Question: What happens if SSL certs expire? #21
Planning on using dRPC and this package: https://pkg.go.dev/go.bryk.io/pkg/net/drpc - and trying to spec out whether SSL certs are a good idea for our system.
My concern is what happens when an SSL cert expires, or a certificate is changed (because a cert is due to expire shortly), and the client has an active connection to the dRPC server.
Will the client's connection be killed automatically? Will the client retrieve the new SSL certificate automatically?
I am planning on using Let's Encrypt autocert to automatically renew certs without requiring a server restart.
Could anyone give any advice around this? Thanks.

Comments

The answer all depends on how you implement Line 68 in a3f0249.
I will give some answers for the general case where you use the net.Conn you pass to Line 37 in a3f0249.
The certificate is only validated on handshake, so the connection will keep working. Also, certificates are renewed well before they expire: Let's Encrypt certificates are valid for 3 months and renewed after 2 months. (If you read the TLS spec, the server or client can renegotiate at any time, but I haven't seen this in the wild.)
The client will validate the certificate against the "parent" certificate in its CA store. These certificates are valid for multiple years and are usually updated by your operating system.
In that case you must periodically re-initialize
Note that Let's Encrypt only works for server certificates. If you want to work with client verification you have to generate the client certificate yourself. At Storj we developed something called NodeID verification to communicate between the thousands of actors in our network, which (I think) does both client and server verification through TLS certificates. I'm quite fond of it but it would be overkill for a small project. Implementation is at https://github.com/storj/common/blob/main/peertls/tlsopts/tls.go Hope this helps!

Thanks so much for your thorough response, this answers all my questions. Awesome job on dRPC and Storj, both products look incredible :-).
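The behaviour the answer above describes, as an added example written for this page (not code from drpc, autocert, or the answer itself): a Go client validates the server certificate only during the handshake, so an established connection keeps working after that certificate expires, a fresh handshake against the expired certificate is refused, and a listener whose tls.Config uses GetCertificate (the hook autocert plugs into) hands a renewed certificate to new connections without a restart. The self-signed certificates, the echo server and the simulated client clock (tls.Config.Time) are constructed assumptions so the program runs offline; all function names are mine.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"io"
	"math/big"
	"sync/atomic"
	"time"
)

// selfSigned builds a self-signed "localhost" server certificate valid over [from, to); a fixture, not a real CA.
func selfSigned(from, to time.Time) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), NotBefore: from, NotAfter: to,
		DNSNames: []string{"localhost"}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// dial handshakes with addr trusting only trust; now is the clock the client checks validity periods against.
func dial(addr string, trust tls.Certificate, now time.Time) (*tls.Conn, error) {
	pool := x509.NewCertPool()
	pool.AddCert(trust.Leaf)
	return tls.Dial("tcp", addr, &tls.Config{RootCAs: pool, ServerName: "localhost", Time: func() time.Time { return now }})
}

// demo reports whether the old connection survives expiry, whether a new handshake with the expired cert is refused, and whether one after an autocert-style swap succeeds.
func demo() (stillWorks, expiredRejected, rotatedAccepted bool) {
	t0 := time.Now()
	old, fresh := selfSigned(t0.Add(-time.Hour), t0.Add(time.Hour)), selfSigned(t0, t0.Add(90*24*time.Hour))
	var cur atomic.Pointer[tls.Certificate] // current certificate; GetCertificate (the hook autocert uses) reads it per handshake
	cur.Store(&old)
	ln, _ := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{GetCertificate: func(*tls.ClientHelloInfo) (*tls.Certificate, error) { return cur.Load(), nil }})
	defer ln.Close()
	go func() { // echo server standing in for a long-lived drpc stream
		for { c, err := ln.Accept(); if err != nil { return }; go func() { io.Copy(c, c); c.Close() }() }
	}()
	c1, err := dial(ln.Addr().String(), old, t0)
	if err != nil { return }
	_, expErr := dial(ln.Addr().String(), old, t0.Add(2*time.Hour)) // 2h later the old cert has expired: a new handshake re-validates and is refused
	c1.SetDeadline(time.Now().Add(2 * time.Second))
	c1.Write([]byte("hello"))                   // the existing connection is never re-validated...
	_, rerr := io.ReadFull(c1, make([]byte, 5)) // ...so the echo still comes back
	cur.Store(&fresh)                           // renewal: no restart, and no effect on c1
	_, rotErr := dial(ln.Addr().String(), fresh, t0.Add(2*time.Hour)) // new handshakes are served the new certificate
	return rerr == nil, expErr != nil, rotErr == nil
}
```

A real deployment gets the same effect by pointing GetCertificate at autocert.Manager; the client-side tls.Config.Time override exists here only to make expiry reproducible.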