New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Move ocsp_response_cache:delete after certificate_data:set #6200
Conversation
Hi @wenzong. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/assign @ElvinEfendi |
/ok-to-test |
I think this is significantly better though. There will potentially be mismatch, but we will not be caching OCSP response for an outdated certificate at least. In other words if we hit the race with this PR the worst is few requests will have incorrect OCSP response, whereas with the original fix if the bug was hit incorrect OCSP response would be served until NGINX is restarted or cache is expired after 3 days. |
3af44a2
to
87e79da
Compare
I also considered using some kind of lock to make the operations atomically, there is two reasons prevent me from doing so. The first consideration is the performance could be affected by using lock. Another problem is I am not familiar with the openresty and Lua ecosystem, therefore I don't know whether there is any mature lock implementation. So I just change the operations order to avoid severe issue ;) Code refactored. Please review again. |
/lgtm FWIW lua-resty-lock is mature enough locking library for Openresty. |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ElvinEfendi, wenzong The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Move ocsp_response_cache:delete after certificate_data:set
What this PR does / why we need it:
There is a potential concurrency problem.
So in /configurations/servers:
Since the two steps are not atomic operation, there is a small chance that some nginx worker missed the cache and read the old certificate, then fetch and cache the old ocsp_response again.
This PR change the sequence of the two operations.
However this PR is not perfect. There might be some requests still served by mismatch certificate and OCSP Response(between certificate_data:set and ocsp_response_cache:delete), but the impact is much more smaller than origin implementation.
Types of changes
Which issue/s this PR fixes
How Has This Been Tested?
Checklist: