On 18/05/2016 20:00, Jordan Brown wrote:
> On 5/18/2016 10:51 AM, Salz, Rich wrote:
>>> Would it be reasonable to have OpenSSL watch the metadata on the file
>>> or directory and, on change, discard cached certificates and, for a
>>> file, reload the file?
>> Unlikely to happen :)
>
> Are you saying that because nobody is interested in doing the
> development work, or because there's some reason why it would be a bad
> idea?
>

I am guessing this is because watching for file system metadata changes
is very OS specific and far outside the small subset of OS functionality
already abstracted by the OS portability layers inside OpenSSL.

Perhaps a simpler solution would be if certificates cached from the
"CApath" mechanism would not be reused beyond a time limit of e.g. 12
hours.

Similarly, for any self-loading mechanism, cached CRLs should be
reloaded at the earlier of e.g. 12 hours and their "Not After" time.

Of course, mechanisms that load all the data (CAs, CRLs etc.) at program
startup cannot do reloads, because that would fail when chroot or other
security mechanisms disable the relevant access permission shortly after
program startup (to prevent a security-compromised process from
accessing / changing data it is not supposed to change during normal
operations).

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
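The reload policy sketched in the message above (reuse a cached CApath certificate for at most a fixed time, reload a cached CRL at the earlier of that limit and its own end-of-validity time, and cope with the case where the files become unreadable after startup), as an added example in Python. This is not code from the thread or from OpenSSL; it assumes a caller-supplied loader callable that reads one CApath entry and reports a CRL's nextUpdate as epoch seconds (a real loader would parse the file, for instance with pyca/cryptography), and the `FakeClock`/`FakeLoader` used in `demo()` are constructed stand-ins so it runs offline.

```python
# Added example, not from the mailing-list thread or from OpenSSL.
# Time-bounded cache of CA certificates and CRLs: no file-system watching,
# just "do not reuse beyond MAX_CACHE_AGE, and not beyond a CRL's own not-after".
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

MAX_CACHE_AGE = 12 * 60 * 60  # 12 hours, the limit suggested in the message

# Assumed loader contract: name -> (raw bytes, not_after epoch seconds or None).
# A CA certificate has no reload deadline of its own, so its not_after is None.
Loader = Callable[[str], Tuple[bytes, Optional[float]]]


@dataclass
class CachedEntry:
    data: bytes
    loaded_at: float
    not_after: Optional[float]


class TimeBoundedStore:
    def __init__(self, loader: Loader, clock: Callable[[], float] = time.time,
                 max_age: float = MAX_CACHE_AGE) -> None:
        self._loader = loader
        self._clock = clock
        self._max_age = max_age
        self._cache: Dict[str, CachedEntry] = {}

    def reload_deadline(self, entry: CachedEntry) -> float:
        """Earlier of 'loaded max_age ago' and the entry's own not-after time."""
        deadline = entry.loaded_at + self._max_age
        if entry.not_after is not None:
            deadline = min(deadline, entry.not_after)
        return deadline

    def get(self, name: str) -> bytes:
        now = self._clock()
        entry = self._cache.get(name)
        if entry is not None and now < self.reload_deadline(entry):
            return entry.data
        try:
            data, not_after = self._loader(name)
        except OSError:
            # Reload failed, e.g. a chroot or privilege drop after startup made
            # the directory unreadable. An entry that is merely older than
            # max_age is still usable; one past its own not-after time is not.
            if entry is not None and (entry.not_after is None or now < entry.not_after):
                return entry.data
            raise
        self._cache[name] = CachedEntry(data, now, not_after)
        return data


class FakeClock:
    """Constructed clock so the example runs without waiting 12 hours."""
    def __init__(self, start: float) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class FakeLoader:
    """Constructed stand-in for reading CApath files; counts real reloads."""
    def __init__(self, clock: FakeClock, crl_validity: Dict[str, float]) -> None:
        self.clock = clock
        self.crl_validity = crl_validity  # name -> seconds until nextUpdate
        self.calls = 0
        self.fail = False                 # simulate EACCES after chroot

    def __call__(self, name: str) -> Tuple[bytes, Optional[float]]:
        if self.fail:
            raise PermissionError(name)
        self.calls += 1
        validity = self.crl_validity.get(name)
        not_after = None if validity is None else self.clock.now + validity
        return (f"{name}@{self.calls}".encode(), not_after)


def demo() -> Dict[str, object]:
    clock = FakeClock(start=1000.0)
    loader = FakeLoader(clock, {"crl.r0": 2 * 3600})  # CRL valid for 2 hours
    store = TimeBoundedStore(loader, clock=clock)
    out: Dict[str, object] = {}
    out["ca_first"] = store.get("ca.0")             # loads
    clock.advance(3600)
    out["ca_1h"] = store.get("ca.0")                # reused from cache
    out["crl_first"] = store.get("crl.r0")          # loads, valid 2h
    clock.advance(2.5 * 3600)
    out["crl_3h"] = store.get("crl.r0")             # past not-after: reloaded
    out["ca_3h"] = store.get("ca.0")                # still within 12h: cached
    clock.advance(9.5 * 3600)
    out["ca_13h"] = store.get("ca.0")               # older than 12h: reloaded
    out["crl_13h"] = store.get("crl.r0")            # past not-after: reloaded
    loader.fail = True                              # directory now unreadable
    clock.advance(13 * 3600)
    out["ca_stale"] = store.get("ca.0")             # old but not expired: kept
    try:
        store.get("crl.r0")                         # expired CRL, no reload
        out["crl_expired_error"] = False
    except PermissionError:
        out["crl_expired_error"] = True
    out["calls"] = loader.calls
    return out


if __name__ == "__main__":
    print(demo())
```

The one design decision worth stating is the failure branch: when the reload itself fails, a certificate that is simply older than the limit is still served, because nothing about it has become invalid, but a CRL whose own nextUpdate has passed is not, since serving it would silently turn the reload limit back into "never refresh".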