<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 5/18/2016 10:52 AM, Scott Neugroschl
wrote:<br>
</div>
<blockquote
cite="mid:D358E5B1511A314F8160ADC6F3754987343AA030@XYSVEX02.XYPRO-23.LOCAL"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<meta name="Generator" content="Microsoft Word 14 (filtered
medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";
color:black;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I
believe that’s specific to the servers in question. Often
you can “restart” a server by giving it a SIGHUP. I don’t
know if slapd and slurpd will respond in the way you want.</span></p>
</div>
</blockquote>
<br>
I'm thinking more of long-running client applications.<br>
<br>
Because the various software stacks with OpenSSL at their base can
be loaded into any number of client applications, it would be best
if we didn't have to track down all of the consumers and notify them
that they needed to recreate their SSL contexts.<br>
<br>
(Plus there's the difficulty of getting those various consumers,
some of which may be externally-sourced software, to accept such a
request.)<br>
<br>
<blockquote
cite="mid:D358E5B1511A314F8160ADC6F3754987343AA030@XYSVEX02.XYPRO-23.LOCAL"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext">
openssl-users [<a class="moz-txt-link-freetext" href="mailto:openssl-users-bounces@openssl.org">mailto:openssl-users-bounces@openssl.org</a>]
<b>On Behalf Of </b>Jordan Brown<br>
<b>Sent:</b> Wednesday, May 18, 2016 10:44 AM<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:openssl-users@openssl.org">openssl-users@openssl.org</a><br>
<b>Subject:</b> [openssl-users] Reload certificates?<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p>We have OpenSSL consumers (primarily but not exclusively
OpenLDAP). Some of them are long-running processes.<o:p></o:p></p>
<p>We'd like to be able to update the list of trusted
certificates and have the changes take effect, without needing
to restart those long-running processes and preferably without
needing to interact with them in any way.<o:p></o:p></p>
<p>It *looks* like the "file" style of certificate store is
loaded once only, at the time it's specified, and never
reloaded again for the life of a particular SSL context.
Similarly, it looks like in the "directory" style of
certificate store once a particular certificate has been
loaded, it's never unloaded, even if the underlying file is
deleted. It looks like the only way to see changes (and
especially deletions) is to create a new SSL context. In
addition to the difficulty of getting middleware to do that,
it seems like the middleware would need to either watch the
files and directories on its own, or always create new SSL
contexts for new connections, or something else similarly
intrusive.<o:p></o:p></p>
<p>Is there something I'm missing?<o:p></o:p></p>
<p>Would it be reasonable to have OpenSSL watch the metadata on
the file or directory and, on change, discard cached
certificates and, for a file, reload the file?<o:p></o:p></p>
<p>-- <o:p></o:p></p>
<p>Jordan Brown, Oracle Solaris<o:p></o:p></p>
<p><o:p> </o:p></p>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
</blockquote>
<p><br>
</p>
</body>
</html>