(PUP-894) Accept CRLs that were "recently" updated
Previously, the agent would reject an SSL connection if the CRL it
downloaded from the CA had a last_update time that was slightly in the
future. The agent reports this as "CRL is not yet valid." This issue can
happen when the CA's time is slightly ahead of the agent's time, the CRL
is recently updated, and the agent doesn't already have a cached version
of the CRL (due to PUP-2103).
The CRL not yet valid error sometimes happens during acceptance testing
when we delete the agent's ssl directory, revoke a cert on the master
(which updates the CRL's last_update field), and run the agent (which
downloads the latest CRL).
This commit modifies the verify callback to ignore CRL not yet valid
errors provided all of the following are true:
- current_crl is not nil
- current_crl.last_update is not nil
- current_crl.last_update is strictly less than 5 minutes from now
It also adds specs around unspecified behavior, e.g. ensure the verify
callback returns false when errors are detected.