Bug ID: JDK-8223310 Configurable read timeout for CRLs

Type: CSR
Component: security-libs
Sub-Component: java.security

Priority: P4
Status: Closed
Resolution: Approved
Fix Versions: 13

Submitted: 2019-05-03
Updated: 2019-06-04
Resolved: 2019-05-09

Summary
-------

Provide a system property for configuring the read timeout for Certificate Revocation Lists (CRLs).

Problem
-------

There is currently no read timeout when downloading CRLs from a URL.  For security and performance reasons, there should be a default timeout and a way for users to configure the timeout.

Solution
--------

Add a system property named "com.sun.security.crl.readtimeout" with a default value of 15 seconds. The name is chosen to be consistent with the existing "com.sun.security.crl.timeout" system property which controls the connection timeout.

Specification
-------------

The `com.sun.security.crl.readtimeout` system property sets the maximum read timeout for CRL retrievals, in seconds. If the property has not been set, or if its value is negative, it is set to the default value of 15 seconds. A value of 0 means an infinite timeout.

This property will be documented in the Release Notes and the PKI Programmer's Guide.

[~alanb] Alan, yes the name was chosen to be consistent with the related com.sun.security.crl.timeout property for the connection timeout (which is documented in the PKI Programmer's Guide). As far as "readtimeout" or "readTimeout", you are right, the latter is probably better though I don't expect this property to be used very often. Let me know if you want it changed.
04-06-2019
If this system property is documented (and I see there is a RN documenting it already) then maybe the name of the system should be re-examined. Is the named com.sun.security.crl.* to be consistent with other properties in this area? Also wondering whether it should be readTimeout rather than readtimeout.
02-06-2019
[~mullan] added myself as a watcher to JDK-8223649; thanks.
13-05-2019
[~darcy] Good suggestion on documenting the system property, but I would rather handle this as a follow-on issue as there are a handful of other related system properties that can be set which affect certificate chain validation, and I think it would be best to document all of these together. It's also a little unclear where in the javadoc they should be documented, so some thought around that is needed as well. I'll file a follow-on issue and link it to this issue. In the meantime, we will document the new property in a release note and the PKI Programmer's Guide.
09-05-2019
Moving to Approved, but please also consider documenting the property with the systemProperty javadoc tag.
09-05-2019