crypto/x509: add ability to reload root certificates #41888

Open
dtoubelis opened this issue Oct 9, 2020 · 2 comments
@dtoubelis dtoubelis commented Oct 9, 2020

Problem description:

As can be seen on this line, root certificates are loaded only once during the lifetime of the application:

once.Do(initSystemRoots)

This creates a problem when new root certificates are added. In our case, it happens on a regular basis when clients add intermediate/root certificates to the system via a separate component and then all other components that run in separate processes are expected to make use of them. This is currently not possible.

Workaround:

We have currently re-implemented the root certificate loading logic by cutting and pasting the code from this library into our codebase, and we create our own certPool() for every request that requires the CA chain refresh.

Proposed solutions:

  1. Add a ReloadRootCertificates() call and call it as needed - backward compatible but still a source of gotchas.
  2. Do not use the global state and singleton, and parse the certificate chain on each request - may have an unexpected performance impact.
  3. Make the method for creating the root certificate pool public.
  4. Add a root certificate cache expiry timeout that can go all the way to 0, triggering a cert chain reload on each request.
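The workaround and proposals 3 and 4 above both come down to building the root pool yourself and deciding when to rebuild it. The program below is an added example written for this page; it is not code from Go's crypto/x509 nor the reporter's own. It defines a hypothetical RootPoolCache that rebuilds an x509.CertPool from a directory of PEM files once a TTL has expired (TTL 0 reloads on every call, proposal 4's "all the way to 0"), exposes the pool-building step as a public function (proposal 3), and constructs an in-memory CA and leaf so it runs offline. The directory layout, the type and function names, and the MkCert fixture helper are all assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"sync"
	"time"
)

// RootPoolCache (hypothetical type) rebuilds an x509.CertPool from Dir once the cached pool is older than TTL; TTL 0 reloads on every call.
type RootPoolCache struct {
	Dir    string
	TTL    time.Duration
	mu     sync.Mutex
	pool   *x509.CertPool
	loaded time.Time
}

// Pool returns the cached pool, or a freshly loaded one once the cache has expired.
func (c *RootPoolCache) Pool() (*x509.CertPool, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if c.pool != nil && c.TTL > 0 && time.Since(c.loaded) < c.TTL {
		return c.pool, nil
	}
	p, err := LoadPoolFromDir(c.Dir)
	if err != nil {
		return nil, err // fail closed: no pool rather than a stale or empty one
	}
	c.pool, c.loaded = p, time.Now()
	return p, nil
}

// LoadPoolFromDir parses every .pem/.crt file in dir into a new CertPool (the public pool builder of proposal 3).
func LoadPoolFromDir(dir string) (*x509.CertPool, error) {
	entries, err := os.ReadDir(dir)
	if err != nil {
		return nil, err
	}
	pool, n := x509.NewCertPool(), 0
	for _, e := range entries {
		if ext := filepath.Ext(e.Name()); e.IsDir() || (ext != ".pem" && ext != ".crt") {
			continue
		}
		data, err := os.ReadFile(filepath.Join(dir, e.Name()))
		if err != nil {
			return nil, err
		}
		if pool.AppendCertsFromPEM(data) {
			n++
		}
	}
	if n == 0 {
		return nil, fmt.Errorf("no PEM certificates found in %s", dir)
	}
	return pool, nil
}

// MkCert builds a throwaway certificate for cn (constructed test fixture): a self-signed CA when parent is nil, otherwise a server leaf issued by parent.
func MkCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	signer := parentKey
	if parent == nil {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, signer = t, key
	} else {
		t.DNSNames, t.ExtKeyUsage = []string{cn}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), err
}

func main() {
	dir, _ := os.MkdirTemp("", "roots")
	ca, key, caPEM, _ := MkCert("Example Root", nil, nil)
	leaf, _, _, _ := MkCert("svc.example", ca, key)
	os.WriteFile(filepath.Join(dir, "example-root.pem"), caPEM, 0o644) // another component installs a root
	pool, err := (&RootPoolCache{Dir: dir}).Pool()                     // TTL 0: rebuilt on every call
	_, err = leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: "svc.example"})
	fmt.Println("leaf verifies against freshly loaded roots:", err == nil)
}
```

To wire this into TLS, hand the pool returned by Pool() to a tls.Config built per connection (RootCAs on the client side, or ClientCAs returned from tls.Config.GetConfigForClient on the server side, which runs once per handshake); a tls.Config must not be mutated after it has been used. Two failure modes are deliberate: an unreadable or empty directory fails closed instead of silently producing an empty pool that rejects everything with "unknown authority", and a non-zero TTL means a root installed by another process stays untrusted until the cache expires, which is exactly the gotcha the reporter warns about.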

@dtoubelis dtoubelis commented Oct 9, 2020

Related to #35887

@ALTree ALTree changed the title Need an ability to reload root certificates crypto/x509: add ability to reload root certificates Oct 12, 2020
@ALTree ALTree commented Oct 12, 2020
