Re: Cert hot-reloading

On 8/31/2020 6:29 AM, Karl Denninger wrote:

> I'm trying to figure out why you want to replace the context in an *existing* connection that is currently passing data rather than for new ones.


No, not for existing connections, just for new ones using the same context.

Note that I'm interested in the client case, not the server case - in the list of trusted certificates set up with SSL_CTX_load_verify_locations().  (Though the same issues, and maybe more, would apply to a server that is verifying client certificates.)

The hypothetical application does something like:

ctx = set_up_ctx();
forever {
    ...
    connection = new_connection(ctx);
    ...
    close_connection(connection)
    ...
}

The application could certainly create the context before making each connection, but probably doesn't - after all, the whole idea of contexts is to make one and then use it over and over again.

It's been a very long time since I last really looked at this[*], but I believe that I experimentally verified that simply deleting a certificate from the file system was not enough to make future connections refuse that certificate.  *Adding* a certificate to the directory works, because there's no negative caching, but *removing* one doesn't work.
[*] Which tells you that although my purist sense says that it would be nice to have and would improve correctness, customers aren't lined up waiting for it.
-- 
Jordan Brown, Oracle ZFS Storage Appliance, Oracle Solaris
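The loop described in the post, as an added example that is not code from this thread or from OpenSSL itself, written against Python's ssl module rather than the C API. It takes the observation above at face value: OpenSSL's by-directory lookup caches every certificate it has loaded into the X509_STORE and never evicts one, so deleting a file is invisible to an SSL_CTX that has already seen it, while a newly added hash-suffixed file is found because each lookup probes for the next suffix. Rather than trying to mutate the shared context, the CA directory is fingerprinted and a fresh context is built whenever it changes; only connections created afterwards use it, and a connection already in flight keeps the object it started with. The names ReloadingTrustStore, fingerprint_ca_dir and build_context are my own, and the CA file written in demo_add_then_remove is a constructed placeholder, not a real certificate.

```python
"""Trust-store hot-reload for new connections only (added example).

One long-lived context is reused across many connections, as in the
post.  Instead of mutating it, the CA directory is fingerprinted and a
*new* context is built whenever the fingerprint changes.  Connections
created after that point see the new trust set; connections already
open keep the object they were created with.
"""
import hashlib
import os
import ssl
import tempfile
import threading


def fingerprint_ca_dir(capath: str) -> str:
    """Hash the name and content of every regular file under capath
    (symlinks are followed, since c_rehash-style directories use them).
    Hashing content rather than mtimes means a replaced, added or removed
    certificate all change the result."""
    h = hashlib.sha256()
    for entry in sorted(os.scandir(capath), key=lambda e: e.name):
        if not entry.is_file():
            continue
        with open(entry.path, "rb") as f:
            content = hashlib.sha256(f.read()).digest()
        h.update(entry.name.encode("utf-8") + b"\0" + content)
    return h.hexdigest()


def build_context(capath: str) -> ssl.SSLContext:
    """Equivalent of SSL_CTX_new() + SSL_CTX_load_verify_locations(NULL, capath)
    for a verifying client.  OpenSSL only records the directory here; files
    are read lazily at lookup time, which is where the caching happens."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.load_verify_locations(capath=capath)
    return ctx


class ReloadingTrustStore:
    """Hands out the context a *new* connection should use.  current()
    rebuilds the context when the CA directory has changed since the last
    call; callers keep whatever object they were given for the life of
    that connection, so in-flight connections are never touched."""

    def __init__(self, capath, builder=build_context):
        self.capath = capath
        self._builder = builder
        self._lock = threading.Lock()
        self._fingerprint = fingerprint_ca_dir(capath)
        self._ctx = builder(capath)
        self.reloads = 0

    def current(self):
        with self._lock:
            fp = fingerprint_ca_dir(self.capath)
            if fp != self._fingerprint:
                self._ctx = self._builder(self.capath)  # fresh snapshot
                self._fingerprint = fp
                self.reloads += 1
            return self._ctx


def demo_add_then_remove():
    """Constructed scenario: add one CA file, then delete it again.
    Returns (reloaded_on_add, reloaded_on_remove, stable_when_unchanged,
    strict_verify) so the behaviour can be checked without a network."""
    with tempfile.TemporaryDirectory() as capath:
        strict_verify = build_context(capath).verify_mode == ssl.CERT_REQUIRED
        # The builder below returns a fresh sentinel instead of a real context
        # so the scenario does not depend on valid PEM data being on disk.
        store = ReloadingTrustStore(capath, builder=lambda p: object())
        first = store.current()
        ca_file = os.path.join(capath, "9d8e5f4a.0")  # hash-dir style name, constructed
        with open(ca_file, "wb") as f:
            f.write(b"-----BEGIN CERTIFICATE-----\nconstructed placeholder\n"
                    b"-----END CERTIFICATE-----\n")
        after_add = store.current()      # directory changed: new context
        os.remove(ca_file)
        after_remove = store.current()   # removal also changes it, unlike OpenSSL's cache
        unchanged = store.current()      # nothing changed: same object again
        return (after_add is not first,
                after_remove is not after_add,
                unchanged is after_remove,
                strict_verify)
```

In the loop from the post this becomes `connection = new_connection(store.current())`: every connection asks for the current snapshot when it is created and never looks again. Fingerprinting re-reads the directory on each call, which is cheap for a handful of CA files; for a large store, poll on a timer or from an inotify/fsevents callback instead and keep `current()` lock-free on the common path.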
