diff --git a/changelogs/current.yaml b/changelogs/current.yaml index 6d70c11851399..96329f726d524 100644 --- a/changelogs/current.yaml +++ b/changelogs/current.yaml @@ -66,6 +66,9 @@ removed_config_or_runtime: - area: tcp_proxy change: | removed ``envoy.reloadable_features.new_tcp_connection_pool`` and legacy code paths. +- area: tls + change: | + fixed a bug when a certificate is invalid, ``days_until_expiration`` reports a big number. After this fix, when a certificate expires, it reports as ``0``. - area: conn pool change: | removed ``envoy.reloadable_features.conn_pool_delete_when_idle`` and legacy code paths. diff --git a/envoy/ssl/context.h b/envoy/ssl/context.h index d7b9248e8b773..738a7b790f6a7 100644 --- a/envoy/ssl/context.h +++ b/envoy/ssl/context.h @@ -21,9 +21,10 @@ class Context { virtual ~Context() = default; /** - * @return the number of days in this context until the next certificate will expire + * @return the number of days in this context until the next certificate will expire, the value is + * set when not expired. */ - virtual size_t daysUntilFirstCertExpires() const PURE; + virtual absl::optional daysUntilFirstCertExpires() const PURE; /** * @return certificate details conforming to proto admin.v2alpha.certs. diff --git a/envoy/ssl/context_manager.h b/envoy/ssl/context_manager.h index bf3d16014bf73..73ea031a7f2e7 100644 --- a/envoy/ssl/context_manager.h +++ b/envoy/ssl/context_manager.h @@ -33,9 +33,10 @@ class ContextManager { const std::vector& server_names) PURE; /** - * @return the number of days until the next certificate being managed will expire. + * @return the number of days until the next certificate being managed will expire, the value is + * set when not expired. */ - virtual size_t daysUntilFirstCertExpires() const PURE; + virtual absl::optional daysUntilFirstCertExpires() const PURE; /** * Iterates through the contexts currently attached to a listener. 
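Review bot: The new `@return` text on `Context::daysUntilFirstCertExpires()` in envoy/ssl/context.h says only that "the value is set when not expired", which does not tell a caller what an empty optional means or that the result must be checked before it is unwrapped. I would write it as `@return the number of days until the first certificate in this context expires, or absl::nullopt if a certificate has already expired.` The same wording is repeated on `ContextManager::daysUntilFirstCertExpires()` in envoy/ssl/context_manager.h and on `getDaysUntilExpiration` in tls/utility.h. The utility.h comment should also say that a null certificate yields the maximum value and that a failed `ASN1_TIME_diff` is reported as nullopt too, both of which are visible in the utility.cc hunk.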
diff --git a/source/extensions/transport_sockets/tls/cert_validator/cert_validator.h b/source/extensions/transport_sockets/tls/cert_validator/cert_validator.h index 57d18c595210f..cb100f72d629f 100644 --- a/source/extensions/transport_sockets/tls/cert_validator/cert_validator.h +++ b/source/extensions/transport_sockets/tls/cert_validator/cert_validator.h @@ -75,7 +75,7 @@ class CertValidator { uint8_t hash_buffer[EVP_MAX_MD_SIZE], unsigned hash_length) PURE; - virtual size_t daysUntilFirstCertExpires() const PURE; + virtual absl::optional daysUntilFirstCertExpires() const PURE; virtual std::string getCaFileName() const PURE; virtual Envoy::Ssl::CertificateDetailsPtr getCaCertInformation() const PURE; }; diff --git a/source/extensions/transport_sockets/tls/cert_validator/default_validator.cc b/source/extensions/transport_sockets/tls/cert_validator/default_validator.cc index e95026d4a4441..8e48348ff66bc 100644 --- a/source/extensions/transport_sockets/tls/cert_validator/default_validator.cc +++ b/source/extensions/transport_sockets/tls/cert_validator/default_validator.cc @@ -473,7 +473,7 @@ Envoy::Ssl::CertificateDetailsPtr DefaultCertValidator::getCaCertInformation() c return Utility::certificateDetails(ca_cert_.get(), getCaFileName(), time_source_); } -size_t DefaultCertValidator::daysUntilFirstCertExpires() const { +absl::optional DefaultCertValidator::daysUntilFirstCertExpires() const { return Utility::getDaysUntilExpiration(ca_cert_.get(), time_source_); } diff --git a/source/extensions/transport_sockets/tls/cert_validator/default_validator.h b/source/extensions/transport_sockets/tls/cert_validator/default_validator.h index 2cea2782f0349..66a64a59c74cf 100644 --- a/source/extensions/transport_sockets/tls/cert_validator/default_validator.h +++ b/source/extensions/transport_sockets/tls/cert_validator/default_validator.h @@ -1,6 +1,7 @@ #pragma once #include +#include #include #include #include 
@@ -50,7 +51,7 @@ class DefaultCertValidator : public CertValidator, Logger::Loggable daysUntilFirstCertExpires() const override; std::string getCaFileName() const override { return ca_file_path_; }; Envoy::Ssl::CertificateDetailsPtr getCaCertInformation() const override; diff --git a/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.cc b/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.cc index 34ddcb322edb6..ae88dc7e73bdc 100644 --- a/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.cc +++ b/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.cc @@ -1,5 +1,7 @@ #include "source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.h" +#include + #include "envoy/extensions/transport_sockets/tls/v3/common.pb.h" #include "envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.pb.h" #include "envoy/network/transport_socket.h" @@ -263,14 +265,16 @@ std::string SPIFFEValidator::extractTrustDomain(const std::string& san) { return ""; } -size_t SPIFFEValidator::daysUntilFirstCertExpires() const { +absl::optional SPIFFEValidator::daysUntilFirstCertExpires() const { if (ca_certs_.empty()) { - return 0; + return absl::make_optional(std::numeric_limits::max()); } - size_t ret = SIZE_MAX; + absl::optional ret = absl::make_optional(std::numeric_limits::max()); for (auto& cert : ca_certs_) { - size_t tmp = Utility::getDaysUntilExpiration(cert.get(), time_source_); - if (tmp < ret) { + const absl::optional tmp = Utility::getDaysUntilExpiration(cert.get(), time_source_); + if (!tmp.has_value()) { + return absl::nullopt; + } else if (tmp.value() < ret.value()) { ret = tmp; } } diff --git a/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.h b/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.h index 8fe7a213e0de0..1e7426005fcd2 100644 
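Review bot: In `SPIFFEValidator::daysUntilFirstCertExpires()` the empty-bundle branch now returns the maximum value where it used to return 0, and neither a comment nor the changelog entry records that change. Monitoring that relied on a low value for a validator with no CA certificates loaded may no longer fire. If the new value is intended, say so at the branch, e.g. `// No CA certificates loaded, so nothing can expire: report the maximum.` The branch is also redundant, because `ret` starts at the same maximum and the loop body never runs for an empty `ca_certs_`; the loop variable can be `const auto& cert`. The function's final return lies outside the hunk.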
--- a/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.h +++ b/source/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator.h @@ -50,7 +50,7 @@ class SPIFFEValidator : public CertValidator { void updateDigestForSessionId(bssl::ScopedEVP_MD_CTX& md, uint8_t hash_buffer[EVP_MAX_MD_SIZE], unsigned hash_length) override; - size_t daysUntilFirstCertExpires() const override; + absl::optional daysUntilFirstCertExpires() const override; std::string getCaFileName() const override { return ca_file_name_; } Envoy::Ssl::CertificateDetailsPtr getCaCertInformation() const override; diff --git a/source/extensions/transport_sockets/tls/context_impl.cc b/source/extensions/transport_sockets/tls/context_impl.cc index 04de3265f0a08..a5a189b41b435 100644 --- a/source/extensions/transport_sockets/tls/context_impl.cc +++ b/source/extensions/transport_sockets/tls/context_impl.cc @@ -1,6 +1,7 @@ #include "source/extensions/transport_sockets/tls/context_impl.h" #include +#include #include #include #include 
@@ -484,14 +485,18 @@ std::vector ContextImpl::getPrivateKeyMe return providers; } -size_t ContextImpl::daysUntilFirstCertExpires() const { - int daysUntilExpiration = cert_validator_->daysUntilFirstCertExpires(); - for (auto& ctx : tls_contexts_) { - daysUntilExpiration = std::min( - Utility::getDaysUntilExpiration(ctx.cert_chain_.get(), time_source_), daysUntilExpiration); +absl::optional ContextImpl::daysUntilFirstCertExpires() const { + absl::optional daysUntilExpiration = cert_validator_->daysUntilFirstCertExpires(); + if (!daysUntilExpiration.has_value()) { + return absl::nullopt; } - if (daysUntilExpiration < 0) { // Ensure that the return value is unsigned - return 0; + for (auto& ctx : tls_contexts_) { + const absl::optional tmp = + Utility::getDaysUntilExpiration(ctx.cert_chain_.get(), time_source_); + if (!tmp.has_value()) { + return absl::nullopt; + } + daysUntilExpiration = std::min(tmp.value(), daysUntilExpiration.value()); } return daysUntilExpiration; } diff --git a/source/extensions/transport_sockets/tls/context_impl.h b/source/extensions/transport_sockets/tls/context_impl.h index 66f4bc39efcef..db82b3f4eef66 100644 --- a/source/extensions/transport_sockets/tls/context_impl.h +++ b/source/extensions/transport_sockets/tls/context_impl.h @@ -81,7 +81,7 @@ class ContextImpl : public virtual Envoy::Ssl::Context, static int sslSocketIndex(); // Ssl::Context - size_t daysUntilFirstCertExpires() const override; + absl::optional daysUntilFirstCertExpires() const override; Envoy::Ssl::CertificateDetailsPtr getCaCertInformation() const override; std::vector getCertChainInformation() const override; absl::optional secondsUntilFirstOcspResponseExpires() const override; diff --git a/source/extensions/transport_sockets/tls/context_manager_impl.cc b/source/extensions/transport_sockets/tls/context_manager_impl.cc index 09cfa3f71aa83..d039370791174 100644 --- a/source/extensions/transport_sockets/tls/context_manager_impl.cc 
+++ b/source/extensions/transport_sockets/tls/context_manager_impl.cc @@ -1,6 +1,7 @@ #include "source/extensions/transport_sockets/tls/context_manager_impl.h" #include +#include #include #include @@ -47,11 +48,15 @@ ContextManagerImpl::createSslServerContext(Stats::Scope& scope, return context; } -size_t ContextManagerImpl::daysUntilFirstCertExpires() const { - size_t ret = std::numeric_limits::max(); +absl::optional ContextManagerImpl::daysUntilFirstCertExpires() const { + absl::optional ret = absl::make_optional(std::numeric_limits::max()); for (const auto& context : contexts_) { if (context) { - ret = std::min(context->daysUntilFirstCertExpires(), ret); + const absl::optional tmp = context->daysUntilFirstCertExpires(); + if (!tmp.has_value()) { + return absl::nullopt; + } + ret = std::min(tmp.value(), ret.value()); } } return ret; diff --git a/source/extensions/transport_sockets/tls/context_manager_impl.h b/source/extensions/transport_sockets/tls/context_manager_impl.h index 7a05015e682f2..494f8a30ce215 100644 --- a/source/extensions/transport_sockets/tls/context_manager_impl.h +++ b/source/extensions/transport_sockets/tls/context_manager_impl.h @@ -1,5 +1,6 @@ #pragma once +#include #include #include @@ -34,7 +35,7 @@ class ContextManagerImpl final : public Envoy::Ssl::ContextManager { Ssl::ServerContextSharedPtr createSslServerContext(Stats::Scope& scope, const Envoy::Ssl::ServerContextConfig& config, const std::vector& server_names) override; - size_t daysUntilFirstCertExpires() const override; + absl::optional daysUntilFirstCertExpires() const override; absl::optional secondsUntilFirstOcspResponseExpires() const override; void iterateContexts(std::function callback) override; Ssl::PrivateKeyMethodManager& privateKeyMethodManager() override { diff --git a/source/extensions/transport_sockets/tls/utility.cc b/source/extensions/transport_sockets/tls/utility.cc index 52ffd9a349ad2..788c07f6ca2e2 100644 --- a/source/extensions/transport_sockets/tls/utility.cc 
+++ b/source/extensions/transport_sockets/tls/utility.cc @@ -1,5 +1,7 @@ #include "source/extensions/transport_sockets/tls/utility.h" +#include + #include "source/common/common/assert.h" #include "source/common/common/empty_string.h" #include "source/common/common/safe_memcpy.h" @@ -45,8 +47,8 @@ Envoy::Ssl::CertificateDetailsPtr Utility::certificateDetails(X509* cert, const std::make_unique(); certificate_details->set_path(path); certificate_details->set_serial_number(Utility::getSerialNumberFromCertificate(*cert)); - certificate_details->set_days_until_expiration( - Utility::getDaysUntilExpiration(cert, time_source)); + const auto days_until_expiry = Utility::getDaysUntilExpiration(cert, time_source).value_or(0); + certificate_details->set_days_until_expiration(days_until_expiry); ProtobufWkt::Timestamp* valid_from = certificate_details->mutable_valid_from(); TimestampUtil::systemClockToTimestamp(Utility::getValidFrom(*cert), *valid_from); @@ -253,16 +255,19 @@ std::string Utility::getSubjectFromCertificate(X509& cert) { return getRFC2253NameFromCertificate(cert, CertName::Subject); } -int32_t Utility::getDaysUntilExpiration(const X509* cert, TimeSource& time_source) { +absl::optional Utility::getDaysUntilExpiration(const X509* cert, + TimeSource& time_source) { if (cert == nullptr) { - return std::numeric_limits::max(); + return absl::make_optional(std::numeric_limits::max()); } int days, seconds; if (ASN1_TIME_diff(&days, &seconds, currentASN1_Time(time_source).get(), X509_get0_notAfter(cert))) { - return days; + if (days >= 0 && seconds >= 0) { + return absl::make_optional(days); + } } - return 0; + return absl::nullopt; } absl::string_view Utility::getCertificateExtensionValue(X509& cert, diff --git a/source/extensions/transport_sockets/tls/utility.h b/source/extensions/transport_sockets/tls/utility.h index c1fe2a1d212f4..fb9f6787c282e 100644 --- a/source/extensions/transport_sockets/tls/utility.h +++ b/source/extensions/transport_sockets/tls/utility.h 
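Review bot: The `days >= 0 && seconds >= 0` condition in `Utility::getDaysUntilExpiration` carries the whole fix but has no comment, and the reason for testing `seconds` is not obvious. A certificate that expired less than a day ago yields `days == 0` with a negative `seconds`, so testing `days` alone would still report it as valid. I would add `// ASN1_TIME_diff never returns days and seconds with opposite signs; a negative value in either means notAfter is already in the past.` above the condition. A failed `ASN1_TIME_diff` also falls through to `absl::nullopt`, so callers cannot tell an unparsable validity field from an expired certificate; that is worth one more comment line on the final return.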
@@ -89,9 +89,9 @@ absl::string_view getCertificateExtensionValue(X509& cert, absl::string_view ext * Returns the days until this certificate is valid. * @param cert the certificate * @param time_source the time source to use for current time calculation. - * @return the number of days till this certificate is valid. + * @return the number of days till this certificate is valid, the value is set when not expired. */ -int32_t getDaysUntilExpiration(const X509* cert, TimeSource& time_source); +absl::optional getDaysUntilExpiration(const X509* cert, TimeSource& time_source); /** * Returns the time from when this certificate is valid. diff --git a/source/server/server.cc b/source/server/server.cc index 7c298e7da6a2f..af51a05606101 100644 --- a/source/server/server.cc +++ b/source/server/server.cc @@ -276,7 +276,7 @@ void InstanceImpl::updateServerStats() { server_stats_->total_connections_.set(listener_manager_->numConnections() + parent_stats.parent_connections_); server_stats_->days_until_first_cert_expiring_.set( - sslContextManager().daysUntilFirstCertExpires()); + sslContextManager().daysUntilFirstCertExpires().value()); auto secs_until_ocsp_response_expires = sslContextManager().secondsUntilFirstOcspResponseExpires(); diff --git a/source/server/ssl_context_manager.cc b/source/server/ssl_context_manager.cc index a1a9fc12c9d0b..f2f086c7a7f7b 100644 --- a/source/server/ssl_context_manager.cc +++ b/source/server/ssl_context_manager.cc @@ -1,5 +1,7 @@ #include "source/server/ssl_context_manager.h" +#include + #include "envoy/common/exception.h" #include "envoy/registry/registry.h" 
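Review bot: `InstanceImpl::updateServerStats()` in source/server/server.cc unwraps the result with `.value()`, but `ContextManagerImpl::daysUntilFirstCertExpires()` in this same commit returns `absl::nullopt` as soon as any managed context holds an expired certificate. `value()` on an empty `absl::optional` throws `absl::bad_optional_access`, or terminates the process when exceptions are disabled, so an expired certificate would take down the stats update instead of being reported as `0` as the changelog entry promises. The call should be `sslContextManager().daysUntilFirstCertExpires().value_or(0)`, matching what `Utility::certificateDetails` already does. None of the visible test hunks exercises this path with an expired certificate, so a server-level test for it would be worth adding. The body of `updateServerStats` starts and ends outside the hunk.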
@@ -25,7 +27,9 @@ class SslContextManagerNoTlsStub final : public Envoy::Ssl::ContextManager { throwException(); } - size_t daysUntilFirstCertExpires() const override { return std::numeric_limits::max(); } + absl::optional daysUntilFirstCertExpires() const override { + return absl::make_optional(std::numeric_limits::max()); + } absl::optional secondsUntilFirstOcspResponseExpires() const override { return absl::nullopt; } diff --git a/test/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator_test.cc b/test/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator_test.cc index 3be9706e76be1..b2be308c55514 100644 --- a/test/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator_test.cc +++ b/test/extensions/transport_sockets/tls/cert_validator/spiffe/spiffe_validator_test.cc @@ -1,3 +1,4 @@ +#include #include #include #include @@ -539,7 +540,7 @@ name: envoy.tls.cert_validator.spiffe TEST_F(TestSPIFFEValidator, TestDaysUntilFirstCertExpires) { initialize(); - EXPECT_EQ(0, validator().daysUntilFirstCertExpires()); + EXPECT_EQ(std::numeric_limits::max(), validator().daysUntilFirstCertExpires().value()); Event::SimulatedTimeSystem time_system; time_system.setSystemTime(std::chrono::milliseconds(0)); 
@@ -557,9 +558,29 @@ name: envoy.tls.cert_validator.spiffe filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/intermediate_ca_cert.pem" )EOF"), time_system); - EXPECT_EQ(19231, validator().daysUntilFirstCertExpires()); + EXPECT_EQ(19231, validator().daysUntilFirstCertExpires().value()); time_system.setSystemTime(std::chrono::milliseconds(864000000)); - EXPECT_EQ(19221, validator().daysUntilFirstCertExpires()); + EXPECT_EQ(19221, validator().daysUntilFirstCertExpires().value()); +} + +TEST_F(TestSPIFFEValidator, TestDaysUntilFirstCertExpiresExpired) { + Event::SimulatedTimeSystem time_system; + // 2033-05-18 03:33:20 UTC + const time_t known_date_time = 2000000000; + time_system.setSystemTime(std::chrono::system_clock::from_time_t(known_date_time)); + + initialize(TestEnvironment::substitute(R"EOF( +name: envoy.tls.cert_validator.spiffe +typed_config: + "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig + trust_domains: + - name: example.com + trust_bundle: + filename: "{{ test_rundir }}/test/extensions/transport_sockets/tls/test_data/spiffe_san_cert.pem" + )EOF"), + time_system); + + EXPECT_EQ(absl::nullopt, validator().daysUntilFirstCertExpires()); } TEST_F(TestSPIFFEValidator, TestAddClientValidationContext) { diff --git a/test/extensions/transport_sockets/tls/context_impl_test.cc b/test/extensions/transport_sockets/tls/context_impl_test.cc index 2aeca582863b5..ad13eac2f5fe9 100644 --- a/test/extensions/transport_sockets/tls/context_impl_test.cc +++ b/test/extensions/transport_sockets/tls/context_impl_test.cc 
@@ -153,7 +153,7 @@ TEST_F(SslContextImplTest, TestExpiringCert) { // Calculate the days until test cert expires auto cert_expiry = TestUtility::parseTime(TEST_UNITTEST_CERT_NOT_AFTER, "%b %d %H:%M:%S %Y GMT"); int64_t days_until_expiry = absl::ToInt64Hours(cert_expiry - absl::Now()) / 24; - EXPECT_EQ(context->daysUntilFirstCertExpires(), days_until_expiry); + EXPECT_EQ(context->daysUntilFirstCertExpires().value(), days_until_expiry); } TEST_F(SslContextImplTest, TestExpiredCert) { @@ -171,7 +171,7 @@ TEST_F(SslContextImplTest, TestExpiredCert) { ClientContextConfigImpl cfg(tls_context, factory_context_); Envoy::Ssl::ClientContextSharedPtr context(manager_.createSslClientContext(store_, cfg)); auto cleanup = cleanUpHelper(context); - EXPECT_EQ(0U, context->daysUntilFirstCertExpires()); + EXPECT_EQ(absl::nullopt, context->daysUntilFirstCertExpires()); } // Validate that when the context is updated, the daysUntilFirstCertExpires returns the current @@ -191,7 +191,7 @@ TEST_F(SslContextImplTest, TestContextUpdate) { TestUtility::loadFromYaml(TestEnvironment::substitute(expired_yaml), tls_context); ClientContextConfigImpl cfg(tls_context, factory_context_); Envoy::Ssl::ClientContextSharedPtr context(manager_.createSslClientContext(store_, cfg)); - EXPECT_EQ(manager_.daysUntilFirstCertExpires(), 0U); + EXPECT_EQ(manager_.daysUntilFirstCertExpires(), absl::nullopt); const std::string expiring_yaml = R"EOF( common_tls_context: 
@@ -215,8 +215,8 @@ TEST_F(SslContextImplTest, TestContextUpdate) { // context expiry. auto cert_expiry = TestUtility::parseTime(TEST_UNITTEST_CERT_NOT_AFTER, "%b %d %H:%M:%S %Y GMT"); int64_t days_until_expiry = absl::ToInt64Hours(cert_expiry - absl::Now()) / 24; - EXPECT_EQ(new_context->daysUntilFirstCertExpires(), days_until_expiry); - EXPECT_EQ(manager_.daysUntilFirstCertExpires(), days_until_expiry); + EXPECT_EQ(new_context->daysUntilFirstCertExpires().value(), days_until_expiry); + EXPECT_EQ(manager_.daysUntilFirstCertExpires().value(), days_until_expiry); // Update the context again and validate daysUntilFirstCertExpires still reflects the current // expiry. @@ -224,8 +224,8 @@ TEST_F(SslContextImplTest, TestContextUpdate) { manager_.removeContext(new_context); auto cleanup = cleanUpHelper(updated_context); - EXPECT_EQ(updated_context->daysUntilFirstCertExpires(), 0U); - EXPECT_EQ(manager_.daysUntilFirstCertExpires(), 0U); + EXPECT_EQ(updated_context->daysUntilFirstCertExpires(), absl::nullopt); + EXPECT_EQ(manager_.daysUntilFirstCertExpires(), absl::nullopt); } TEST_F(SslContextImplTest, TestGetCertInformation) { diff --git a/test/extensions/transport_sockets/tls/utility_test.cc b/test/extensions/transport_sockets/tls/utility_test.cc index b01d4a6e1d0fd..406240a7fcde7 100644 --- a/test/extensions/transport_sockets/tls/utility_test.cc +++ b/test/extensions/transport_sockets/tls/utility_test.cc @@ -1,3 +1,4 @@ +#include #include #include 
@@ -122,17 +123,13 @@ TEST(UtilityTest, TestDaysUntilExpiration) { Event::SimulatedTimeSystem time_source; time_source.setSystemTime(std::chrono::system_clock::from_time_t(known_date_time)); - // Get expiration time from the certificate info. - const absl::Time expiration = - TestUtility::parseTime(TEST_SAN_DNS_CERT_NOT_AFTER, "%b %e %H:%M:%S %Y GMT"); - - int days = std::difftime(absl::ToTimeT(expiration), known_date_time) / (60 * 60 * 24); - EXPECT_EQ(days, Utility::getDaysUntilExpiration(cert.get(), time_source)); + EXPECT_EQ(absl::nullopt, Utility::getDaysUntilExpiration(cert.get(), time_source)); } TEST(UtilityTest, TestDaysUntilExpirationWithNull) { Event::SimulatedTimeSystem time_source; - EXPECT_EQ(std::numeric_limits::max(), Utility::getDaysUntilExpiration(nullptr, time_source)); + EXPECT_EQ(std::numeric_limits::max(), + Utility::getDaysUntilExpiration(nullptr, time_source).value()); } TEST(UtilityTest, TestValidFrom) { diff --git a/test/mocks/ssl/mocks.h b/test/mocks/ssl/mocks.h index c518159144501..703a956012c9f 100644 --- a/test/mocks/ssl/mocks.h +++ b/test/mocks/ssl/mocks.h @@ -29,7 +29,7 @@ class MockContextManager : public ContextManager { MOCK_METHOD(ServerContextSharedPtr, createSslServerContext, (Stats::Scope & stats, const ServerContextConfig& config, const std::vector& server_names)); - MOCK_METHOD(size_t, daysUntilFirstCertExpires, (), (const)); + MOCK_METHOD(absl::optional, daysUntilFirstCertExpires, (), (const)); MOCK_METHOD(absl::optional, secondsUntilFirstOcspResponseExpires, (), (const)); MOCK_METHOD(void, iterateContexts, (std::function callback)); MOCK_METHOD(Ssl::PrivateKeyMethodManager&, privateKeyMethodManager, ()); 
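Review bot: `TEST(UtilityTest, TestDaysUntilExpiration)` now asserts only `absl::nullopt`, so after this change no utility-level test checks that `getDaysUntilExpiration` returns the right day count for a certificate that is still valid. I would keep this test for the expired case under a name such as `TestDaysUntilExpirationExpired`. A second test should set the simulated time before the certificate's notAfter and assert the expected number of days, ideally with one case on the final day (`days == 0`, `seconds > 0`), since that boundary is what the new `seconds >= 0` check decides. `known_date_time` and the certificate load are outside the hunk, so I am assuming the fixed date is past the test certificate's expiry.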
@@ -70,7 +70,7 @@ class MockClientContext : public ClientContext { MockClientContext(); ~MockClientContext() override; - MOCK_METHOD(size_t, daysUntilFirstCertExpires, (), (const)); + MOCK_METHOD(absl::optional, daysUntilFirstCertExpires, (), (const)); MOCK_METHOD(absl::optional, secondsUntilFirstOcspResponseExpires, (), (const)); MOCK_METHOD(CertificateDetailsPtr, getCaCertInformation, (), (const)); MOCK_METHOD(std::vector, getCertChainInformation, (), (const)); diff --git a/test/server/ssl_context_manager_test.cc b/test/server/ssl_context_manager_test.cc index f25dba343ded2..34d86ecaeb10d 100644 --- a/test/server/ssl_context_manager_test.cc +++ b/test/server/ssl_context_manager_test.cc @@ -1,3 +1,5 @@ +#include + #include "source/server/ssl_context_manager.h" #include "test/mocks/ssl/mocks.h" @@ -21,7 +23,7 @@ TEST(SslContextManager, createStub) { Ssl::ContextManagerPtr manager = createContextManager("fake_factory_name", time_system); // Check we've created a stub, not real manager. - EXPECT_EQ(manager->daysUntilFirstCertExpires(), std::numeric_limits::max()); + EXPECT_EQ(manager->daysUntilFirstCertExpires().value(), std::numeric_limits::max()); EXPECT_EQ(manager->secondsUntilFirstOcspResponseExpires(), absl::nullopt); EXPECT_THROW_WITH_MESSAGE(manager->createSslClientContext(scope, client_config), EnvoyException, "SSL is not supported in this configuration");