upstream: github.com/mirage/ca-certs
Sync from checkouts
+13
-1
+13
-1
lib/ca_certs.ml
+13
-1
lib/ca_certs.ml
···
171
171
Log.warn (fun m -> m "Ignored %u trust anchors." err_count);
172
172
tas
173
173
174
+
(* Domain-safe module-level cache for trust anchors to avoid repeated shell commands *)
175
+
let cached_trust_anchors : string option Atomic.t = Atomic.make None
176
+
177
+
let trust_anchors_cached () =
178
+
match Atomic.get cached_trust_anchors with
179
+
| Some data -> Ok data
180
+
| None ->
181
+
let* data = trust_anchors () in
182
+
(* CAS to avoid races - if another domain populated it, use theirs *)
183
+
ignore (Atomic.compare_and_set cached_trust_anchors None (Some data));
184
+
Ok data
185
+
174
186
let authenticator ?crls ?allowed_hashes () =
175
-
let* data = trust_anchors () in
187
+
let* data = trust_anchors_cached () in
176
188
match decode_pem_multiple data with
177
189
| [] -> Error (`Msg ("ca-certs: empty trust anchors.\n" ^ issue))
178
190
| cas ->