Labels: FeatureRequest, NeedsDecision, Proposal-Crypto
Description
Problem description:
As can be seen on this line, root certificates are loaded only once during the lifetime of the application (Line 16 in 9e5b136):

    once.Do(initSystemRoots)
This creates a problem when new root certificates are added. In our case, it happens on a regular basis when clients add intermediate/root certificates to the system via a separate component and then all other components that run in separate processes are expected to make use of them. This is currently not possible.
Workaround:
We have currently re-implemented the root certificate loading logic by cutting and pasting the code from this library into our codebase, and we create our own certPool() for every request that requires the CA chain refresh.
Proposed solutions:
- Add a ReloadRootCertificates() call and call it as needed - backward compatible, but still a source of gotchas.
- Do not use the global state and singleton, and parse the certificate chain on each request - may have an unexpected performance impact.
- Make the method for creating the root certificate pool public.
- Add a root certificate cache expiry timeout that can go all the way to 0, triggering a cert chain reload on each request.