jdk17u-dev
8179502: Enhance OCSP, CRL and Certificate Fetch Timeouts
Hello, I'd like to backport JDK-8179502 to JDK17u to improve the timeout adjustment for OCSP GET requests (which was missed in JDK-8179503).
The backport is almost clean except for the following:
- OCSP.java was merged manually because JDK-8328638 and JDK-8329213 are already backported into 17u-dev
- the copyright year in the GetPropertyAction.java and URICertStore.java files is updated manually
- CRLReadTimeout.java test is updated manually because of the different notation of internal X509CRLImpl and CRLExtensions classes.
All new and related jtreg tests passed.
Progress
- [ ] Change must be properly reviewed (1 review required, with at least 1 Reviewer)
- [x] Change must not contain extraneous whitespace
- [x] Commit message must refer to an issue
- [ ] Change requires CSR request JDK-8337407 to be approved
- [ ] JDK-8179502 needs maintainer approval
Issues
- JDK-8179502: Enhance OCSP, CRL and Certificate Fetch Timeouts (Enhancement - P4)
- JDK-8337407: Enhance OCSP, CRL and Certificate Fetch Timeouts (CSR)
Reviewing
Using git
Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk17u-dev.git pull/2747/head:pull/2747
$ git checkout pull/2747
Update a local copy of the PR:
$ git checkout pull/2747
$ git pull https://git.openjdk.org/jdk17u-dev.git pull/2747/head
Using Skara CLI tools
Checkout this PR locally:
$ git pr checkout 2747
View PR using the GUI difftool:
$ git pr show -t 2747
Using diff file
Download this PR as a diff file:
https://git.openjdk.org/jdk17u-dev/pull/2747.diff
Webrev
:wave: Welcome back abakhtin! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.
@alexeybakhtin This change now passes all automated pre-integration checks.
ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details.
After integration, the commit message for the final commit will be:
8179502: Enhance OCSP, CRL and Certificate Fetch Timeouts
Reviewed-by: yan
You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.
At the time when this comment was updated there had been 466 new commits pushed to the master branch:
- df6014ef96bf90ac738fff87bafe30167eaea365: 8346887: DrawFocusRect() may cause an assertion failure
- 72bdddece423d94cec4dae8f346ef6d688c3a1b8: 8342508: Use latch in BasicMenuUI/bug4983388.java instead of delay
- 032d1ae4e048f41305a79dea4c8a89889e02203a: 8342498: Add test for Allocation elimination after use as alignment reference by SuperWord
- 77ce00491af29399e5363a96a9ec7735aca685f4: 8333403: Write a test to check various components events are triggered properly
- 19345adcf708f74c89d44a3df60ba72a4692ae34: 8340687: Open source closed frame tests #1
- eede9d3886316f222ebdd8bb0b220de2eddd9662: 8324807: Manual printer tests have no Pass/Fail buttons, instructions close set 2
- 88c1aa2bd72c105728e0085421fb60c3e1d236a7: 8325529: Remove unused imports from ModuleGenerator test file
- 89202960f3e4c58b56a300ca43e2b18eaefc5e7b: 8328819: Remove applet usage from JFileChooser tests bug6698013
- 24c1243b7c19be910c2fb2790441065a8b83e701: 8312416: Tests in Locale should have more descriptive names
- 024669637577b82ee15f7822458a77312a68f3d9: 8305853: java/text/Format/DateFormat/DateFormatRegression.java fails with "Uncaught exception thrown in test method Test4089106"
- ... and 456 more: https://git.openjdk.org/jdk17u-dev/compare/77cb961ce0573c9c1057d51556784ea43a71ba53...master
As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.
➡️ To integrate this PR with the above commit message to the master branch, type /integrate in a new comment.
This backport pull request has now been updated with issue from the original commit.
At least one of the issues associated with this backport has a resolved CSR for a different version. As this means that this backport may also need a CSR, the csr label is being added to this pull request to signal this potential requirement. The command /csr unneeded can be used to remove the label in case a CSR is not needed.
CSR JDK-8337407 for JDK17 is created
@alexeybakhtin This pull request has been inactive for more than 4 weeks and will be automatically closed if another 4 weeks passes without any activity. To avoid this, simply add a new comment to the pull request. Feel free to ask for assistance if you need help with progressing this pull request towards integration!
Hi @alexeybakhtin Is there any plan to merge this PR anytime soon?
