 if the value 
is not an integer.

src/java.base/share/classes/sun/security/provider/certpath/URICertStore.java 
line 131:

> 129:     private static final int DEFAULT_CRL_READ_TIMEOUT = 15000;
> 130: 
> 131:     // Default connect and read timeouts for CA certificate fetching (15 
> sec)

Does 15 seconds make sense as the default timeout, especially for certs? CRLs 
are generally larger than certs, so a longer read timeout makes sense.

I'm ok with keeping these default values the same for consistency, but I think 
we should re-evaluate each of these default timeouts and compare them to other 
products/technologies to see if some adjustments may be needed - can you file a 
follow-on RFE for that?

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/13762#discussion_r1200805069
PR Review Comment: https://git.openjdk.org/jdk/pull/13762#discussion_r1200812030

Reply via email to