Module: Mongo::Socket::OcspCache (Private)

Defined in:
lib/mongo/socket/ocsp_cache.rb

Overview

This module is part of a private API. You should avoid using this module if possible, as it may be removed or be changed in the future.

This module caches OCSP responses for the validity period they indicate, with one exception described under .get: a response that reports the certificate as revoked is retained even after its next_update time has passed.

The key is the CertificateId used for the OCSP request. The value is the corresponding OpenSSL::OCSP::SingleResponse, the object .get returns; the code below relies on its certid, cert_status and next_update accessors.

Since:

  • 2.0.0

Class Method Summary

  • .clear ⇒ Object
    Clears the driver's OCSP response cache.
  • .delete(cert_id) ⇒ Object
    Removes any cached response for the given CertificateId.
  • .get(cert_id) ⇒ OpenSSL::OCSP::SingleResponse
    Retrieves a cached SingleResponse for the specified CertificateId.
  • .responses ⇒ Object
    Returns the array holding the cached responses.
  • .set(cert_id, response) ⇒ Object
    Caches a response for the given CertificateId.

Class Method Details

.clear ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Note:

Use Mongo.clear_ocsp_cache from applications instead of invoking this method directly.

Clears the driver’s OCSP response cache.

Since:

  • 2.0.0



# File 'lib/mongo/socket/ocsp_cache.rb', line 79

module_function def clear
  responses.replace([])
end

.delete(cert_id) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Removes every cached response whose CertificateId matches cert_id (compared with OpenSSL::OCSP::CertificateId#cmp). Nothing happens if no such response is cached.

Since:

  • 2.0.0



# File 'lib/mongo/socket/ocsp_cache.rb', line 69

module_function def delete(cert_id)
  responses.delete_if do |resp|
    resp.certid.cmp(cert_id)
  end
end

.get(cert_id) ⇒ OpenSSL::OCSP::SingleResponse

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Retrieves a cached SingleResponse for the specified CertificateId.

This method may return a response whose next_update time has already passed if that response reports the certificate as revoked. Revocation is permanent, so such responses are kept indefinitely; they were within their validity window when they were first cached.

This method may also return a response that is valid now but will expire before the caller uses it. The caller should not re-check this_update or next_update on the returned response; a validity-time check would wrongly reject the retained revoked responses described above.

Returns:

  • (OpenSSL::OCSP::SingleResponse)

The previously cached response, or nil if no response is cached for cert_id or the cached response has status good and is past its next_update time (in which case it is evicted).

Since:

  • 2.0.0



# File 'lib/mongo/socket/ocsp_cache.rb', line 42

module_function def get(cert_id)
  resp = responses.detect do |resp|
    resp.certid.cmp(cert_id)
  end
  # Only expire responses with good status.
  # Once a certificate is revoked, it should stay revoked forever,
  # hence we should be able to cache revoked responses indefinitely.
  if resp && resp.cert_status == OpenSSL::OCSP::V_CERTSTATUS_GOOD &&
     resp.next_update < Time.now
    responses.delete(resp)
    resp = nil
  end

  # If we have connected to a server and cached the OCSP response for it,
  # and then never connect to that server again, the cached OCSP response
  # is going to remain in memory indefinitely. Periodically remove all
  # expired OCSP responses, not just the ones matching the certificate id
  # we are querying by.
  if rand < 0.01
    responses.delete_if do |resp|
      resp.next_update < Time.now
    end
  end

  resp
end
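The eviction asymmetry described above is easiest to see with real OpenSSL::OCSP objects. The following Ruby is an added example, not code from the mongo-ruby-driver: it builds a throwaway self-signed CA and two leaf certificates in memory, issues one good and one revoked OpenSSL::OCSP::SingleResponse whose next_update is already one second in the past, and runs them through DemoOcspCache, a simplified reimplementation of the get/set policy on this page that does not touch the driver's module. DemoOcspCache, make_cert, single_response, run_scenario, the certificate names and the keyCompromise reason are all invented for this example, and treating a missing next_update as expired is this example's assumption (the driver code shown assumes next_update is present). It also shows why the caller must not re-run validity-time checks: SingleResponse#check_validity rejects the retained revoked response even though the cache returns it.

```ruby
require 'openssl'

# Added example, not part of mongo-ruby-driver. Everything here (test CA,
# certificates, OCSP responses) is constructed in memory; nothing is fetched.

# Issue an X.509 certificate. Without issuer_cert/issuer_key the result is a
# self-signed CA; with them it is a leaf signed by that CA.
def make_cert(common_name, serial, issuer_cert: nil, issuer_key: nil)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Build one OpenSSL::OCSP::SingleResponse for cert_id. Integer times are
# seconds relative to now (that is how BasicResponse#add_status reads them),
# so next_update: -1 produces a response whose validity window has closed.
def single_response(cert_id, status, this_update:, next_update:, revoked_at: nil)
  revoked = status == OpenSSL::OCSP::V_CERTSTATUS_REVOKED
  reason = revoked ? OpenSSL::OCSP::REVOKED_STATUS_KEYCOMPROMISE : 0
  basic = OpenSSL::OCSP::BasicResponse.new
  basic.add_status(cert_id, status, reason, revoked ? revoked_at : nil,
                   this_update, next_update, nil)
  basic.find_response(cert_id)
end

# Simplified stand-in for the cache on this page (the name is this example's
# own). Same policy as Mongo::Socket::OcspCache.get: a GOOD response is
# dropped once next_update has passed, a REVOKED one is kept indefinitely.
class DemoOcspCache
  def initialize
    @lock = Mutex.new
    @responses = []
  end

  # Replace any cached response carrying the same CertificateId.
  def set(cert_id, response)
    @lock.synchronize do
      @responses.delete_if { |r| r.certid.cmp(cert_id) }
      @responses << response
    end
  end

  def get(cert_id, now = Time.now)
    @lock.synchronize do
      resp = @responses.detect { |r| r.certid.cmp(cert_id) }
      if resp && resp.cert_status == OpenSSL::OCSP::V_CERTSTATUS_GOOD && expired?(resp, now)
        @responses.delete(resp)
        resp = nil
      end
      resp
    end
  end

  def size
    @lock.synchronize { @responses.size }
  end

  private

  # next_update is optional in OCSP (RFC 6960). Treating its absence as
  # expired is this example's assumption; the driver code on this page
  # assumes next_update is always present.
  def expired?(resp, now)
    resp.next_update.nil? || resp.next_update < now
  end
end

# Exercise the policy and return the observations as a hash.
def run_scenario
  ca_cert, ca_key = make_cert('Demo OCSP CA', 1)
  good_cert, _key = make_cert('good.example', 2, issuer_cert: ca_cert, issuer_key: ca_key)
  revoked_cert, _key = make_cert('revoked.example', 3, issuer_cert: ca_cert, issuer_key: ca_key)
  good_id = OpenSSL::OCSP::CertificateId.new(good_cert, ca_cert)
  revoked_id = OpenSSL::OCSP::CertificateId.new(revoked_cert, ca_cert)

  cache = DemoOcspCache.new
  # Both responses are already past next_update when cached.
  cache.set(good_id, single_response(good_id, OpenSSL::OCSP::V_CERTSTATUS_GOOD,
                                     this_update: -60, next_update: -1))
  cache.set(revoked_id, single_response(revoked_id, OpenSSL::OCSP::V_CERTSTATUS_REVOKED,
                                        this_update: -60, next_update: -1, revoked_at: -3600))

  stale_good = cache.get(good_id)   # evicted: GOOD and past next_update
  revoked = cache.get(revoked_id)   # still returned: revocation does not expire
  # A fresh GOOD response for the same id replaces the evicted one.
  cache.set(good_id, single_response(good_id, OpenSSL::OCSP::V_CERTSTATUS_GOOD,
                                     this_update: -1, next_update: 60))
  {
    stale_good_returned: !stale_good.nil?,
    revoked_returned: !revoked.nil?,
    revoked_status: revoked && revoked.cert_status,
    # What a caller re-checking validity times would conclude about the
    # retained revoked response: OpenSSL rejects it as out of date.
    revoked_passes_check_validity: revoked ? revoked.check_validity : nil,
    fresh_good_returned: !cache.get(good_id).nil?,
    cached_entries: cache.size
  }
end

puts run_scenario.inspect if $PROGRAM_NAME == __FILE__
```

Running the file prints the observation hash: the stale good response is gone, the revoked one is returned with cert_status V_CERTSTATUS_REVOKED, check_validity on it is false, and the cache ends with two entries. The mutex in DemoOcspCache wraps every read and write of the array, which differs from the driver code shown here, where LOCK only guards the array's lazy creation.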

.responses ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns the module-level array holding the cached responses, creating it on first use under LOCK. Note that only this lazy initialization is synchronized: clear, delete, get and set read and mutate the returned array without holding LOCK.

Since:

  • 2.0.0



# File 'lib/mongo/socket/ocsp_cache.rb', line 87

module_function def responses
  LOCK.synchronize do
    @responses ||= []
  end
end

.set(cert_id, response) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Caches response for cert_id, first removing any previously cached response for the same CertificateId, so the cache holds at most one response per CertificateId.

Since:

  • 2.0.0



# File 'lib/mongo/socket/ocsp_cache.rb', line 26

module_function def set(cert_id, response)
  delete(cert_id)
  responses << response
end