<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">On 8/31/2020 6:29 AM, Karl Denninger
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:ef6c8943-30c3-9b15-6492-651eb6a420e1@denninger.net">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<p>I'm trying to figure out why you want to replace the context in
an *existing* connection that is currently passing data rather
than for new ones.</p>
</blockquote>
<br>
No, not for existing connections, just for new ones using the same
context.<br>
<br>
Note that I'm interested in the client case, not the server case -
in the list of trusted certificates set up with
SSL_CTX_load_verify_locations(). (Though the same issues, and maybe
more, would apply to a server that is verifying client
certificates.)<br>
<br>
The hypothetical application does something like:<br>
<br>
<pre>ctx = set_up_ctx();
forever {
    ...
    connection = new_connection(ctx);
    ...
    close_connection(connection);
    ...
}</pre>
<br>
The application could certainly create the context before making
each connection, but probably doesn't - after all, the whole idea of
contexts is to make one and then use it over and over again.<br>
<br>
It's been a very long time since I last really looked at this[*],
but I believe that I experimentally verified that simply deleting a
certificate from the file system was not enough to make future
connections refuse that certificate. *Adding* a certificate to the
directory works, because there's no negative caching, but *removing*
one doesn't work.<br>
<blockquote>[*] Which tells you that although my purist sense says
that it would be nice to have and would improve correctness,
customers aren't lined up waiting for it.<br>
</blockquote>
<pre class="moz-signature" cols="72">--
Jordan Brown, Oracle ZFS Storage Appliance, Oracle Solaris</pre>
</body>
</html>