JDK-8011313 : OCSP timeout set to wrong value if com.sun.security.ocsp.timeout not defined
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 8
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • Submitted: 2013-04-02
  • Updated: 2013-12-17
  • Resolved: 2013-04-25
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
7u25Resolved 8 b88Fixed
Related Reports
Relates :  
Relates :  
 int tmp = java.security.AccessController.doPrivileged(
+                new GetIntegerAction("com.sun.security.ocsp.timeout",
+                                     DEFAULT_CONNECT_TIMEOUT));
+        if (tmp < 0) {
+           return DEFAULT_CONNECT_TIMEOUT;
+        }
+        // Convert to milliseconds, as the system property will be
+        // specified in seconds
+        return tmp * 1000;

This would still fail and set timeout to 4 hours if "com.sun.security.ocsp.timeout" is not defined.

Since GetIntegerAction is used with default value, if the property is not defined then tmp will be set to DEFAULT_CONNECT_TIMEOUT of 15000 and method will return 15000 * 1000.

Suggestion would be to change DEFAULT_CONNECT_TIMEOUT to be in seconds instead of milliseconds. This would be consistent with the timeout property value.
SQE ok.

Cover the tmp == null || tmp < 0 ,The code look good

run() method of GetIntegerAction returns the Integer object. Code should use .intValue() to get int tmp.

This would be very common as most of the times "com.sun.security.ocsp.timeout" property will not be defined by programmers.