United StatesChange Country, Oracle Worldwide Web Sites Communities I am a... I want to...
Bug ID: JDK-8011313 OCSP timeout set to wrong value if com.sun.security.ocsp.timeout not defined
JDK-8011313 : OCSP timeout set to wrong value if com.sun.security.ocsp.timeout not defined

Details
Type:
Bug
Submit Date:
2013-04-02
Status:
Closed
Updated Date:
2013-12-17
Project Name:
JDK
Resolved Date:
2013-04-25
Component:
security-libs
OS:
Sub-Component:
java.security
CPU:
Priority:
P3
Resolution:
Fixed
Affected Versions:
8
Fixed Versions:

Related Reports
Backport:
Backport:
Backport:
Backport:
Relates:
Relates:

Sub Tasks

Description
 int tmp = java.security.AccessController.doPrivileged(
+                new GetIntegerAction("com.sun.security.ocsp.timeout",
+                                     DEFAULT_CONNECT_TIMEOUT));
+        if (tmp < 0) {
+           return DEFAULT_CONNECT_TIMEOUT;
+        }
+        // Convert to milliseconds, as the system property will be
+        // specified in seconds
+        return tmp * 1000;

This would still fail and set timeout to 4 hours if "com.sun.security.ocsp.timeout" is not defined.

Since GetIntegerAction is used with default value, if the property is not defined then tmp will be set to DEFAULT_CONNECT_TIMEOUT of 15000 and method will return 15000 * 1000.

Suggestion would be to change DEFAULT_CONNECT_TIMEOUT to be in seconds instead of milliseconds. This would be consistent with the timeout property value.
                                    

Comments
This would be very common as most of the times "com.sun.security.ocsp.timeout" property will not be defined by programmers.
                                     
2013-04-02
run() method of GetIntegerAction returns the Integer object. Code should use .intValue() to get int tmp.
                                     
2013-04-02
URL:   http://hg.openjdk.java.net/jdk8/deploy/jdk/rev/78d08fc2dd12
User:  mullan
Date:  2013-04-25 15:52:44 +0000

                                     
2013-04-25
Cover the tmp == null || tmp < 0 ,The code look good
                                     
2013-04-26
SQE ok.
                                     
2013-04-29
URL:   http://hg.openjdk.java.net/jdk8/jdk8/jdk/rev/78d08fc2dd12
User:  ngthomas
Date:  2013-05-01 04:51:19 +0000

                                     
2013-05-01



Hardware and Software, Engineered to Work Together