Skip to content

Cert Auth: Cache validation for expired certs #31456

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 2 commits into from
Closed

Cert Auth: Cache validation for expired certs #31456

wants to merge 2 commits into from

Conversation

HaoK
Copy link
Member

@HaoK HaoK commented Apr 1, 2021
edited
Loading

We saw massive performance hits in the benchmark when we were using an expired cert, due to the validation cache not storing expired certs at all.

Cache expired certs for 2 minutes by default should mitigate this

@ghost ghost added the area-auth Includes: Authn, Authz, OAuth, OIDC, Bearer label Apr 1, 2021
@HaoK HaoK requested a review from Tratcher April 1, 2021 22:59
@HaoK HaoK marked this pull request as ready for review April 1, 2021 22:59
JamesNK
JamesNK reviewed Apr 2, 2021
View reviewed changes
Copy link
Member

@JamesNK JamesNK left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there an issue about why this change is being made? If not, at to PR description.

Also, is it possible to add a unit test of this behavior?

src/Security/Authentication/Certificate/src/CertificateValidationCache.cs
.SetSize(1).SetSlidingExpiration(_options.CacheEntryExpiration).SetAbsoluteExpiration(certificate.NotAfter));
{
// Cache expired certs for little while too
var absExpiration = (certificate.NotAfter < DateTime.Now) ? DateTime.Now + _options.CacheEntryExpiration : certificate.NotAfter;
Copy link
Member

@JamesNK JamesNK Apr 2, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is NotAfter a UTC or local time? Change to DateTime.UtcNow if it is UTC, or add a comment that it is local and that DateTime.Now usage is intentional.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

NotAfter is local time, so I'll add a comment, will look to see if its easy to add a unit test

@HaoK HaoK marked this pull request as draft May 17, 2021 23:06
@dougbu
Copy link
Contributor

dougbu commented May 20, 2021

@HaoK this is blocking #32875 I think. We should fix the problem ASAP.

@dougbu dougbu mentioned this pull request May 20, 2021
Merged
@HaoK
Copy link
Member Author

HaoK commented May 20, 2021

This PR doesn't have anything to do with the tests failures, its just a performance fix in one scenario, it won't have any functional impact its just follow up to some perf issues we saw from the benchmarks when we had an expired cert

@mkArtakMSFT
Copy link
Contributor

@HaoK should this be closed give it's almost a year old?

@HaoK
Copy link
Member Author

HaoK commented Mar 24, 2022

No I will get this in during 7.0, i just need to add some tests

@HaoK
Copy link
Member Author

HaoK commented Mar 24, 2022

Actually looks like this fix was already contained in d5a337c

@HaoK HaoK closed this Mar 24, 2022
@wtgodbe wtgodbe deleted the haok/cert branch May 2, 2024 20:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@JamesNK JamesNK JamesNK left review comments

@Tratcher Tratcher Awaiting requested review from Tratcher

@halter73 halter73 Awaiting requested review from halter73 halter73 will be requested when the pull request is marked ready for review halter73 is a code owner

Assignees
No one assigned
Labels
area-auth Includes: Authn, Authz, OAuth, OIDC, Bearer
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@HaoK @dougbu @mkArtakMSFT @JamesNK