On Tue, 9 May 2023 15:55:24 GMT, Jamil Nimeh <jni...@openjdk.org> wrote:
>> src/java.base/share/classes/sun/security/provider/certpath/OCSP.java line 1:
>>
>>> 1: /*
>>
>> I see there is no way to individually control the OCSP read and connect timeouts like there is for certs and CRLs. Perhaps this isn't as big an issue, but when you set the OCSP timeout, it really means 2x what you set.
>
> Yes, I noticed that too. I wasn't sure if we needed to make a change there. I opted to leave well enough alone since nobody was asking for it and it's one less property to keep track of. All of these property sets end up with a max latency of connect-timeout + read-timeout, and by default they are set to the same values. So in practice much of the time they are all 2x.
>
> It's easy enough I think to make a separate property for `com.sun.security.ocsp.readtimeout` and then the existing `.timeout` property would be for connect timeouts (keeping in line with the other props). I don't think it will introduce significant risk but I will highlight that in the CSR.

> I think you should also apply the cert and CRL timeouts to the `LDAPCertStore` implementation, using the JNDI properties: `com.sun.jndi.ldap.connect.timeout` and `com.sun.jndi.ldap.read.timeout`.

I will look into this.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/13762#discussion_r1188817169