8179502: Enhance OCSP, CRL and Certificate Fetch Timeouts

[alexeybakhtin]

Hello, I'd like to backport JDK-8179502 to JDK17u to improve the timeout adjustment for OCSP GET requests (which was missed in JDK-8179503).

The backport is almost clean except for the following:

• OCSP.java was merged manually because of JDK-8328638 and JDK-8329213 is already backported into 17u-dev
• copyright year in GetPropertyAction.java and URICertStore.java files are updated manually
• CRLReadTimeout.java test is updated manually because of the different notation of internal X509CRLImpl and CRLExtensions classes.

All new and related jtreg tests are passed

---

Progress

• Change must be properly reviewed (1 review required, with at least 1 Reviewer)
• Change must not contain extraneous whitespace
• Commit message must refer to an issue
• Change requires CSR request JDK-8337407 to be approved
• JDK-8179502 needs maintainer approval

Issues

• JDK-8179502: Enhance OCSP, CRL and Certificate Fetch Timeouts (Enhancement - P4 - Approved)
• JDK-8337407: Enhance OCSP, CRL and Certificate Fetch Timeouts (CSR)

Reviewers

• Yuri Nesterenko (@yan-too - Reviewer)

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk17u-dev.git pull/2747/head:pull/2747
$ git checkout pull/2747

Update a local copy of the PR:
$ git checkout pull/2747
$ git pull https://git.openjdk.org/jdk17u-dev.git pull/2747/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 2747

View PR using the GUI difftool:
$ git pr show -t 2747

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk17u-dev/pull/2747.diff

Using Webrev

Link to Webrev Comment

[bridgekeeper]

👋 Welcome back abakhtin! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

[openjdk]

@alexeybakhtin This change now passes all automated pre-integration checks.

ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details.

After integration, the commit message for the final commit will be:

8179502: Enhance OCSP, CRL and Certificate Fetch Timeouts

Reviewed-by: yan

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 466 new commits pushed to the master branch:

• df6014e: 8346887: DrawFocusRect() may cause an assertion failure
• 72bddde: 8342508: Use latch in BasicMenuUI/bug4983388.java instead of delay
• 032d1ae: 8342498: Add test for Allocation elimination after use as alignment reference by SuperWord
• 77ce004: 8333403: Write a test to check various components events are triggered properly
• 19345ad: 8340687: Open source closed frame tests 8278822: Bump update version for OpenJDK: jdk-17.0.3 #1
• eede9d3: 8324807: Manual printer tests have no Pass/Fail buttons, instructions close set 2
• 88c1aa2: 8325529: Remove unused imports from ModuleGenerator test file
• 8920296: 8328819: Remove applet usage from JFileChooser tests bug6698013
• 24c1243: 8312416: Tests in Locale should have more descriptive names
• 0246696: 8305853: java/text/Format/DateFormat/DateFormatRegression.java fails with "Uncaught exception thrown in test method Test4089106"
• ... and 456 more: https://git.openjdk.org/jdk17u-dev/compare/77cb961ce0573c9c1057d51556784ea43a71ba53...master

As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

➡️ To integrate this PR with the above commit message to the master branch, type /integrate in a new comment.

[openjdk]

This backport pull request has now been updated with issue from the original commit.

[openjdk]

At least one of the issues associated with this backport has a resolved CSR for a different version. As this means that this backport may also need a CSR, the csr label is being added to this pull request to signal this potential requirement. The command /csr unneeded can be used to remove the label in case a CSR is not needed.

[mlbridge]

Webrevs

• 02: Full - Incremental (65e02f91)
• 01: Full - Incremental (e73f8c1a)
• 00: Full (df460a63)

[alexeybakhtin]

CSR JDK-8337407 for JDK17 is created

[bridgekeeper]

@alexeybakhtin This pull request has been inactive for more than 4 weeks and will be automatically closed if another 4 weeks passes without any activity. To avoid this, simply add a new comment to the pull request. Feel free to ask for assistance if you need help with progressing this pull request towards integration!

[HempushpaSahu]

Hi @alexeybakhtin
Is there any plan to merge this PR anytime soon?

Thanks.

[alexeybakhtin]

Hi @HempushpaSahu. Yes, I will request integration into 17u as soon as it is reviewed here.

[HempushpaSahu]

Hi @alexeybakhtin,
I noticed from JDK-8337407 issue, jnimeh is the reviewer.
Could you please confirm whether the review is currently in progress?
Also, is it possible to assign an additional reviewer if one is available?

Thanks.

[alexeybakhtin]

Hello everyone,
Could you please review the backport? I want to backport it for parity with Oracle.

[HempushpaSahu]

Hi,
Since there is multiple follow-ups for this PR and customer is awaiting the fix, could someone please provide an update on the review status?

Thanks.

[HempushpaSahu]

Hi,
Could someone please review the PR?

Thanks.

[HempushpaSahu]

Hi @jnimeh ,
Could you please assist with reviewing the PR or if you are occupied with other tasks please tag the appropriate person who can help us to review?
The customer is waiting for the fix. Once this backport is merged, they will be able to move forward.

Thanks.

[jnimeh]

Hello @HempushpaSahu. I can review the CSR. I think you need someone who has reviewer status in the jdk-updates project in order to be able to commit this. I only have committer status there. You should be able to find many folks with jdk-updates reviewer status on the OpenJDK census page though.

