Certificate hot-reloading

[blaggacao]

I've spotted those threads on the topic:

• https://www.mail-archive.com/openssl-users@openssl.org/msg79444.html
• https://www.mail-archive.com/openssl-users@openssl.org/msg85740.html
• https://www.mail-archive.com/openssl-users@openssl.org/msg81582.html

SPIFFE — pars pro toto — are software solutions which implement extremely short lived certificates (on the time scale of 5 minutes expiry - by default).

It seems to be a trend in better securing workloads.

Therefore, I'd ask to implement a graceful hot-reload feature directly at the root of internet security leverage: here.

Zeyuan's approach atomically swapping the pointers seemed interesting, but was never heard of again?

Since we partly deal with long running processes downstream, besides of empowering short lived certificates practices, there is an argument to the amount of cache invalidation that are saved.

I haven't calculated the worlds consolidated saving in man hours (implementing "hacks" around cert reloading) and cache warm ups (compute time), but let's just say: it would be huge.

Can I have an official stance, or should I reverberate this back to the mailing list?

---

EDIT: I also posted a motion on the user mailing list. There is additional information there

• https://www.mail-archive.com/openssl-users@openssl.org/msg88596.html

[nhorman]

It seems SSL_CTX_get_cert_store/X509_STORE_up_ref/SSL_CTX_set1_cert_store does what you want.

Marking as inactive, to be closed at the end of 3.4 dev, barring further input