JDK-8191808 : Configurable read timeout for CRLs
- Type: Enhancement
- Component: security-libs
- Sub-Component: java.security
- Affected Version: 8,9
- Priority: P4
- Status: Resolved
- Resolution: Delivered
- Submitted: 2017-11-21
- Updated: 2019-05-16
- Resolved: 2019-05-09
The Version table provides details related to the release that this issue/RFE will be addressed.
Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.
To download the current JDK release, click here.
Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.
To download the current JDK release, click here.
| JDK 13 |
|---|
13 b21Resolved  |
Related Reports
|
CSR :
|
|
|
Duplicate :
|
Sub Tasks
|
JDK-8223648 :
|
|
|
JDK-8223649 :
|
Description
A DESCRIPTION OF THE REQUEST : The URICertStore does not set a read timeout. This allows a misbehaving CRL to block a connection on CRL checking. This should be limited in the same way the connection timeout is limited to 15 seconds. This may be forced globally by setting the sun.net.client.defaultReadTimeout, but this has global scope. A 15 second read timeout also seems reasonable. Alternatively, a new property com.sun.security.crl.readtimeout may be added to specifically target the read timeout on a CRL check. JUSTIFICATION : A CRL check should not be able to block, or hold the resources the flow of critical code for a long period of time. This could negatively affect a service. EXPECTED VERSUS ACTUAL BEHAVIOR : EXPECTED - A default read timeout of 15 seconds should be applied with an optional property com.sun.security.crl.readtimeout being introduced to set the timeout specifically for the purpose of CRL checking. ACTUAL - The current implementation allows a misbehaving CRL to indefinitely block a connection. ---------- BEGIN SOURCE ---------- Full PoC available upon request. ---------- END SOURCE ---------- CUSTOMER SUBMITTED WORKAROUND : Execute the Java application with -Dsun.net.client.defaultReadTimeout=15000