Cert hot-reloading

Jordan Brown openssl at jordan.maileater.net
Mon Aug 31 16:30:41 UTC 2020


On 8/30/2020 7:24 PM, David Arnold wrote:
> Hot-plugging the pointer seems to force atomicity considerations
> down-stream, which might be educationally a good thing for openssl to
> press for. It also addresses Jordan's use case, for however application
> specific it might be. For compat reasons, a "legacy" mode which creates
> a new context for *new* connections might be the necessary "bridge"
> into that transformation.

I haven't particularly thought about the implementation; that seemed
like Just Work.  There might need to be reference counts on the
structures involved so that they can be safely "freed" while they are in
active use by another thread.  Simply swapping out a pointer isn't going
to be enough because you can't know whether another thread already
picked up a copy of that pointer and so you can't know when you can free
the old structure.  As I think about it more, there might be a challenge
fitting such a mechanism into the existing functions.

-- 
Jordan Brown, Oracle ZFS Storage Appliance, Oracle Solaris
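
The reference-counting point in the message above, as an added C sketch that is not part of the original post and not OpenSSL code: `struct cert_ctx`, `ctx_acquire`, `ctx_swap` and the other names are hypothetical stand-ins for a reloadable certificate context. It assumes a single mutex guards both the published pointer and the counts, so that reading the pointer and taking a reference happen as one step.

```c
#include <pthread.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a TLS context holding a cert/key pair. */
struct cert_ctx {
    int refs;        /* protected by slot_lock */
    char label[32];  /* constructed sample data */
};

static pthread_mutex_t slot_lock = PTHREAD_MUTEX_INITIALIZER;
static struct cert_ctx *current;  /* the pointer that gets hot-swapped */
static int freed_count;           /* instrumentation for this example */

static struct cert_ctx *ctx_new(const char *label) {
    struct cert_ctx *c = calloc(1, sizeof *c);
    if (c == NULL) return NULL;
    c->refs = 1;  /* reference owned by the creator */
    strncpy(c->label, label, sizeof c->label - 1);
    return c;
}

/* Drop one reference; free only when the last holder lets go. */
static void ctx_release(struct cert_ctx *c) {
    if (c == NULL) return;
    pthread_mutex_lock(&slot_lock);
    int last = (--c->refs == 0);
    if (last) freed_count++;
    pthread_mutex_unlock(&slot_lock);
    if (last) free(c);
}

/* Load the pointer and take a reference in one critical section, so a
   concurrent swap cannot free the object between the two steps. */
static struct cert_ctx *ctx_acquire(void) {
    pthread_mutex_lock(&slot_lock);
    struct cert_ctx *c = current;
    if (c != NULL) c->refs++;
    pthread_mutex_unlock(&slot_lock);
    return c;
}

/* Publish a reloaded context (NULL unpublishes). The slot takes over
   the caller's reference and gives up its reference to the old one. */
static void ctx_swap(struct cert_ctx *fresh) {
    pthread_mutex_lock(&slot_lock);
    struct cert_ctx *old = current;
    current = fresh;
    pthread_mutex_unlock(&slot_lock);
    ctx_release(old);
}
```

A connection that called `ctx_acquire()` before a reload keeps a valid old context until its own `ctx_release()`, while connections that start after `ctx_swap()` see the new one.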
