Align timeouts for CRL retrieval and TLS handshake

Description

The problem

The Float component of the Corda Firewall has been designed so that it listens for inbound communication (when activated) but is not meant to initiate any outbound communication.
This largely holds, except when a Certificate Revocation List (CRL) check is to be performed.

Currently, in order to perform a CRL check, the Float component attempts outgoing communication, which is likely to be blocked by physical firewall policy.
With the CRL check set to SOFT_FAIL and a physical firewall policy in place, it may take a substantial amount of time for the network communication to be terminated due to timeout, but by this time it may be too late, as the TLS handshake has already timed out.
I.e. inbound TLS communication is not possible at all.

Proposed solution

Align the timeouts such that the CRL retrieval timeout will always be (5 seconds?) less than the TLS timeout.
This will ensure that in SOFT_FAIL mode, when the CRL cannot be obtained, there is still enough time to complete the TLS handshake.

Note:
Current default timeout settings are:
TLS handshake: 10 seconds as per io.netty.handler.ssl.SslHandler#handshakeTimeoutMillis
CRL retrieval: 15 seconds as per sun.security.provider.certpath.URICertStore#DEFAULT_CRL_CONNECT_TIMEOUT
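
One way to express the proposed alignment using only JDK APIs, as an added example that is not Corda's code. The class and method names are hypothetical, the 10-second handshake value and the 5-second margin are taken from the description above, and `com.sun.security.crl.timeout` is the JDK system property (whole seconds) that overrides the CRL connect timeout default.

```java
import java.security.cert.CertPathValidator;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.PKIXRevocationChecker.Option;
import java.time.Duration;
import java.util.EnumSet;

public class AlignedRevocationTimeouts {
    // Read by sun.security.provider.certpath.URICertStore; value is in whole seconds.
    static final String CRL_TIMEOUT_PROPERTY = "com.sun.security.crl.timeout";

    /** CRL timeout = TLS handshake timeout minus margin, rounded down to whole seconds. */
    static int alignedCrlTimeoutSeconds(Duration tlsHandshake, Duration margin) {
        long seconds = tlsHandshake.minus(margin).getSeconds();
        if (seconds < 1) {
            // Refuse a configuration in which the CRL fetch could outlive the handshake.
            throw new IllegalArgumentException("TLS handshake timeout " + tlsHandshake
                    + " leaves no room for a CRL fetch with margin " + margin);
        }
        return (int) seconds;
    }

    /** Call before the first certificate path validation: the JDK reads the property once. */
    static PKIXRevocationChecker configure(Duration tlsHandshake, Duration margin) throws Exception {
        int crlSeconds = alignedCrlTimeoutSeconds(tlsHandshake, margin);
        System.setProperty(CRL_TIMEOUT_PROPERTY, Integer.toString(crlSeconds));
        PKIXRevocationChecker checker =
                (PKIXRevocationChecker) CertPathValidator.getInstance("PKIX").getRevocationChecker();
        // SOFT_FAIL: a CRL that cannot be fetched does not reject the peer certificate.
        // PREFER_CRLS is an assumption of this example (check CRLs before OCSP).
        checker.setOptions(EnumSet.of(Option.PREFER_CRLS, Option.SOFT_FAIL));
        return checker;
    }

    public static void main(String[] args) throws Exception {
        Duration tlsHandshake = Duration.ofSeconds(10); // default named in the description
        Duration margin = Duration.ofSeconds(5);        // margin floated in the proposal
        PKIXRevocationChecker checker = configure(tlsHandshake, margin);
        System.out.println(CRL_TIMEOUT_PROPERTY + "=" + System.getProperty(CRL_TIMEOUT_PROPERTY));
        System.out.println("revocation options=" + checker.getOptions());
        // The same tlsHandshake value would be given to Netty through
        // SslHandler#setHandshakeTimeoutMillis(tlsHandshake.toMillis()).
    }
}
```

Deriving both values from one setting keeps the CRL timeout below the handshake timeout even when an operator changes only the TLS value.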

Status

Assignee

Viktor Kolomeyko

Reporter

Viktor Kolomeyko

Labels

None

Feature Team

Kernel Group

Story Points

5

Fix versions

Ported to...

None

Priority

High