Float component of Corda Firewall been designed such that it listens to inbound communication (when activated) but it is not meant to initiate any outbound communication.
This largely holds, except for the case when check for Certificate Revocation List (CRL) is meant to be performed.
Currently, in order to perform CRL check, Float component attempts to perform outgoing communication which is likely to be blocked by physical firewall policy.
With CRL check is set with SOFT_FAIL and Physical Firewall policy in place it may take substantial amount of time for network communication to be terminated due to timeout, but by this time it may be too late as TLS handshake has already timed-out already.
I.e. inbound TLS communication is not possible at all.
Is to align timeouts such that CRL retrieval timeout will always be (5 second?) less than TLS timeout.
This will ensure that in SOFT_FAIL mode when CRL cannot be obtained there is still enough time to complete TLS handshake.
Current default timeout settings are:
TLS handshake: 10 seconds as per io.netty.handler.ssl.SslHandler#handshakeTimeoutMillis
CRL retrieval: 15 seconds as per sun.security.provider.certpath.URICertStore#DEFAULT_CRL_CONNECT_TIMEOUT