Re: certificate renewal without restarting processes

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



> On May 25, 2017, at 10:28 AM, Salz, Rich via openssl-users <openssl-users@xxxxxxxxxxx> wrote:
> 
>> It uses SSL_CTX_use_certificate_chain_file in some places and in other places
>> it uses PEM_read_bio_X509
>> 
>> When these APIs are used, can the OpenSSL stack detect updated files on
>> disk and reload them without any intervention from the application?
> 
> No, it's a load and use the current contents.
> 
> You can call them multiple times; the old content will be removed and new content reloaded.

I doubt this is safe in multi-threaded applications.  The only way to
do this safely in that situation is to create a new SSL_CTX with the
new certificate chain, and arrange for *new* connections to use the new
context, while existing connections continue to use the old context.

It is possible to call SSL_CTX_free() on the old context even while
it is in use, since the object is reference counted and will be finally
freed by the last thread to release the object.  However, care is required
to avoid a race against new threads starting to still use the old context.
So some sort of memory barrier is needed to ensure that the only the new
context is used to start new connections before calling SSL_CTX_free() on
the old.  In practice you need some sort of lock that supports shared and
exclusive access around whatever structure encapsulates the updatable
SSL_CTX:

   worker thread:
	acquire read lock
	use current SSL_CTX to call SSL_new()
	release read lock

   update thread:
	acquire write lock:
	SSL_CTX_free current context
	set new context as current context
	release write lock

-- 
	Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux