Geal changed the title from "replacing a certificat cannot work correctly" to "replacing a certificate cannot work correctly" on Dec 29, 2017.
Certificates and their related information are stored in two parts:

- fingerprint -> certificate (and other info): https://github.com/sozu-proxy/sozu/blob/master/lib/src/network/tls.rs#L353
- domain name -> fingerprint (to look up the certificate from SNI usage): https://github.com/sozu-proxy/sozu/blob/master/lib/src/network/tls.rs#L351

Currently, if we remove the old certificate then add the new one, there's a gap during which TLS connections with those certificates won't work.

If we add the new certificate then remove the old one, then the adding part would replace the fingerprint in the trie with the new one, and the removing part would remove the new fingerprint from the trie (for all the domain names handled by the old certificate): https://github.com/sozu-proxy/sozu/blob/master/lib/src/network/tls.rs#L718-L720

Proposal: store a `Vec<CertFingerprint>` as value in the trie. That way, when we add or remove, we edit the related vector. If we look up a name and the resulting vec has multiple entries, just take the first one, since it means the certificate is still valid.
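The proposal above, worked through as an added example that is not sozu's own code: the domain-name trie is stood in for by a `HashMap` keyed by name, `CertFingerprint` is a constructed newtype rather than the project's type, and `rotate_without_gap` runs the add-new-then-remove-old sequence that a single-fingerprint value would break.

```rust
use std::collections::HashMap;

/// Constructed stand-in for sozu's CertFingerprint (assumed shape, not the project's type).
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct CertFingerprint(pub Vec<u8>);

/// Stand-in for the domain-name trie: a HashMap keyed by domain name whose
/// value is the proposed Vec<CertFingerprint> instead of a single fingerprint.
#[derive(Default)]
pub struct DomainIndex {
    names: HashMap<String, Vec<CertFingerprint>>,
}

impl DomainIndex {
    /// Register `fp` for every name the certificate covers. New entries go to
    /// the front, so a lookup during rotation prefers the newest certificate.
    pub fn add_certificate(&mut self, names: &[&str], fp: &CertFingerprint) {
        for name in names {
            let entry = self.names.entry((*name).to_string()).or_default();
            if !entry.contains(fp) {
                entry.insert(0, fp.clone());
            }
        }
    }

    /// Remove only `fp` from each name. Other fingerprints for the name stay,
    /// so removing the old certificate after adding the new one keeps the new one.
    pub fn remove_certificate(&mut self, names: &[&str], fp: &CertFingerprint) {
        for name in names {
            if let Some(entry) = self.names.get_mut(*name) {
                entry.retain(|f| f != fp);
            }
        }
    }

    /// SNI lookup: any entry is a valid certificate, so take the first one.
    pub fn lookup(&self, name: &str) -> Option<&CertFingerprint> {
        self.names.get(name).and_then(|v| v.first())
    }
}

/// Rotate without a gap: add new, then remove old; true if every name stayed resolvable.
pub fn rotate_without_gap(index: &mut DomainIndex, names: &[&str],
                          old: &CertFingerprint, new: &CertFingerprint) -> bool {
    index.add_certificate(names, new);
    let after_add = names.iter().all(|n| index.lookup(n).is_some());
    index.remove_certificate(names, old);
    let after_remove = names.iter().all(|n| index.lookup(n) == Some(new));
    after_add && after_remove
}
```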