[openssl-users] Reload certificates?

Jordan Brown openssl at jordan.maileater.net
Wed May 18 17:58:10 UTC 2016


On 5/18/2016 10:52 AM, Scott Neugroschl wrote:
>
> I believe that’s specific to the servers in question.  Often you can
> “restart” a server by giving it a SIGHUP.  I don’t know if slapd and
> slurpd will respond in the way you want.
>

I'm thinking more of long-running client applications.

Because the various software stacks with OpenSSL at their base can be
loaded into any number of client applications, it would be best if we
didn't have to track down all of the consumers and notify them that they
needed to recreate their SSL contexts.

(Plus there's the difficulty of getting those various consumers, some of
which may be externally-sourced software, to accept such a request.)

>  
>
> *From:* openssl-users [mailto:openssl-users-bounces at openssl.org] *On Behalf Of* Jordan Brown
> *Sent:* Wednesday, May 18, 2016 10:44 AM
> *To:* openssl-users at openssl.org
> *Subject:* [openssl-users] Reload certificates?
>
>  
>
> We have OpenSSL consumers (primarily but not exclusively OpenLDAP). 
> Some of them are long-running processes.
>
> We'd like to be able to update the list of trusted certificates and
> have the changes take effect, without needing to restart those
> long-running processes and preferably without needing to interact with
> them in any way.
>
> It *looks* like the "file" style of certificate store is loaded once
> only, at the time it's specified, and never reloaded again for the
> life of a particular SSL context.  Similarly, it looks like in the
> "directory" style of certificate store once a particular certificate
> has been loaded, it's never unloaded, even if the underlying file is
> deleted.  It looks like the only way to see changes (and especially
> deletions) is to create a new SSL context.  In addition to the
> difficulty of getting middleware to do that, it seems like the
> middleware would need to either watch the files and directories on its
> own, or always create new SSL contexts for new connections, or
> something else similarly intrusive.
>
> Is there something I'm missing?
>
> Would it be reasonable to have OpenSSL watch the metadata on the file
> or directory and, on change, discard cached certificates and, for a
> file, reload the file?
>
> -- 
>
> Jordan Brown, Oracle Solaris
>
>  
>
>
>
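
The client-side workaround the thread describes (middleware watching the CA file and directory metadata itself and handing out a new context when they change), as an added example that is not code from the thread, OpenSSL or OpenLDAP. Python's `ssl` module wraps OpenSSL and, as Jordan observes, loads the trust store once per context, so the only way to pick up edits or deletions is to build a new context; the class and function names below are my own, and the `factory` hook exists so the rebuild step can be swapped out.

```python
import os
import ssl
import threading


def _stat_sig(path):
    """Metadata tuple for one path, or None if it vanished (deletion counts as a change)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    return (st.st_ino, st.st_mtime_ns, st.st_size)


def _snapshot(cafile, capath):
    """Signature of the whole trust store: the CA file plus every entry of the
    hashed CA directory, so additions, edits and deletions all change it."""
    sig = []
    if cafile:
        sig.append((cafile, _stat_sig(cafile)))
    if capath and os.path.isdir(capath):
        for name in sorted(os.listdir(capath)):
            sig.append((name, _stat_sig(os.path.join(capath, name))))
    return tuple(sig)


class ReloadingTrustStore:
    """Hands out an SSLContext and rebuilds it when the CA file or directory
    metadata changes. Callers must ask for a context per connection rather
    than caching one, since an existing context is never purged in place."""

    def __init__(self, cafile=None, capath=None, factory=None):
        self.cafile, self.capath = cafile, capath
        self.factory = factory or self._default_factory   # hypothetical hook
        self._lock = threading.Lock()
        self._sig = None
        self._ctx = None
        self.reloads = 0

    @staticmethod
    def _default_factory(cafile, capath):
        # Real OpenSSL-backed context; the store is read once, here.
        return ssl.create_default_context(cafile=cafile, capath=capath)

    def context(self):
        sig = _snapshot(self.cafile, self.capath)
        with self._lock:
            if self._ctx is None or sig != self._sig:
                self._ctx = self.factory(self.cafile, self.capath)
                self._sig = sig
                self.reloads += 1
            return self._ctx
```

Note that a stat-based check costs a syscall per directory entry on every connection; on large hashed directories, rate-limit the snapshot or move it to a timer thread.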
