[XrdTls] The start of the CRLRefresh thread is now triggered in the c…

…onstructor of the XrdTlsContext class

A boolean flag has been added to the constructor and the Clone() method of the XrdTlsContext class.
If set to true, the TLS context created or cloned will run the CRLRefresh thread after having been succesfully initialized.

src/XrdHttp/XrdHttpProtocol.cc

@@ -1133,11 +1133,6 @@ int XrdHttpProtocol::Config(const char *ConfigFN, XrdOucEnv *myEnv) {
    eDest.Say("------ HTTPS initialization ", how);
    if (NoGo) return NoGo;
 
-// Turn on the refreshing
-//
-   if (!NoGo && xrdctx->x509Verify() && !(xrdctx->SetCrlRefresh()))
-      eDest.Say("Config warning: CRL refreshing could not be enabled!");
-
 // We can now load all the external handlers
 //
    if (LoadExtHandler(extHIVec, ConfigFN, *myEnv)) return 1;
@@ -1696,7 +1691,7 @@ bool XrdHttpProtocol::InitTLS() {
 //
    if (sslverifydepth > 255) sslverifydepth = 255;
    opts = TLS_SET_VDEPTH(opts, sslverifydepth);
-   xrdctx = new XrdTlsContext(sslcert,sslkey,sslcadir,sslcafile,opts,&eMsg);
+   xrdctx = new XrdTlsContext(sslcert,sslkey,sslcadir,sslcafile,opts,&eMsg,true);
 
 // Make sure the context was created
 //

src/XrdTls/XrdTlsContext.cc

@@ -540,7 +540,7 @@ int VerCB(int aOK, X509_STORE_CTX *x509P)
 
 XrdTlsContext::XrdTlsContext(const char *cert,  const char *key,
                              const char *caDir, const char *caFile,
-                             uint64_t opts, std::string *eMsg)
+                             uint64_t opts, std::string *eMsg,const bool startCRLRefreshThread)
                             : pImpl( new XrdTlsContextImpl(this) )
 {
    class ctx_helper
@@ -724,8 +724,11 @@ XrdTlsContext::XrdTlsContext(const char *cert,  const char *key,
    if (SSL_CTX_check_private_key(pImpl->ctx) != 1 )
       FATAL_SSL("Unable to create TLS context; cert-key mismatch.");
 
-// All went well, so keep the context.
+// All went well, start the CRL refresh thread and keep the context.
 //
+   if(startCRLRefreshThread) {
+       SetCrlRefresh();
+   }
    ctx_tracker.Keep();
 }
 
@@ -749,7 +752,7 @@ XrdTlsContext::~XrdTlsContext()
 /*                                 C l o n e                                  */
 /******************************************************************************/
 
-XrdTlsContext *XrdTlsContext::Clone(bool full)
+XrdTlsContext *XrdTlsContext::Clone(bool full,bool startCRLRefresh)
 {
   XrdTlsContext::CTX_Params &my = pImpl->Parm;
   const char *cert = (my.cert.size()   ? my.cert.c_str()   : 0);
@@ -763,7 +766,7 @@ XrdTlsContext *XrdTlsContext::Clone(bool full)
 
 // Cloning simply means getting a object with the old parameters.
 //
-   XrdTlsContext *xtc = new XrdTlsContext(cert, pkey, caD, caF, my.opts);
+   XrdTlsContext *xtc = new XrdTlsContext(cert, pkey, caD, caF, my.opts,nullptr,startCRLRefresh);
 
 // Verify that the context was built
 //

src/XrdTls/XrdTlsContext.hh

@@ -52,7 +52,7 @@ public:
 //!       the session cache is set to off with no identifier.
 //------------------------------------------------------------------------
 
-XrdTlsContext *Clone(bool full=true);
+XrdTlsContext *Clone(bool full=true, bool startCRLRefresh = false);
 
 //------------------------------------------------------------------------
 //! Get the underlying context (should not be used).
@@ -238,7 +238,7 @@ static const uint64_t artON = 0x0000002000000000; //!< Auto retry Handshake
 
        XrdTlsContext(const char *cert=0,  const char *key=0,
                      const char *cadir=0, const char *cafile=0,
-                     uint64_t opts=0, std::string *eMsg=0);
+                     uint64_t opts=0, std::string *eMsg=0,const bool startCRLRefreshThread = false);
 
 //------------------------------------------------------------------------
 //! Destructor

src/XrdXrootd/XrdXrootdConfig.cc

@@ -576,7 +576,7 @@ int XrdXrootdProtocol::Config(const char *ConfigFN)
 // context must be of the non-verified kind as we don't accept certs.
 //
    if (!NoGo && tlsCtx)
-      {tlsCtx = tlsCtx->Clone(false);
+      {tlsCtx = tlsCtx->Clone(false,true);
        if (!tlsCtx)
           {eDest.Say("Config failure: unable to setup TLS for protocol!");
            NoGo = 1;