Thanks.
Hi @HempushpaSahu. Yes, I will request integration into 17u as soon as it is reviewed here.
Hi @alexeybakhtin, I noticed from JDK-8337407 issue, jnimeh is the reviewer. Could you please confirm whether the review is currently in progress? Also, is it possible to assign an additional reviewer if one is available?
Thanks.
Hello everyone, Could you please review the backport? I want to backport it for parity with Oracle.
Hi, since there are multiple follow-ups for this PR and the customer is awaiting the fix, could someone please provide an update on the review status?
Thanks.
Hi, Could someone please review the PR?
Thanks.
Hi @jnimeh , Could you please assist with reviewing the PR or if you are occupied with other tasks please tag the appropriate person who can help us to review? The customer is waiting for the fix. Once this backport is merged, they will be able to move forward.
Thanks.
Hello @HempushpaSahu. I can review the CSR. I think you need someone who has reviewer status in the jdk-updates project in order to be able to commit this. I only have committer status there. You should be able to find many folks with jdk-updates reviewer status on the OpenJDK census page though.
I would also suggest looking at incorporating JDK-8309740 and JDK-8309754 in follow-on integrations as they pertain to the tests in this PR.
Hi @seanjmullan , Could you please help us here to review the PR?
Thanks @jnimeh for your inputs.
Hi @GoeLin Could you please help to review this PR or tag the appropriate person who can help us to review? Thanks.
Hi @GoeLin Could you please help to review this PR? Thanks.
Hi @alexeybakhtin, the JDK-8337407 issue has had some activity in the last week. Could you please confirm whether the review is currently in progress?
Thanks.
CSR is approved. Please review the PR.
⚠️ @alexeybakhtin This change is now ready for you to apply for maintainer approval. This can be done directly in each associated issue or by using the /approval command.
Pasting @GoeLin's question from #2754 here:
What happens if someone has set com.sun.security.crl.timeout and installs the update. Will that value be taken over to com.sun.security.ocsp.readtimeout, or will that fall back to 15s?
Hi @GoeLin, you are right. The new "com.sun.security.ocsp.readtimeout" property is set independently of "com.sun.security.crl.timeout". In your case, it will fall back to the default 15s value. It changes current behavior. I can update this logic to change the default read timeout to the "com.sun.security.crl.timeout" value.
Hi @alexeybakhtin , I have tested the four backports mentioned above together, and they have passed successfully. Should we include these tests as part of the PR? Thanks.
@franferrax , @HempushpaSahu, Thank you! I do not think it is possible to add other bug fixes to this PR, so I submitted dependent backport PRs for the mentioned test fixes:
- JDK-8309740, https://github.com/openjdk/jdk/commit/5ca4cdd2caceba9dad8025e5a8851740a3961921
- JDK-8310629, https://github.com/openjdk/jdk/commit/b20dc1e9cda1ea3a76b3f14c778c6816e5cc1c0c
- JDK-8325024, https://github.com/openjdk/jdk/commit/432756b6e51c903e2bff8b9c3028a4f2ea8973f4
- JDK-8337826, https://github.com/openjdk/jdk/commit/9b11bd7f4a511ddadf9f02e82aab6ba78beb6763
Backports are clean, so no review is required
Hi @alexeybakhtin, thank you for the additional time and effort put into this! My intention is to help move things faster, because I've been made aware about customers waiting for this.
However, as @GoeLin explained, if Oracle doesn't include this backport in 17.0.14, the documentation won't be updated, so we'll need to wait for them to proceed. Apparently, Oracle's reason for not doing the backport is its low priority. Customers are now trying to get it prioritized through Oracle support, but it looks like we won't make it for the 17.0.14 rampdown date (December 3).
NOTE: FYI, AFAIK, you can add multiple backports to a pull request with the /issue add <id>[,<id>,...] command.
Hi @franferrax, Thank you for your support. We also have customers who are waiting for this enhancement.
About the /issue command - I do not like this approach much. It will bring much more difference between the backport and the original fix. Right now, all test fixes are applied cleanly. But, if it would help to integrate this enhancement, I can combine all follow-up backports into this one.
@alexeybakhtin This pull request has been inactive for more than 4 weeks and will be automatically closed if another 4 weeks passes without any activity. To avoid this, simply add a new comment to the pull request. Feel free to ask for assistance if you need help with progressing this pull request towards integration!