> On May 25, 2017, at 10:28 AM, Salz, Rich via openssl-users <openssl-users@xxxxxxxxxxx> wrote:
>
>> It uses SSL_CTX_use_certificate_chain_file in some places and in other places
>> it uses PEM_read_bio_X509
>>
>> When these APIs are used, can the OpenSSL stack detect updated files on
>> disk and reload them without any intervention from the application?
>
> No, it's a load and use the current contents.
>
> You can call them multiple times; the old content will be removed and new content reloaded.

I doubt this is safe in multi-threaded applications. The only way to do this safely in that situation is to create a new SSL_CTX with the new certificate chain, and arrange for *new* connections to use the new context, while existing connections continue to use the old context.

It is possible to call SSL_CTX_free() on the old context even while it is in use, since the object is reference counted and will be finally freed by the last thread to release the object. However, care is required to avoid a race against new threads starting to still use the old context. So some sort of memory barrier is needed to ensure that only the new context is used to start new connections before calling SSL_CTX_free() on the old.

In practice you need some sort of lock that supports shared and exclusive access around whatever structure encapsulates the updatable SSL_CTX:

    worker thread:
        acquire read lock
        use current SSL_CTX to call SSL_new()
        release read lock

    update thread:
        acquire write lock
        SSL_CTX_free current context
        set new context as current context
        release write lock

--
	Viktor.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users