8179502: Enhance OCSP, CRL and Certificate Fetch Timeouts #2747
Conversation
|
👋 Welcome back abakhtin! A progress list of the required criteria for merging this PR into |
|
❗ This change is not yet ready to be integrated. |
openjdk
bot
changed the title
|
This backport pull request has now been updated with issue from the original commit. |
|
At least one of the issues associated with this backport has a resolved CSR for a different version. As this means that this backport may also need a CSR, the |
openjdk
bot
added
csr
Webrevs
|
|
CSR JDK-8337407 for JDK17 is created |
|
@alexeybakhtin This pull request has been inactive for more than 4 weeks and will be automatically closed if another 4 weeks passes without any activity. To avoid this, simply add a new comment to the pull request. Feel free to ask for assistance if you need help with progressing this pull request towards integration! |
|
Hi @alexeybakhtin Thanks. |
|
Hi @HempushpaSahu. Yes, I will request integration into 17u as soon as it is reviewed here. |
|
Hi @alexeybakhtin, Thanks. |
|
Hello everyone, |
|
Hi, Thanks. |
|
Hi, Thanks. |
|
Hi @jnimeh , Thanks. |
|
Hello @HempushpaSahu. I can review the CSR. I think you need someone who has reviewer status in the jdk-updates project in order to be able to commit this. I only have committer status there. You should be able to find many folks with jdk-updates reviewer status on the OpenJDK census page though. |
|
I would also suggest looking at incorporating JDK-8309740 and JDK-8309754 in follow-on integrations as they pertain to the tests in this PR. |
|
Hi @seanjmullan , |
Thanks @jnimeh for your inputs. |
|
Hi @GoeLin |
|
Hi @GoeLin |
|
Hi @alexeybakhtin, Thanks. |
|
CSR is approved. |
|
|
Hi @GoeLin, you are right. The new "com.sun.security.ocsp.readtimeout" property is set independently of "com.sun.security.crl.timeout". In your case, it will fall back to the default 15s value. It changes current behavior. |
| @@ -72,13 +69,23 @@ public final class OCSP { | |||
| private static final Debug debug = Debug.getInstance("certpath"); | |||
|
|
|||
| private static final int DEFAULT_CONNECT_TIMEOUT = 15000; | |||
| private static final int DEFAULT_READ_TIMEOUT = 15000; | |||
There was a problem hiding this comment.
Hi @alexeybakhtin and @GoeLin,
After e73f8c1, DEFAULT_READ_TIMEOUT is now unused and can be removed.
Apparently, this backward-compatibility problem went undetected in the original change. Please also note that the behavior is no longer aligned with the CSR (emphasis by me):
For all properties, existing and new, the proposed expanded syntax will conform to the following:
- […]
- As with the current behavior, non-numeric, non-decimal (e.g. hexadecimal values prepended by "0x", etc) values will be interpreted as illegal and will default to the 15 second timeout. The same is true for negative values.
com.sun.security.ocsp.readtimeout is now an exceptional case, it won't default to the 15 seconds timeout, but to com.sun.security.ocsp.timeout (which defaults to 15 seconds).
Should the CSR be adjusted? Otherwise, how do we ensure Oracle's backport behaves the same way? I don't have enough backporting experience, is it usually accepted to diverge from newer releases (≥ 21u) in a backport CSR?
There was a problem hiding this comment.
Hi @franferrax
Thank you for the finding. I'll remove DEFAULT_READ_TIMEOUT
You are right, the CSR for update releases should be updated for com.sun.security.ocsp.readtimeout default value. I'll do it and ask you to review it from an engineering point of view.
I hope in this way, without backward compatibility, the patch will be accepted.
There was a problem hiding this comment.
I will take a look, but please note I'm not a Reviewer.
One more comment, I see that the following issues are not part of the backport. Although all of them are test-only changes (mostly tuning the timeout), we might also want to include these to avoid some instability.
- JDK-8309740, openjdk/jdk@5ca4cdd
- JDK-8310629, openjdk/jdk@b20dc1e
- JDK-8325024, openjdk/jdk@432756b
- JDK-8337826, openjdk/jdk@9b11bd7
The last one is an ongoing effort to try to fix JDK-8309754, so we could alternatively wait for that fix and then make all the 5 backports together.
There was a problem hiding this comment.
Backport PRs are created for test fixes
|
Hi @alexeybakhtin , I have tested the four backports mentioned above together, and they have passed successfully. Should we include these tests as part of the PR? |
|
@franferrax , @HempushpaSahu, Thank you!
Backports are clean, so no review is required |
|
Hi @alexeybakhtin, thank you for the additional time and effort put into this! My intention is to help move things faster, because I've been made aware about customers waiting for this. However, as @GoeLin explained, if Oracle doesn't include this backport in 17.0.14, the documentation won't be updated, so we'll need to wait for them to proceed. Apparently, Oracle's reason for not doing the backport is its low priority. Customers are now trying to get it prioritized through Oracle support, but it looks like we won't make it for the 17.0.14 rampdown date (December 3). NOTE: FYI, AFAIK, you can add multiple backports to a pull requiest with the |
|
Hi @franferrax, About |
Hello, I'd like to backport JDK-8179502 to JDK17u to improve the timeout adjustment for OCSP GET requests (which was missed in JDK-8179503).
The backport is almost clean except for the following:
All new and related jtreg tests are passed
Progress
Issues
Reviewers
Reviewing
Using
gitCheckout this PR locally:
$ git fetch https://git.openjdk.org/jdk17u-dev.git pull/2747/head:pull/2747$ git checkout pull/2747Update a local copy of the PR:
$ git checkout pull/2747$ git pull https://git.openjdk.org/jdk17u-dev.git pull/2747/headUsing Skara CLI tools
Checkout this PR locally:
$ git pr checkout 2747View PR using the GUI difftool:
$ git pr show -t 2747Using diff file
Download this PR as a diff file:
https://git.openjdk.org/jdk17u-dev/pull/2747.diff
Using Webrev
Link to Webrev Comment