JDK-8315979 : OCSP request throws Connection timeout occasionally
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 17,20
  • Priority: P3
  • Status: Resolved
  • Resolution: Duplicate
  • OS: generic
  • CPU: generic
  • Submitted: 2023-09-10
  • Updated: 2023-10-09
  • Resolved: 2023-09-11
  • Fix Version: JDK 21 (Resolved)
Description
ADDITIONAL SYSTEM INFORMATION :
Java 17.0.8 tested on both Windows 10 and Debian 12

A DESCRIPTION OF THE PROBLEM :
When a certificate is validated using OCSP the request occasionally fails with the message "Unable to determine revocation status due to network error".

This error happens because a ConnectException is thrown when the OCSP request fails. There is, however, a discrepancy in how the connection timeout is set, depending on how large the OCSP request is.

If it is smaller than 255 characters, no connection timeout is set. Otherwise, either the default timeout of 15 seconds or a configurable timeout is set for the connection.

The change was introduced in https://github.com/openjdk/jdk/commit/f5ee356540d7aa4a7663c0d5d74f5fdb0726b426#diff-905a61d1dae19533a61cb5dd302071479775870df89d3a18e6db2537b007c803 

REGRESSION : Last worked in version 17

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Validate a certificate using OCSP multiple times in a row. Occasionally the requests will fail with a certificate validation error. The OCSP request has to be smaller than 255 characters to stay in the upper branch of the if-statement in OCSP:getOCSPBytes.

EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
All OCSP requests should succeed independent of the OCSP request method (GET or POST) being used (provided the server responds in the specified timeout).
ACTUAL -
A ConnectException is thrown if the server does not respond immediately:

Caused by: java.security.cert.CertPathValidatorException: Unable to determine revocation status due to network error
	at java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
	at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:224)
	at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:144)
	at java.base/sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:83)
	at java.base/java.security.cert.CertPathValidator.validate(CertPathValidator.java:309)
	at Main2$1.run(Main2.java:54)
	... 1 more
Caused by: java.net.ConnectException: Connection timed out: connect
	at java.base/sun.nio.ch.Net.connect0(Native Method)
	at java.base/sun.nio.ch.Net.connect(Net.java:579)
	at java.base/sun.nio.ch.Net.connect(Net.java:568)
	at java.base/sun.nio.ch.NioSocketImpl.connect(NioSocketImpl.java:593)
	at java.base/java.net.Socket.connect(Socket.java:633)
	at java.base/java.net.Socket.connect(Socket.java:583)
	at java.base/sun.net.NetworkClient.doConnect(NetworkClient.java:183)
	at java.base/sun.net.www.http.HttpClient.openServer(HttpClient.java:533)
	at java.base/sun.net.www.http.HttpClient.openServer(HttpClient.java:638)
	at java.base/sun.net.www.http.HttpClient.<init>(HttpClient.java:281)
	at java.base/sun.net.www.http.HttpClient.New(HttpClient.java:386)
	at java.base/sun.net.www.http.HttpClient.New(HttpClient.java:408)
	at java.base/sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(HttpURLConnection.java:1309)
	at java.base/sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1242)
	at java.base/sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:1128)
	at java.base/sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:1057)
	at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1665)
	at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1589)
	at java.base/java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:529)
	at java.base/sun.security.provider.certpath.OCSP.getOCSPBytes(OCSP.java:273)
	at java.base/sun.security.provider.certpath.OCSP.check(OCSP.java:195)
	at java.base/sun.security.provider.certpath.RevocationChecker.checkOCSP(RevocationChecker.java:785)
	at java.base/sun.security.provider.certpath.RevocationChecker.check(RevocationChecker.java:369)
	at java.base/sun.security.provider.certpath.RevocationChecker.check(RevocationChecker.java:343)
	at java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
	... 6 more

CUSTOMER SUBMITTED WORKAROUND :
Use Java 17+3

FREQUENCY : occasionally
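The report above describes the failure as seen from the application: PKIX validation aborts with "Unable to determine revocation status due to network error" when the responder is slow, and the timeout that applies depends on whether the request took the GET or the POST path. The following is an added example, not code from the bug report or from the JDK, showing how an application can make that failure mode visible rather than fatal: it enables OCSP through a PKIXRevocationChecker in SOFT_FAIL mode, sets the JDK's documented com.sun.security.ocsp.timeout property (which only governs the path the report says has a timeout at all), and logs every soft-fail exception with its reason and cause so that responder timeouts show up in application logs. The PEM input file is an assumed argument (leaf certificate first, then intermediates); trust anchors come from the JDK's default trust store.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added example (not from the bug report): validate a certificate chain with
 * OCSP enabled and surface network-related revocation failures as log entries
 * instead of letting them abort validation.
 *
 * Usage: java OcspSoftFailCheck chain.pem   (chain.pem is an assumed input,
 * leaf certificate first, followed by any intermediates)
 */
public class OcspSoftFailCheck {

    /** Reads one or more PEM-encoded certificates from a file, in file order. */
    static List<X509Certificate> loadPemChain(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(path)) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        return chain;
    }

    /** Builds trust anchors from the JDK's default trust store (cacerts). */
    static Set<TrustAnchor> defaultTrustAnchors() throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null => use the platform default trust store
        Set<TrustAnchor> anchors = new HashSet<>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    anchors.add(new TrustAnchor(ca, null));
                }
            }
        }
        return anchors;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java OcspSoftFailCheck chain.pem");
            System.exit(2);
        }

        // Responder timeout in seconds for the OCSP path that honours it.
        // Assumption: this JDK system property is the "configurable timeout"
        // the report refers to; the GET path described in the report does not use it.
        System.setProperty("com.sun.security.ocsp.timeout", "5");

        List<X509Certificate> chain = loadPemChain(args[0]);
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(chain);

        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker rc = (PKIXRevocationChecker) cpv.getRevocationChecker();
        // SOFT_FAIL: a responder that cannot be reached does not fail the path;
        // the exception is recorded and retrieved below instead.
        rc.setOptions(EnumSet.of(PKIXRevocationChecker.Option.SOFT_FAIL));

        PKIXParameters params = new PKIXParameters(defaultTrustAnchors());
        params.addCertPathChecker(rc); // OCSP (with CRL fallback) via the revocation checker

        try {
            cpv.validate(certPath, params);
            System.out.println("path valid for " + chain.get(0).getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            // Hard failures (revoked, untrusted, expired, ...) still abort here.
            System.err.println("validation failed, reason=" + e.getReason() + ": " + e.getMessage());
            throw e;
        }

        // Network problems during OCSP, such as the ConnectException in the report,
        // land here with reason UNDETERMINED_REVOCATION_STATUS instead of aborting.
        for (CertPathValidatorException soft : rc.getSoftFailExceptions()) {
            System.out.println("OCSP soft-fail, reason=" + soft.getReason()
                    + ": " + soft.getMessage()
                    + (soft.getCause() != null ? " (cause: " + soft.getCause() + ")" : ""));
        }
    }
}
```

Whether SOFT_FAIL is acceptable is a policy decision: it keeps a slow or unreachable responder from taking the service down, but it also means a revoked certificate is accepted whenever its responder cannot be reached, so the soft-fail log lines should be monitored rather than ignored. Leaving SOFT_FAIL out gives the hard failure shown in the report's stack trace, with the same UNDETERMINED_REVOCATION_STATUS reason on the thrown exception.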
Comments
Closing as a duplicate of JDK-8179502.
11-09-2023

[~mullan] Actually I discovered and fixed this timeout discrepancy as part of the implementation for JDK-8179502. With that change both GET and POST requests share the same timeout characteristics. https://github.com/openjdk/jdk/commit/2836c34b64e4626e25c86a53e5bef2bf32f95d2e Also, I'm changing the affects version as it includes versions that are likely not affected by this issue. OCSP GET support does not exist in jdk8u or jdk11u, and the fix that matches the timeout behaviors between GET and POST went into JDK 21. So it seems like 17 and 20 are the only versions that would see this issue (from those cited in the Affects Version).
11-09-2023

It looks like the problem was introduced in JDK 17 ea+4.
11-09-2023