[jnimeh]

I would also suggest looking at incorporating JDK-8309740 and JDK-8309754 in follow-on integrations as they pertain to the tests in this PR.

[HempushpaSahu]

Hi @seanjmullan ,
Could you please help us here to review the PR?

[HempushpaSahu]

Hello @HempushpaSahu. I can review the CSR. I think you need someone who has reviewer status in the jdk-updates project in order to be able to commit this. I only have committer status there. You should be able to find many folks with jdk-updates reviewer status on the OpenJDK census page though.

Thanks @jnimeh for your inputs.

[HempushpaSahu]

Hi @GoeLin
Could you please help to review this PR or tag the appropriate person who can help us to review?
Thanks.

[HempushpaSahu]

Hi @GoeLin
Could you please help to review this PR?
Thanks.

[HempushpaSahu]

Hi @alexeybakhtin,
JDK-8337407 issue has some activity in last week.
Could you please confirm whether the review is currently in progress?

Thanks.

[alexeybakhtin]

CSR is approved.
Please review the PR.

[HempushpaSahu]

Hi @alexeybakhtin , I have tested the four backports mentioned above together, and they have passed successfully. Should we include these tests as part of the PR?
Thanks.

[alexeybakhtin]

@franferrax , @HempushpaSahu, Thank you!
I do not think it is possible to add other bug fixes to this PR, so I submitted dependent backport PRs for the mentioned test fixes:

• JDK-8309740, openjdk/jdk@5ca4cdd
• JDK-8310629, openjdk/jdk@b20dc1e
• JDK-8325024, openjdk/jdk@432756b
• JDK-8337826, openjdk/jdk@9b11bd7

Backports are clean, so no review is required

[franferrax]

Hi @alexeybakhtin, thank you for the additional time and effort put into this! My intention is to help move things faster, because I've been made aware about customers waiting for this.

However, as @GoeLin explained, if Oracle doesn't include this backport in 17.0.14, the documentation won't be updated, so we'll need to wait for them to proceed. Apparently, Oracle's reason for not doing the backport is its low priority. Customers are now trying to get it prioritized through Oracle support, but it looks like we won't make it for the 17.0.14 rampdown date (December 3).

NOTE: FYI, AFAIK, you can add multiple backports to a pull requiest with the /issue add <id>[,<id>,...] command.

[alexeybakhtin]

Hi @franferrax,
Thank you for your support.
We also have customers who are waiting for this enhancement.

About /issue command - I do not like this approach much. It will bring a much more difference between the backport and the original fix. Right now, all test fixes are applied cleanly. But, if it would help to integrate this enhancement, I can combine all follow-up backports into this one.

[bridgekeeper]

@alexeybakhtin This pull request has been inactive for more than 4 weeks and will be automatically closed if another 4 weeks passes without any activity. To avoid this, simply add a new comment to the pull request. Feel free to ask for assistance if you need help with progressing this pull request towards integration!

[alexeybakhtin]

/csr 8337407

[openjdk]

@alexeybakhtin usage: /csr [needed|unneeded], requires that the issue the pull request refers to links to an approved CSR request.

[franferrax]

/csr 8337407

@alexeybakhtin: looks like linking the right CSR (JDK-8337407) from the Oracle backport (JDK-8338808) did the trick.

Also, I think "parity with Oracle" is now a valid reason for maintainer approval, since jdk17u-dev is in the development phase of 17.0.15, the same version for which Oracle did the backport.

[GoeLin]

This change looks good to me now. Thanks for improving the compatibility with 17!
Unfortunately Oracle did not integrate this yet. I'm not sure whether we should go ahead with this already.

[jerboaa]

Unfortunately Oracle did not integrate this yet. I'm not sure whether we should go ahead with this already.

+1 on bringing this to JDK 17 in April. There is ample time until that releases.

[alexeybakhtin]

Oracle just integrated the fix for the upcoming April release: https://bugs.openjdk.org/browse/JDK-8338808?focusedId=14737263&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-14737263

[alexeybakhtin]

/integrate

[openjdk]

Going to push as commit 25c7a7b.
Since your change was applied there have been 466 commits pushed to the master branch:

• df6014e: 8346887: DrawFocusRect() may cause an assertion failure
• 72bddde: 8342508: Use latch in BasicMenuUI/bug4983388.java instead of delay
• 032d1ae: 8342498: Add test for Allocation elimination after use as alignment reference by SuperWord
• 77ce004: 8333403: Write a test to check various components events are triggered properly
• 19345ad: 8340687: Open source closed frame tests 8278822: Bump update version for OpenJDK: jdk-17.0.3 #1
• eede9d3: 8324807: Manual printer tests have no Pass/Fail buttons, instructions close set 2
• 88c1aa2: 8325529: Remove unused imports from ModuleGenerator test file
• 8920296: 8328819: Remove applet usage from JFileChooser tests bug6698013
• 24c1243: 8312416: Tests in Locale should have more descriptive names
• 0246696: 8305853: java/text/Format/DateFormat/DateFormatRegression.java fails with "Uncaught exception thrown in test method Test4089106"
• ... and 456 more: https://git.openjdk.org/jdk17u-dev/compare/77cb961ce0573c9c1057d51556784ea43a71ba53...master

Your commit was automatically rebased without conflicts.

[openjdk]

@alexeybakhtin Pushed as commit 25c7a7b.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.