Align timeouts for CRL retrieval and TLS handshake

Description

The problem

The Float component of the Corda Firewall has been designed such that it listens for inbound communication (when activated) but is not meant to initiate any outbound communication.
This largely holds, except when a Certificate Revocation List (CRL) check is to be performed.

Currently, in order to perform a CRL check, the Float component attempts outgoing communication, which is likely to be blocked by the physical firewall policy.
With the CRL check set to SOFT_FAIL and a physical firewall policy in place, it may take a substantial amount of time for the network communication to be terminated by timeout, and by that time it may be too late because the TLS handshake has already timed out.
I.e. inbound TLS communication is not possible at all.

Proposed solution

The proposal is to align the timeouts such that the CRL retrieval timeout is always (5 seconds?) less than the TLS timeout.
This will ensure that in SOFT_FAIL mode, when the CRL cannot be obtained, there is still enough time to complete the TLS handshake.

Note:
Current default timeout settings are:
TLS handshake: 10 seconds as per io.netty.handler.ssl.SslHandler#handshakeTimeoutMillis
CRL retrieval: 15 seconds as per sun.security.provider.certpath.URICertStore#DEFAULT_CRL_CONNECT_TIMEOUT
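
One way to enforce the proposed alignment on a JVM, as an added example that is not Corda's own code: derive the CRL timeout from the TLS handshake timeout and configure a SOFT_FAIL revocation checker. Assumptions: the class and method names are hypothetical, the 5-second margin is the ticket's tentative figure, and the CRL connect timeout is set through the JDK system property `com.sun.security.crl.timeout` (whole seconds).

```java
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertPathValidator;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.PKIXRevocationChecker.Option;
import java.time.Duration;
import java.util.EnumSet;

public final class AlignedRevocationTimeouts {
    // JDK property (whole seconds) that overrides URICertStore's default CRL connect timeout.
    static final String CRL_TIMEOUT_PROPERTY = "com.sun.security.crl.timeout";

    /** CRL timeout in whole seconds, at least `margin` below the TLS handshake timeout. */
    static int crlTimeoutSeconds(Duration tlsHandshake, Duration margin) {
        if (margin.isNegative() || margin.isZero()) {
            throw new IllegalArgumentException("margin must be positive");
        }
        // Truncating to whole seconds rounds down, so the margin is never eroded.
        long seconds = tlsHandshake.minus(margin).getSeconds();
        if (seconds < 1) {
            throw new IllegalArgumentException(
                "TLS handshake timeout " + tlsHandshake + " leaves no room for CRL retrieval");
        }
        return (int) seconds;
    }

    /** Must run before the first revocation check: the JDK reads the property only once. */
    static void apply(Duration tlsHandshake, Duration margin) {
        System.setProperty(CRL_TIMEOUT_PROPERTY,
            Integer.toString(crlTimeoutSeconds(tlsHandshake, margin)));
    }

    /** Revocation checker that tolerates an unreachable CRL distribution point. */
    static PKIXRevocationChecker softFailChecker() throws NoSuchAlgorithmException {
        PKIXRevocationChecker checker = (PKIXRevocationChecker)
            CertPathValidator.getInstance("PKIX").getRevocationChecker();
        checker.setOptions(EnumSet.of(Option.PREFER_CRLS, Option.SOFT_FAIL));
        return checker;
    }

    public static void main(String[] args) throws Exception {
        Duration tls = Duration.ofSeconds(10);   // Netty SslHandler default quoted in the note
        Duration margin = Duration.ofSeconds(5); // tentative margin from the proposal
        apply(tls, margin);
        System.out.println(CRL_TIMEOUT_PROPERTY + "=" + System.getProperty(CRL_TIMEOUT_PROPERTY));
        System.out.println("options=" + softFailChecker().getOptions());
    }
}
```

The same `tls` value would be passed to `SslHandler#setHandshakeTimeoutMillis` so that both timeouts come from one setting and cannot drift apart.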

Assignee

Viktor Kolomeyko

Reporter

Viktor Kolomeyko

Epic Link

None

Priority

High

Engineering Teams

Kernel

Fix versions

Affects versions

None

Ported to...

None

Sprint

None

Labels

None

Story Points / Dev Days

5