JDK-8011313 : OCSP timeout set to wrong value if com.sun.security.ocsp.timeout not defined
- Type: Bug
- Component: security-libs
- Sub-Component: java.security
- Affected Version: 8
- Priority: P3
- Status: Closed
- Resolution: Fixed
- Submitted: 2013-04-02
- Updated: 2013-12-17
- Resolved: 2013-04-25
The Version table provides details related to the release that this issue/RFE will be addressed.
Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.
To download the current JDK release, click here.
Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.
To download the current JDK release, click here.
| JDK 7 | JDK 8 |
|---|---|
7u25Resolved  |
8 b88Fixed |
Related Reports
|
Relates :
|
|
|
Relates :
|
Description
int tmp = java.security.AccessController.doPrivileged(
+ new GetIntegerAction("com.sun.security.ocsp.timeout",
+ DEFAULT_CONNECT_TIMEOUT));
+ if (tmp < 0) {
+ return DEFAULT_CONNECT_TIMEOUT;
+ }
+ // Convert to milliseconds, as the system property will be
+ // specified in seconds
+ return tmp * 1000;
This would still fail and set timeout to 4 hours if "com.sun.security.ocsp.timeout" is not defined.
Since GetIntegerAction is used with default value, if the property is not defined then tmp will be set to DEFAULT_CONNECT_TIMEOUT of 15000 and method will return 15000 * 1000.
Suggestion would be to change DEFAULT_CONNECT_TIMEOUT to be in seconds instead of milliseconds. This would be consistent with the timeout property value.
Comments
|