Cert hot-reloading

Jordan Brown openssl at jordan.maileater.net
Mon Aug 31 16:46:32 UTC 2020

On 8/31/2020 6:29 AM, Karl Denninger wrote:
> I'm trying to figure out why you want to replace the context in an
> *existing* connection that is currently passing data rather than for
> new ones.

No, not for existing connections, just for new ones using the same context.

Note that I'm interested in the client case, not the server case - in
the list of trusted certificates set up with
SSL_CTX_load_verify_locations().  (Though the same issues, and maybe
more, would apply to a server that is verifying client certificates.)

The hypothetical application does something like:

ctx = set_up_ctx();                    /* one SSL_CTX, trust store loaded via SSL_CTX_load_verify_locations() */
forever {
    connection = new_connection(ctx);  /* every new connection reuses the same context */
}

The application could certainly create the context before making each
connection, but probably doesn't - after all, the whole idea of contexts
is to make one and then use it over and over again.

It's been a very long time since I last really looked at this[*], but I
believe that I experimentally verified that simply deleting a
certificate from the file system was not enough to make future
connections refuse that certificate.  *Adding* a certificate to the
directory works, because there's no negative caching, but *removing* one
doesn't work.

    [*] Which tells you that although my purist sense says that it would
    be nice to have and would improve correctness, customers aren't
    lined up waiting for it.

Jordan Brown, Oracle ZFS Storage Appliance, Oracle Solaris
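The rebuild-on-change approach the post hints at (create a fresh context when the trust store changes, rather than expecting a long-lived one to forget a removed CA), as an added example that is not from this thread or from OpenSSL itself. It uses Python's ssl module, whose load_verify_locations(capath=...) calls SSL_CTX_load_verify_locations(); TrustStoreContext and demo() are names chosen here, and the cert file in demo() is a constructed placeholder.

```python
import os
import ssl
import tempfile
import time


class TrustStoreContext:
    """Reusable SSLContext (SSL_CTX) rebuilt whenever the CA directory
    changes, so a CA removed from disk is no longer trusted by *new*
    connections.  Hypothetical helper, not an OpenSSL API."""

    def __init__(self, capath, poll_interval=5.0):
        self.capath = capath
        self.poll_interval = poll_interval
        self._ctx = None
        self._stamp = None               # directory snapshot last loaded
        self._checked = float("-inf")    # monotonic time of last stat()
        self.rebuilds = 0

    def _snapshot(self):
        # (name, mtime) of every entry: catches files added, removed or
        # rewritten in place.  Listing a directory is far cheaper than
        # building a new SSL_CTX, so polling every few seconds is fine.
        entries = []
        for name in os.listdir(self.capath):
            try:
                entries.append((name, os.stat(os.path.join(self.capath, name)).st_mtime_ns))
            except FileNotFoundError:    # removed between listdir and stat
                pass
        return tuple(sorted(entries))

    def get(self):
        """Context to hand to the next connection (existing ones keep theirs)."""
        now = time.monotonic()
        if self._ctx is None or now - self._checked >= self.poll_interval:
            self._checked = now
            stamp = self._snapshot()
            if stamp != self._stamp:
                ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # verification on, empty store
                ctx.load_verify_locations(capath=self.capath)   # SSL_CTX_load_verify_locations()
                self._ctx, self._stamp = ctx, stamp
                self.rebuilds += 1
        return self._ctx


def demo():
    """Add, then remove, a constructed cert file and report whether each
    change yielded a fresh context: (reused, new_after_add, new_after_remove, rebuilds)."""
    with tempfile.TemporaryDirectory() as d:
        store = TrustStoreContext(d, poll_interval=0)
        first = store.get()
        reused = store.get() is first
        fake = os.path.join(d, "deadbeef.0")   # hash-dir style name, constructed
        open(fake, "w").close()
        after_add = store.get()
        os.remove(fake)
        after_remove = store.get()
        return (reused, after_add is not first, after_remove is not after_add, store.rebuilds)
```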
