Uploaded image for project: 'Puppet'
  1. Puppet
  2. PUP-3031

simplify/move warn_if_near_expiration



    • Improvement
    • Status: Closed
    • Normal
    • Resolution: Fixed
    • None
    • PUP 3.7.0
    • Docs, Networking
    • None
    • 1
    • 2014-08-20


      See related PE ticket; this is largely a placeholder just to make sure we've tried to address this before 3.7.0 release.

      In `http/handler.rb`'s `process` method, there is a call to a method named `warn_if_near_expiration`. The goal of this method appears to be simply to check the expiration date of the client certificate, and log a warning message if it is going to expire soon.

      However, this method has tons of side effects, which include potentially a second deserialization of the client cert and calls to the indirector that can trigger things like creating the ca cert file on disk, etc. Most importantly, it triggers a bunch of calls into the Ruby OpenSSL layer on every request.

      After discussion with Josh Cooper, Deepak Giridharagopal, and a few other folks, I think we are in agreement that this shouldn't be happening at this spot in the code. The question was raised as to whether we need to do this at all; if we do need to do it at all, then it seems like we might not need to do it on every single request... but at the very least, if we're going to do it, it should not be in this lower level of the code that is generic to all web server implementations. It should be handled at the higher level specific to an individual web server, since each server may have its own mechanisms for accessing the client cert data.

      It sounds like the simplest path forward for now is to delete this line from its current location, add a check and a log message to the Rack handler, and add similar functionality to the Jetty handler.


        Issue Links



              Unassigned Unassigned
              chris Chris Price
              Eric Thompson Eric Thompson
              0 Vote for this issue
              7 Start watching this issue



                Zendesk Support