Add SslInfoContributor and SslHealthIndicator #41205
base: main
Conversation
Hey @jonatan-ivanov, that's quite a cool feature, thank you! The implementation looks good, too. This works for all SSL bundles, and not only for the one used by the webserver, right?

Great to hear! The main focus is the webserver but I think this should work for all SSL bundles (not tested yet) since using an expired cert can cause issues in every place they are used. I can go ahead and work on the TODO items/docs/tests, in the meantime, can I get some feedback on two important items?

I think this is fine. However, I'm not sure we need to use That class adapts the discrete We could just focus the

👍🏼 That's the exact same use-case I'm using

That would simplify the changes in the PR a bit but also complicate the life of the users: simply enabling the feature might not do anything for them if they are not using bundles or it would work just half-way for them if they use bundles just not for the webserver. If it is not a big issue to use

Along with In either case, I don't think it's necessary to make

Treating the discrete web server SSL properties specially somewhat makes sense to me since that's what
Production incidents because of invalid certificates are common issues in the industry. `SslInfoContributor` and `SslHealthIndicator` in this PR can help to mitigate them, they:

- [...] (`issuer`, `subject`, `validity`, etc.)

This PR is a draft/proof of concept right now (to gather feedback), it does not have tests (has a temporary(?) demo using `spring-boot-smoke-test-tomcat-ssl`) nor docs but it has quite a few `TODO`s (see them in the comments):

- `Status` could be enhanced by adding a new status: `WARNING`
- `WebServerSslBundle.get` call could be optimized and its result reused

Example `/info` and `/health` outputs:

- `/info` of a `VALID` cert
- `/health` of a `VALID` cert
- `/info` of an `EXPIRED` cert
- `/health` of an `EXPIRED` cert
- `/info` of a cert that `WILL_EXPIRE_SOON`
- `/health` of a cert that `WILL_EXPIRE_SOON`

If you want to play with it, start `spring-boot-smoke-test-tomcat-ssl`, the cert in `resources/sample.jks` is already `EXPIRED`, you can generate a `VALID` one via [...] or one that `WILL_EXPIRE_SOON` via: [...]
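As an added example that is not part of this PR or of Spring Boot's own code: a standalone JDK program that loads a keystore such as the smoke test's `resources/sample.jks`, walks every alias including the intermediates in a key entry's chain, and labels each certificate with the same `VALID` / `EXPIRED` / `WILL_EXPIRE_SOON` statuses the PR discusses. The class name, the command-line arguments, the default 14-day threshold and the extra `NOT_YET_VALID` status (a cert whose `notBefore` is in the future fails the handshake just like an expired one) are this example's own assumptions; it uses only `java.security` rather than Spring Boot's `SslBundle` API, so it runs against any JKS or PKCS12 file.

```java
// Added example, not code from the PR or from Spring Boot.
// Usage: java KeyStoreCertificateCheck.java <keystore> <password> [JKS|PKCS12] [thresholdDays]
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.Map;

public class KeyStoreCertificateCheck {

    // Ordered by severity so "worst wins" aggregation can use ordinal().
    // NOT_YET_VALID is this example's addition; the PR only discusses the first three.
    enum CertStatus { VALID, WILL_EXPIRE_SOON, EXPIRED, NOT_YET_VALID }

    // Pure classification rule, kept separate so it can be unit-tested without a keystore.
    // X.509 validity is inclusive: a cert is still valid at exactly notAfter.
    static CertStatus classify(Instant notBefore, Instant notAfter, Instant now, Duration threshold) {
        if (now.isBefore(notBefore)) {
            return CertStatus.NOT_YET_VALID;
        }
        if (now.isAfter(notAfter)) {
            return CertStatus.EXPIRED;
        }
        if (!now.plus(threshold).isBefore(notAfter)) {
            return CertStatus.WILL_EXPIRE_SOON;
        }
        return CertStatus.VALID;
    }

    // Inspects every certificate in the store. For PrivateKeyEntry aliases the whole chain
    // is checked: an expired intermediate breaks the TLS handshake just like an expired leaf.
    static Map<String, Map<String, Object>> inspect(KeyStore keyStore, Instant now, Duration threshold)
            throws Exception {
        Map<String, Map<String, Object>> report = new LinkedHashMap<>();
        Enumeration<String> aliases = keyStore.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            Certificate[] chain = keyStore.getCertificateChain(alias); // non-null only for key entries
            if (chain == null) {
                Certificate single = keyStore.getCertificate(alias);   // TrustedCertificateEntry
                chain = (single == null) ? new Certificate[0] : new Certificate[] { single };
            }
            for (int i = 0; i < chain.length; i++) {
                if (!(chain[i] instanceof X509Certificate)) {
                    continue;
                }
                X509Certificate cert = (X509Certificate) chain[i];
                Instant notBefore = cert.getNotBefore().toInstant();
                Instant notAfter = cert.getNotAfter().toInstant();
                Map<String, Object> details = new LinkedHashMap<>();
                details.put("subject", cert.getSubjectX500Principal().getName());
                details.put("issuer", cert.getIssuerX500Principal().getName());
                details.put("validityStarts", notBefore);
                details.put("validityEnds", notAfter);
                details.put("status", classify(notBefore, notAfter, now, threshold));
                report.put(alias + "[" + i + "]", details);
            }
        }
        return report;
    }

    // A single health indicator should report the worst certificate it found.
    static CertStatus overall(Map<String, Map<String, Object>> report) {
        CertStatus worst = CertStatus.VALID;
        for (Map<String, Object> details : report.values()) {
            CertStatus status = (CertStatus) details.get("status");
            if (status.ordinal() > worst.ordinal()) {
                worst = status;
            }
        }
        return worst;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: KeyStoreCertificateCheck <keystore> <password> [JKS|PKCS12] [thresholdDays]");
            System.exit(2);
        }
        String type = (args.length > 2) ? args[2] : KeyStore.getDefaultType();
        Duration threshold = Duration.ofDays(args.length > 3 ? Long.parseLong(args[3]) : 14); // 14 days is an assumption
        KeyStore keyStore = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(Path.of(args[0]))) {
            keyStore.load(in, args[1].toCharArray());
        }
        Map<String, Map<String, Object>> report = inspect(keyStore, Instant.now(), threshold);
        report.forEach((alias, details) -> System.out.println(alias + " -> " + details));
        CertStatus overall = overall(report);
        System.out.println("overall: " + overall);
        // Exit non-zero only for hard failures so the check can gate a deploy;
        // WILL_EXPIRE_SOON is a warning, matching the PR's idea of a softer status.
        System.exit(overall == CertStatus.VALID || overall == CertStatus.WILL_EXPIRE_SOON ? 0 : 1);
    }
}
```

Run it against the smoke test's keystore with that keystore's password (the password is not given on this page) and it prints one line per certificate with subject, issuer and validity window, then the aggregated status. The split between `classify` and `inspect` is deliberate: the threshold rule is the part most likely to be tuned (and argued about, as the `Status` / `WARNING` TODO shows), so it is kept free of any keystore I/O.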