[TK-463] [TK-Jetty] Large CRLs can cause OOM - Puppet Tickets

XML

Word

Printable

Details

Type: Bug
Status: Accepted
Priority: Normal
Resolution: Unresolved
Affects Version/s: None
Fix Version/s: None
Component/s: TrapperKeeper
Labels:

Team:
Froyo
Method Found:
Needs Assessment

Zendesk Ticket IDs:
48185
Zendesk Ticket Count:
1

QA Risk Assessment:
Needs Assessment

Description

Seen in the field with PE. In trapperkeeper-webserver-jetty9 (and possibly other versions), it naively loads the full contents of the file provided by the :ssl-crl-path config option. If the file is huge and you don't have enough heap, it's OOM time.

I think this is coming from https://github.com/puppetlabs/trapperkeeper-webserver-jetty9/blob/master/java/com/puppetlabs/trapperkeeper/services/webserver/jetty9/utils/InternalSslContextFactory.java. We see tons of sun.security.x509.X509CRLEntryImpl objects (retained by sun.security.x509.X509CRLImpl) in the heap dump from the one incident. I'm not sure whether this impacts the underlying Jetty SslContextFactory or not; but either way to we should try to get this to load the data more carefully.

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Lizzi Lindboe

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 2017/12/07 11:55 AM

Updated:: 2022/04/27 12:06 PM