[openssl-users] certificate renewal without restarting processes

Viktor Dukhovni openssl-users at dukhovni.org
Thu May 25 16:14:44 UTC 2017

> On May 25, 2017, at 10:28 AM, Salz, Rich via openssl-users <openssl-users at openssl.org> wrote:
>> It uses SSL_CTX_use_certificate_chain_file in some places and in other places
>> it uses PEM_read_bio_X509
>> When these APIs are used, can the OpenSSL stack detect updated files on
>> disk and reload them without any intervention from the application?
> No, it's a load and use the current contents.
> You can call them multiple times; the old content will be removed and new content reloaded.

I doubt this is safe in multi-threaded applications.  The only way to
do this safely in that situation is to create a new SSL_CTX with the
new certificate chain, and arrange for *new* connections to use the new
context, while existing connections continue to use the old context.

It is possible to call SSL_CTX_free() on the old context even while
it is in use, since the object is reference counted and will be finally
freed by the last thread to release the object.  However, care is required
to avoid a race against new threads starting to still use the old context.
So some sort of memory barrier is needed to ensure that only the new
context is used to start new connections before calling SSL_CTX_free() on
the old.  In practice you need some sort of lock that supports shared and
exclusive access around whatever structure encapsulates the updatable

   worker thread:
	acquire read lock
	use current SSL_CTX to call SSL_new()
	release read lock

   update thread:
	acquire write lock:
	SSL_CTX_free current context
	set new context as current context
	release write lock

