[openssl-users] Reload certificates?

Jakob Bohm jb-openssl at wisemo.com
Wed May 18 18:25:20 UTC 2016

On 18/05/2016 20:00, Jordan Brown wrote:
> On 5/18/2016 10:51 AM, Salz, Rich wrote:
>>> Would it be reasonable to have OpenSSL watch the metadata on the file or directory and, on change, discard cached certificates and, for a file, reload the file?
>> Unlikely to happen :)
> Are you saying that because nobody is interested in doing the 
> development work, or because there's some reason why it would be a bad 
> idea?
I am guessing this is because watching for file system
metadata changes is very OS specific and far outside the
small subset of OS functionality already abstracted by
the OS portability layers inside OpenSSL.

Perhaps a simpler solution would be if certificates
cached from the "CApath" mechanism would not be reused
beyond a time limit of e.g. 12 hours.

Similarly, for any self-loading mechanism, cached CRLs
should be reloaded at the earlier of e.g. 12 hours and
their "Not After" time.

Of cause mechanisms that load all the data (CAs, CRLs
etc.) at program startup cannot do reloads because that
would fail when chroot or other security mechanisms
disable the relevant access permission shortly after
program startup (to prevent a security-compromised
process from accessing / changing data it is not
supposed to change during normal operations).


Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

More information about the openssl-users mailing list