Mario Lombardo
7 years ago
Hi gnutls team,
I’m looking for a way how to use gnutls for a TLS server in combination with Let’s Encrypt. As the validity of those certificates is just a couple of weeks, I would like to replace the current server key by new ones without restarting the server.
The implementation is basically like this:
// create credstore
gnutls_certificate_allocate_credentials(&(ctx->tls_x509_cred));
// load x509 key pair
gtls_returncode = gnutls_certificate_set_x509_key_file(ctx->tls_x509_cred, ctx->config->cert_bundle, ctx->config->key_file, GNUTLS_X509_FMT_PEM);
// install signal handler
signal(SIGUSR1, signal_handler);
Once the signal SIGUSR1 arrives, I would like to re-read x509 stuff.
The only solution I found (yet) is to free the credstore and allocate a new one (then read new keys). This has some downsides, as the server is not working anymore if there is something wrong with the key pair, because I already freed the existing credstore (here ctx->tls_x509_cred). And even this is the only way to proceed…do I need to block any incoming connections in the meantime? How long (in the process of the handshake) is blocking required (in other words: do I need to track if there are existing sockets in the handshake phase or is this safe as long as one handshake try for non-blocking sockets was done)?
Is there any reference code/function to replace a key pair? I had a look into the apache2 module but as it seems, this module does not support a certificate change on reload.
Any hints are welcome.
Thank you.
Mario
I’m looking for a way how to use gnutls for a TLS server in combination with Let’s Encrypt. As the validity of those certificates is just a couple of weeks, I would like to replace the current server key by new ones without restarting the server.
The implementation is basically like this:
// create credstore
gnutls_certificate_allocate_credentials(&(ctx->tls_x509_cred));
// load x509 key pair
gtls_returncode = gnutls_certificate_set_x509_key_file(ctx->tls_x509_cred, ctx->config->cert_bundle, ctx->config->key_file, GNUTLS_X509_FMT_PEM);
// install signal handler
signal(SIGUSR1, signal_handler);
Once the signal SIGUSR1 arrives, I would like to re-read x509 stuff.
The only solution I found (yet) is to free the credstore and allocate a new one (then read new keys). This has some downsides, as the server is not working anymore if there is something wrong with the key pair, because I already freed the existing credstore (here ctx->tls_x509_cred). And even this is the only way to proceed…do I need to block any incoming connections in the meantime? How long (in the process of the handshake) is blocking required (in other words: do I need to track if there are existing sockets in the handshake phase or is this safe as long as one handshake try for non-blocking sockets was done)?
Is there any reference code/function to replace a key pair? I had a look into the apache2 module but as it seems, this module does not support a certificate change on reload.
Any hints are welcome.
Thank you.
Mario