Reload certificates?

We have OpenSSL consumers (primarily but not exclusively OpenLDAP). 
Some of them are long-running processes.

We'd like to be able to update the list of trusted certificates and have
the changes take effect, without needing to restart those long-running
processes and preferably without needing to interact with them in any way.

It *looks* like the "file" style of certificate store is loaded once
only, at the time it's specified, and never reloaded again for the life
of a particular SSL context.  Similarly, it looks like in the
"directory" style of certificate store once a particular certificate has
been loaded, it's never unloaded, even if the underlying file is
deleted.  It looks like the only way to see changes (and especially
deletions) is to create a new SSL context.  In addition to the
difficulty of getting middleware to do that, it seems like the
middleware would need to either watch the files and directories on its
own, or always create new SSL contexts for new connections, or something
else similarly intrusive.

Is there something I'm missing?

Would it be reasonable to have OpenSSL watch the metadata on the file or
directory and, on change, discard cached certificates and, for a file,
reload the file?

-- 

Jordan Brown, Oracle Solaris


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160518/1e449f4d/attachment-0001.html>
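As an added example (not code from the original post, from OpenSSL or from OpenLDAP), the following sketches the workaround the post describes as "intrusive": the middleware watches the trust-store metadata itself and hands each new connection a freshly built context when anything changed. Python's ssl module is OpenSSL underneath, so its SSLContext shows the same load-once behaviour: load_verify_locations() copies the certificates into the context and never re-reads the file or directory. The names ReloadingTrustStore, trust_store_signature and build_context are this example's own, not an OpenSSL API.

```python
import os
import ssl
import sys
from typing import Callable, Optional, Tuple

# Added illustration (hypothetical names, not OpenSSL or OpenLDAP code):
# detect trust-store changes by metadata and rebuild the SSLContext.


def _stat_sig(path: str):
    """Metadata tuple for one path; 'missing' also covers a dangling
    hash symlink in a capath directory."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "missing"
    return (st.st_ino, st.st_size, st.st_mtime_ns)


def trust_store_signature(cafile: Optional[str], capath: Optional[str]) -> Tuple:
    """Snapshot of the trust store's metadata.  Any difference means the
    certificates cached in the current context may be stale."""
    sig = []
    if cafile is not None:
        sig.append(_stat_sig(cafile))
    if capath is not None:
        entries = []
        try:
            with os.scandir(capath) as it:
                for entry in it:
                    # os.stat follows the hash symlink, so an in-place
                    # rewrite of the target certificate is noticed too.
                    entries.append((entry.name, _stat_sig(entry.path)))
        except FileNotFoundError:
            entries.append("missing")
        # A deleted file simply vanishes from this list; that is how the
        # deletions OpenSSL's own cache never sees are picked up.
        sig.append(tuple(sorted(entries, key=str)))
    return tuple(sig)


def build_context(cafile: Optional[str], capath: Optional[str]) -> ssl.SSLContext:
    """Default builder: a verifying client context that trusts only the
    given store (no system default CAs are loaded)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=cafile, capath=capath)
    return ctx


class ReloadingTrustStore:
    """Hands out an SSLContext that tracks the trust store on disk.

    Call context() once per new connection: it stats the store (cheap)
    and rebuilds only when the metadata changed.  Connections already
    open keep the context they were created with; the old context never
    re-reads its files, we just stop handing it out.
    """

    def __init__(self, cafile=None, capath=None, build: Callable = build_context):
        if cafile is None and capath is None:
            raise ValueError("need cafile and/or capath")
        self.cafile, self.capath, self._build = cafile, capath, build
        self._sig = None
        self._ctx = None
        self.reloads = 0

    def context(self):
        sig = trust_store_signature(self.cafile, self.capath)
        if self._ctx is not None and sig == self._sig:
            return self._ctx
        try:
            ctx = self._build(self.cafile, self.capath)
        except ssl.SSLError:
            # Half-written or temporarily invalid store: keep serving the
            # last good context instead of an empty one.  _sig is left
            # unchanged, so the next call retries the build.
            if self._ctx is None:
                raise
            return self._ctx
        self._ctx, self._sig = ctx, sig
        self.reloads += 1
        return ctx


if __name__ == "__main__":
    # Usage: python reload_trust.py /path/to/ca.pem [/path/to/hashed/dir]
    store = ReloadingTrustStore(cafile=sys.argv[1],
                                capath=sys.argv[2] if len(sys.argv) > 2 else None)
    store.context()
    print("trust store loaded; reloads so far:", store.reloads)
```

The check is metadata only, as the post proposes: a rewrite that keeps the same inode, size and mtime would be missed, and a change is only seen by connections created after it, so this does not revoke trust from sessions already established.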

