
Diff of /nl.nikhef.pdp.fetchcrl/trunk/TrustAnchor.pm


revision 2652 by davidg, Tue Jul 2 19:16:38 2013 UTC revision 3178 by davidg, Tue Apr 11 07:16:27 2017 UTC
# Line 112  sub loadAnchor($$) { Line 112  sub loadAnchor($$) {
112      @{$self->{"crlurls"}} = ();      @{$self->{"crlurls"}} = ();
113      open CRLURL,"$path$basename$suffix" or      open CRLURL,"$path$basename$suffix" or
114        $::log->err("Error reading crl_url $path$basename$suffix: $!") and return 0;        $::log->err("Error reading crl_url $path$basename$suffix: $!") and return 0;
115        $self->{"filename"} = "$path$basename$suffix";
116      my $urllist;      my $urllist;
117      while (<CRLURL>) {      while (<CRLURL>) {
118        /^\s*([^#\n]+).*$/ and my $url = $1 or next;        /^\s*([^#\n]+).*$/ and my $url = $1 or next;
# Line 134  sub loadAnchor($$) { Line 135  sub loadAnchor($$) {
135      $info->read( $path . $basename . $suffix ) or      $info->read( $path . $basename . $suffix ) or
136        $::log->err("Error reading info $path$basename$suffix", $info->errstr)        $::log->err("Error reading info $path$basename$suffix", $info->errstr)
137          and return 0;          and return 0;
138        $self->{"filename"} = "$path$basename$suffix";
139    
140      $info->{_}->{"crl_url"} and $info->{_}->{"crl_url.0"} and      $info->{_}->{"crl_url"} and $info->{_}->{"crl_url.0"} and
141        $::log->err("Invalid info for $basename: crl_url and .0 duplicate") and        $::log->err("Invalid info for $basename: crl_url and .0 duplicate") and
# Line 433  sub retrieveHTTP($$) { Line 435  sub retrieveHTTP($$) {
435        $ua->proxy("http", $self->{"http_proxy"});        $ua->proxy("http", $self->{"http_proxy"});
436      }      }
437    }    }
438      # set request cache control if specified as valid in config
439      if ( defined $::cnf->{_}->{cache_control_request} ) {
440        $::log->verb(5,"Setting request cache-control to ".
441                       $::cnf->{_}->{cache_control_request});
442        if ( $::cnf->{_}->{cache_control_request} =~ /^\d+$/ ) {
443          $ua->default_header('Cache-control' =>
444                              "max-age=".$::cnf->{_}->{cache_control_request} );
445        } else {
446          die "Request cache control is invalid (not a number)\n";
447        }
448      }
449    
450    # see with a HEAD request if we can get by with old data    # see with a HEAD request if we can get by with old data
451    # but to assess that we need Last-Modified from the previous request    # but to assess that we need Last-Modified from the previous request
# Line 454  sub retrieveHTTP($$) { Line 466  sub retrieveHTTP($$) {
466      alarm 0; # make sure the alarm stops ticking, regardless of the eval      alarm 0; # make sure the alarm stops ticking, regardless of the eval
467    
468      if ( $@ ) { # died, alarm hit: server bad, so try next URL      if ( $@ ) { # died, alarm hit: server bad, so try next URL
469        $::log->verb(2,"HEAD error $url:", $@);        chomp($@);
470          my $shorterror = $@; $shorterror =~ s/\n.*$//gs;
471          $::log->verb(2,"HEAD error $url:", $shorterror);
472          # underlying socket library may be verybose - filter and qualify messages
473          if ( $shorterror ne $@ ) {
474            foreach my $errorline ( split(/\n/,$@) ) {
475              chomp($errorline); $errorline eq $shorterror and next; # nodups
476              $errorline and $::log->verb(4,"HEAD error detail:", $errorline);
477            }
478          }
479        return undef;        return undef;
480      }      }
481    
# Line 497  sub retrieveHTTP($$) { Line 518  sub retrieveHTTP($$) {
518    
519    if ( $@ ) {    if ( $@ ) {
520      chomp($@);      chomp($@);
521      $::log->verb(0,"Download error $url:", $@);      my $shorterror = $@; $shorterror =~ s/\n.*$//gs;
522        $::log->verb(0,"Download error $url:", $shorterror);
523        # underlying socket library may be verybose - filter and qualify messages
524        if ( $shorterror ne $@ ) {
525          foreach my $errorline ( split(/\n/,$@) ) {
526            chomp($errorline); $errorline eq $shorterror and next; # nodups
527            $errorline and $::log->verb(4,"Download error detail:", $errorline);
528          }
529        }
530      return undef;      return undef;
531    }    }
532    
# Line 567  sub retrieve($) { Line 596  sub retrieve($) {
596      # be used for all (like  Last-Modified, and cache control data)      # be used for all (like  Last-Modified, and cache control data)
597    
598      # if we have a cached piece of fresh data, return that one      # if we have a cached piece of fresh data, return that one
599        # and make sure the nextupdate in the CRL itself outlives claimed freshness
600      if ( !$self->{"nocache"} and      if ( !$self->{"nocache"} and
601            ($self->{"crl"}[$i]{"state"}{"freshuntil"} || 0) > time and            ($self->{"crl"}[$i]{"state"}{"freshuntil"} || 0) > time and
602            ($self->{"crl"}[$i]{"state"}{"nextupdate"} || time) >= time and            ($self->{"crl"}[$i]{"state"}{"nextupdate"} || time) >= time and
603              ($self->{"crl"}[$i]{"state"}{"nextupdate"} || 0) >=
604                  ($self->{"crl"}[$i]{"state"}{"freshuntil"} || 0) and
605            $self->{"crl"}[$i]{"state"}{"b64data"} ) {            $self->{"crl"}[$i]{"state"}{"b64data"} ) {
606        $::log->verb(3,"Using cached content for",$self->{"alias"},"index",$i);        $::log->verb(3,"Using cached content for",$self->{"alias"},"index",$i);
607        $::log->verb(4,"Content dated",        $::log->verb(4,"Content dated",
# Line 614  sub retrieve($) { Line 646  sub retrieve($) {
646                           time )/3600).                           time )/3600).
647                       " left of ".$self->{"agingtolerance"}."h, retry later.");                       " left of ".$self->{"agingtolerance"}."h, retry later.");
648           } else {           } else {
649          $::log->err("CRL retrieval for",          $::log->retr_err("CRL retrieval for",
650                       $self->{"alias"},($i?"[$i] ":"")."failed.",                       $self->{"alias"},($i?"[$i] ":"")."failed.",
651                       $self->{"agingtolerance"}."h grace expired.",                       $self->{"agingtolerance"}."h grace expired.",
652                       "CRL not updated");                       "CRL not updated");
653           }           }
654        } else { # direct errors, no tolerance anymore        } else { # direct errors, no tolerance anymore
655          $::log->err("CRL retrieval for",          $::log->retr_err("CRL retrieval for",
656                       $self->{"alias"},($i?"[$i] ":"")."failed,",                       $self->{"alias"},($i?"[$i] ":"")."failed,",
657                       "CRL not updated");                       "CRL not updated");
658        }        }
# Line 721  sub verifyAndConvertCRLs($) { Line 753  sub verifyAndConvertCRLs($) {
753      }      }
754    
755      $#verifyMessages >= 0 and do {      $#verifyMessages >= 0 and do {
756        $::log->err("CRL verification failed for",$self->{"anchorname"}."/$i",        $::log->retr_err("CRL verification failed for",$self->{"anchorname"}."/$i",
757                    "(".$self->{"alias"}.")");                    "(".$self->{"alias"}.")");
758        foreach my $m ( @verifyMessages ) {        foreach my $m ( @verifyMessages ) {
759          $::log->verb(0,$self->{"anchorname"}."/$i:",$m);          $::log->verb(0,$self->{"anchorname"}."/$i:",$m);
# Line 733  sub verifyAndConvertCRLs($) { Line 765  sub verifyAndConvertCRLs($) {
765      foreach my $key ( qw/ lastupdate nextupdate sha1fp issuer / ) {      foreach my $key ( qw/ lastupdate nextupdate sha1fp issuer / ) {
766        $self->{"crl"}[$i]{"state"}{$key} = $crl->getAttribute($key) || "";        $self->{"crl"}[$i]{"state"}{$key} = $crl->getAttribute($key) || "";
767      }      }
768    
769    
770        # issue a low-level warning in case the cache control headers from
771        # the CA (or its CDN) are bugus, i.e. the CRL wille expire before the
772        # cache does. Don't log at warning, since the site cannot fix this
773        if ( defined ($self->{"crl"}[$i]{"state"}{"freshuntil"}) and
774             ( $self->{"crl"}[$i]{"state"}{"freshuntil"} >
775               ( $self->{"crl"}[$i]{"state"}{"nextupdate"} +
776                 $::cnf->{_}->{expirestolerance} )
777             )
778          ) {
779          $::log->verb(1,"Cache control headers for CA ".$self->{"alias"}." at ".
780            "URL ".$self->{"crl"}[$i]{"state"}{"sourceurl"}." have apparent ".
781            "freshness ".sprintf("%.1f",($self->{"crl"}[$i]{"state"}{"freshuntil"}-
782                                 $self->{"crl"}[$i]{"state"}{"nextupdate"})/3600).
783            "hrs beyond CRL expiration nextUpdate. Reset freshness from ".
784            gmtime($self->{"crl"}[$i]{"state"}{"freshuntil"})." UTC to ".
785            $::cnf->{_}->{expirestolerance}." second before nextUpdate at ".
786            gmtime($self->{"crl"}[$i]{"state"}{"nextupdate"})." UTC.");
787          $self->{"crl"}[$i]{"state"}{"freshuntil"} =
788            $self->{"crl"}[$i]{"state"}{"nextupdate"} -
789            $::cnf->{_}->{expirestolerance};
790        }
791    
792        # limit maximum freshness period to compensate for CAs that overdo it
793        if ( defined ($self->{"crl"}[$i]{"state"}{"freshuntil"}) and
794             $self->{"crl"}[$i]{"state"}{"freshuntil"} >
795               (time + $::cnf->{_}->{maxcachetime}) ) {
796          $self->{"crl"}[$i]{"state"}{"freshuntil"} =
797            time+$::cnf->{_}->{maxcachetime};
798          $::log->verb(1,"Cache state freshness expiry for CA ".$self->{"alias"}.
799                       " reset to at most ".
800                       sprintf("%.1f",$::cnf->{_}->{maxcachetime}/3600.).
801                       "hrs beyond current time (".
802                       gmtime($self->{"crl"}[$i]{"state"}{"freshuntil"})." UTC)");
803        }
804    
805    }    }
806    return 1;    return 1;
807  }  }
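Review bot: The expires-tolerance clamp added at new lines 773-790 does arithmetic on `$self->{"crl"}[$i]{"state"}{"nextupdate"}` without checking that it is set, yet the loop just above (new line 766) stores `$crl->getAttribute($key) || ""`, so a CRL whose nextupdate attribute comes back absent or empty reaches `"" + $::cnf->{_}->{expirestolerance}`. If this file runs under warnings that emits an "isn't numeric" warning, the comparison then succeeds for any realistic freshuntil timestamp, and freshuntil is reset to a negative value while the verb(1) message reports a nextUpdate of 1 Jan 1970 UTC — fail-safe, since the cache is then never used, but noisy and misleading; adding `$self->{"crl"}[$i]{"state"}{"nextupdate"} ne "" and` as a second conjunct of that `if` avoids it (the retrieve() hunk already guards the same field with `|| time`). The two new comment lines also carry typos: "bugus" should read "bogus" and "wille" should read "will". verifyAndConvertCRLs begins before this hunk, so the earlier part of its loop body is not visible here.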

