Change setting SSL_CERT_FILE to an empty file in /var/runtime (#1663)

normj · web-flow · commit 27f585a387de · 2024-01-26T12:39:13.000-08:00
diff --git a/LambdaRuntimeDockerfiles/Images/net8/amd64/Dockerfile b/LambdaRuntimeDockerfiles/Images/net8/amd64/Dockerfile
@@ -43,6 +43,7 @@ RUN apt-get update && apt-get install -y dos2unix
 RUN dos2unix /app/publish/bootstrap-al2023.sh && \
     mv /app/publish/bootstrap-al2023.sh /app/publish/bootstrap && \
     chmod +x /app/publish/bootstrap
+RUN touch /app/publish/empty-certificates.crt
 
 
 FROM base
diff --git a/LambdaRuntimeDockerfiles/Images/net8/arm64/Dockerfile b/LambdaRuntimeDockerfiles/Images/net8/arm64/Dockerfile
@@ -43,6 +43,7 @@ RUN apt-get update && apt-get install -y dos2unix
 RUN dos2unix /app/publish/bootstrap-al2023.sh && \
     mv /app/publish/bootstrap-al2023.sh /app/publish/bootstrap && \
     chmod +x /app/publish/bootstrap
+RUN touch /app/publish/empty-certificates.crt
 
 
 FROM base
diff --git a/Libraries/src/Amazon.Lambda.RuntimeSupport/bootstrap-al2023.sh b/Libraries/src/Amazon.Lambda.RuntimeSupport/bootstrap-al2023.sh
@@ -5,10 +5,10 @@
 # certs in the default cert directory which can be overriden by the SSL_CERT_DIR env var. On AL2023
 # The default cert bundle file, via symbolic links, resolves to being in a file under the default cert directory.
 # This means the default cert bundle file is double loaded causing a cold start performance hit. This logic
-# sets the SSL_CERT_FILE to a noop file if SSL_CERT_FILE hasn't been explicitly
+# sets the SSL_CERT_FILE to an empty file if SSL_CERT_FILE hasn't been explicitly
 # set. This avoid the double load of the default cert bundle file.
 if [ -z "${SSL_CERT_FILE}"]; then
-  export SSL_CERT_FILE="/tmp/noop"
+  export SSL_CERT_FILE="/var/runtime/empty-certificates.crt"
 fi
 
 # This script is used to locate 2 files in the /var/task folder, where the end-user assembly is located
