Cert hot-reloading
Jordan Brown
openssl at jordan.maileater.net
Mon Aug 31 16:46:32 UTC 2020
On 8/31/2020 6:29 AM, Karl Denninger wrote:
>
> I'm trying to figure out why you want to replace the context in an
> *existing* connection that is currently passing data rather than for
> new ones.
>
No, not for existing connections, just for new ones using the same context.
Note that I'm interested in the client case, not the server case - in
the list of trusted certificates set up with
SSL_CTX_load_verify_locations(). (Though the same issues, and maybe
more, would apply to a server that is verifying client certificates.)
The hypothetical application does something like:
ctx = set_up_ctx();
forever {
    ...
    connection = new_connection(ctx);
    ...
    close_connection(connection);
    ...
}
The application could certainly create the context before making each
connection, but probably doesn't - after all, the whole idea of contexts
is to make one and then use it over and over again.
It's been a very long time since I last really looked at this[*], but I
believe that I experimentally verified that simply deleting a
certificate from the file system was not enough to make future
connections refuse that certificate. *Adding* a certificate to the
directory works, because there's no negative caching, but *removing* one
doesn't work.
[*] Which tells you that although my purist sense says that it would
be nice to have and would improve correctness, customers aren't
lined up waiting for it.
--
Jordan Brown, Oracle ZFS Storage Appliance, Oracle Solaris
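The practical answer to the problem described in this message is to rebuild the context from the trust directory when the directory changes and hand the new one to new connections, rather than mutating the context that live connections hold. The following is an added example, not code from the thread or from OpenSSL; it uses Go's crypto/tls and crypto/x509 (a different TLS stack with its own caching behaviour, so it illustrates the rebuild-and-swap pattern, not OpenSSL's X509_STORE internals). The two CAs, the leaf certificate and the hostname example.test are constructed test data; loadTrustDir, TrustProvider and RunDemo are names invented here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"sync/atomic"
	"time"
)

// loadTrustDir reads every *.pem file in dir into a fresh root pool wrapped in a
// new tls.Config. Nothing is cached between calls, so a CA deleted from disk is
// simply absent from the next config.
func loadTrustDir(dir string) (*tls.Config, error) {
	entries, err := os.ReadDir(dir)
	if err != nil {
		return nil, err
	}
	pool, loaded := x509.NewCertPool(), 0
	for _, e := range entries {
		if e.IsDir() || filepath.Ext(e.Name()) != ".pem" {
			continue
		}
		data, err := os.ReadFile(filepath.Join(dir, e.Name()))
		if err != nil {
			return nil, err
		}
		if pool.AppendCertsFromPEM(data) {
			loaded++
		}
	}
	if loaded == 0 { // fail closed: keep the previous config rather than trust nothing
		return nil, errors.New("no trusted certificates in " + dir)
	}
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}, nil
}

// TrustProvider publishes the current config. New connections call Current(); a
// connection that already captured a pointer keeps its old trust set.
type TrustProvider struct {
	dir string
	cur atomic.Pointer[tls.Config]
}

// Reload rebuilds the config from disk and swaps it in atomically; on error the
// previously published config stays in place.
func (p *TrustProvider) Reload() error {
	cfg, err := loadTrustDir(p.dir)
	if err != nil {
		return err
	}
	p.cur.Store(cfg)
	return nil
}

func (p *TrustProvider) Current() *tls.Config { return p.cur.Load() }

// verifyLeaf performs the path validation a client handshake would do against cfg.
func verifyLeaf(leaf *x509.Certificate, cfg *tls.Config) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: cfg.RootCAs, DNSName: "example.test"})
	return err
}

// newCA builds a throwaway self-signed CA (constructed test data, not a real anchor).
func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), err
}

// signLeaf issues a server certificate for example.test under ca.
func signLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "example.test"},
		DNSNames: []string{"example.test"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// DemoResult records the outcome of each verification in RunDemo.
type DemoResult struct {
	Before, After, Stale error // leaf verification: initial, after CA removal, via the stale config
	EmptyRefused       bool    // Reload on an emptied dir failed and kept the old config
}

// RunDemo writes two constructed CAs into a temp trust dir, verifies a leaf issued
// by the first, deletes that CA, reloads, and checks what old and new configs see.
func RunDemo() (DemoResult, error) {
	var r DemoResult
	dir, err := os.MkdirTemp("", "trust")
	if err != nil {
		return r, err
	}
	defer os.RemoveAll(dir)
	ca1, ca1Key, ca1PEM, err := newCA("Constructed CA 1")
	if err != nil {
		return r, err
	}
	_, _, ca2PEM, err := newCA("Constructed CA 2")
	if err != nil {
		return r, err
	}
	for name, data := range map[string][]byte{"ca1.pem": ca1PEM, "ca2.pem": ca2PEM} {
		if err := os.WriteFile(filepath.Join(dir, name), data, 0o644); err != nil {
			return r, err
		}
	}
	leaf, err := signLeaf(ca1, ca1Key)
	if err != nil {
		return r, err
	}
	p := &TrustProvider{dir: dir}
	if err := p.Reload(); err != nil {
		return r, err
	}
	stale := p.Current() // a long-lived connection captured this config
	r.Before = verifyLeaf(leaf, stale)
	os.Remove(filepath.Join(dir, "ca1.pem")) // operator withdraws trust in CA 1
	if err := p.Reload(); err != nil {
		return r, err
	}
	r.After = verifyLeaf(leaf, p.Current()) // new connection: CA 1 is gone
	r.Stale = verifyLeaf(leaf, stale)       // existing connection: unchanged
	prev := p.Current()
	os.Remove(filepath.Join(dir, "ca2.pem"))
	r.EmptyRefused = p.Reload() != nil && p.Current() == prev
	return r, nil
}

func main() {
	r, err := RunDemo()
	if err != nil {
		fmt.Println("setup failed:", err)
		os.Exit(1)
	}
	fmt.Printf("before removal: %v\nafter reload: %v\nstale config: %v\nempty dir refused: %v\n",
		r.Before, r.After, r.Stale, r.EmptyRefused)
}
```

In a real client the Reload call would be driven by a directory watcher or a SIGHUP handler, and new_connection would call Current() each time instead of holding one context for the life of the process. The empty-directory check is the caveat worth keeping: a reload that produces zero trust anchors should be rejected and the previous config retained, otherwise a half-finished deployment of the trust directory turns into a client that cannot connect to anything.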