  1. Trapperkeeper
  2. TK-463

[TK-Jetty] Large CRLs can cause OOM


    Description

      Seen in the field with PE. In trapperkeeper-webserver-jetty9 (and possibly other versions), it naively loads the full contents of the file provided by the :ssl-crl-path config option. If the file is huge and you don't have enough heap, it's OOM time.

      I think this is coming from https://github.com/puppetlabs/trapperkeeper-webserver-jetty9/blob/master/java/com/puppetlabs/trapperkeeper/services/webserver/jetty9/utils/InternalSslContextFactory.java. We see tons of sun.security.x509.X509CRLEntryImpl objects (retained by sun.security.x509.X509CRLImpl) in the heap dump from the one incident. I'm not sure whether this impacts the underlying Jetty SslContextFactory or not; but either way we should try to get this to load the data more carefully.

          People

            Unassigned Unassigned
            lizzi Lizzi Lindboe
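
One way to keep an oversized file at :ssl-crl-path from exhausting the heap is to refuse it before parsing. The following is an added example, not code from trapperkeeper-webserver-jetty9 or Jetty; the class name `BoundedCrlLoader`, its methods and the `HEAP_DIVISOR` ratio are assumptions chosen for illustration. It rejects the file rather than reducing the memory used by a CRL that is accepted.

```java
import java.io.*;
import java.nio.file.*;
import java.security.GeneralSecurityException;
import java.security.cert.*;
import java.util.Collection;

/** Hypothetical helper; not part of trapperkeeper-webserver-jetty9 or Jetty. */
public final class BoundedCrlLoader {
    // Assumed ratio: each parsed entry becomes its own heap object, so the
    // encoded file is allowed only a small fraction of the maximum heap.
    private static final long HEAP_DIVISOR = 16;

    /** Fails the read once more than `limit` bytes have come off the file. */
    private static final class LimitedInputStream extends FilterInputStream {
        private long remaining;
        LimitedInputStream(InputStream in, long limit) { super(in); remaining = limit; }
        private long count(long n) throws IOException {
            if (n > 0 && (remaining -= n) < 0) throw new IOException("CRL exceeds size budget");
            return n;
        }
        @Override public int read() throws IOException {
            int b = super.read();
            if (b >= 0) count(1);
            return b;
        }
        @Override public int read(byte[] buf, int off, int len) throws IOException {
            return (int) count(super.read(buf, off, len));
        }
        @Override public long skip(long n) throws IOException { return count(super.skip(n)); }
    }

    public static long defaultBudget() { return Runtime.getRuntime().maxMemory() / HEAP_DIVISOR; }

    public static Collection<? extends CRL> load(Path crlPath, long maxBytes)
            throws IOException, GeneralSecurityException {
        long size = Files.size(crlPath);          // cheap pre-check, nothing parsed yet
        if (size > maxBytes)
            throw new IOException("CRL " + crlPath + " is " + size + " bytes; budget is " + maxBytes);
        // The stream limit covers a file that grows or is swapped after the size check.
        try (InputStream in = new BufferedInputStream(
                new LimitedInputStream(Files.newInputStream(crlPath), maxBytes))) {
            return CertificateFactory.getInstance("X.509").generateCRLs(in);
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(load(Paths.get(args[0]), defaultBudget()).size() + " CRL(s) loaded");
    }
}
```

A failed load surfaces as an `IOException` or `CRLException` at startup instead of an `OutOfMemoryError` later, which gives operators a clear signal to raise the heap or trim the CRL.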