diff --git a/src/XrdHttp/XrdHttpProtocol.cc b/src/XrdHttp/XrdHttpProtocol.cc
index c0b3569f6c6..316e1419a65 100644
--- a/src/XrdHttp/XrdHttpProtocol.cc
+++ b/src/XrdHttp/XrdHttpProtocol.cc
@@ -1133,11 +1133,6 @@ int XrdHttpProtocol::Config(const char *ConfigFN, XrdOucEnv *myEnv) {
 eDest.Say("------ HTTPS initialization ", how);
 if (NoGo) return NoGo;
-// Turn on the refreshing
-//
- if (!NoGo && xrdctx->x509Verify() && !(xrdctx->SetCrlRefresh()))
- eDest.Say("Config warning: CRL refreshing could not be enabled!");
-
 // We can now load all the external handlers
 //
 if (LoadExtHandler(extHIVec, ConfigFN, *myEnv)) return 1;
@@ -1696,7 +1691,7 @@ bool XrdHttpProtocol::InitTLS() {
 //
 if (sslverifydepth > 255) sslverifydepth = 255;
 opts = TLS_SET_VDEPTH(opts, sslverifydepth);
- xrdctx = new XrdTlsContext(sslcert,sslkey,sslcadir,sslcafile,opts,&eMsg);
+ xrdctx = new XrdTlsContext(sslcert,sslkey,sslcadir,sslcafile,opts,&eMsg,true);
 // Make sure the context was created
 //
diff --git a/src/XrdTls/XrdTlsContext.cc b/src/XrdTls/XrdTlsContext.cc
index 5c2a8e2e88c..8c30689b9b3 100644
--- a/src/XrdTls/XrdTlsContext.cc
+++ b/src/XrdTls/XrdTlsContext.cc
@@ -540,7 +540,7 @@ int VerCB(int aOK, X509_STORE_CTX *x509P)
 XrdTlsContext::XrdTlsContext(const char *cert, const char *key,
 const char *caDir, const char *caFile,
- uint64_t opts, std::string *eMsg)
+ uint64_t opts, std::string *eMsg,const bool startCRLRefreshThread)
 : pImpl( new XrdTlsContextImpl(this) )
 {
 class ctx_helper
@@ -724,8 +724,11 @@ XrdTlsContext::XrdTlsContext(const char *cert, const char *key,
 if (SSL_CTX_check_private_key(pImpl->ctx) != 1 )
 FATAL_SSL("Unable to create TLS context; cert-key mismatch.");
-// All went well, so keep the context.
+// All went well, start the CRL refresh thread and keep the context.
 //
+ if(startCRLRefreshThread) {
+ SetCrlRefresh();
+ }
 ctx_tracker.Keep();
 }
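Review bot: The constructor's new `if(startCRLRefreshThread) { SetCrlRefresh(); }` in the second XrdTlsContext.cc hunk discards the return value that the removed XrdHttpProtocol::Config block tested, so a refresh that fails to start no longer produces the `Config warning: CRL refreshing could not be enabled!` message and revocation data can go stale without anyone being told. The removed block also enabled refreshing only when `xrdctx->x509Verify()` held, whereas the new InitTLS call passes `true` unconditionally; whether SetCrlRefresh() is harmless on a context that does not verify peers is not visible here and is worth confirming. I would keep the check in the constructor, `if (startCRLRefreshThread && !SetCrlRefresh()) { /* report that CRL refreshing is off */ }`, and report it through the TLS layer's own logging rather than `eMsg`, unless callers are known not to treat a non-empty `eMsg` as construction failure. Separately, `const` on the by-value `startCRLRefreshThread` parameter in the signature hunk changes nothing for callers and is not used on the other parameters; the constructor's body lies between the two XrdTlsContext.cc hunks and is not shown.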
@@ -749,7 +752,7 @@ XrdTlsContext::~XrdTlsContext()
 /* C l o n e */
 /******************************************************************************/
-XrdTlsContext *XrdTlsContext::Clone(bool full)
+XrdTlsContext *XrdTlsContext::Clone(bool full,bool startCRLRefresh)
 {
 XrdTlsContext::CTX_Params &my = pImpl->Parm;
 const char *cert = (my.cert.size() ? my.cert.c_str() : 0);
@@ -763,7 +766,7 @@ XrdTlsContext *XrdTlsContext::Clone(bool full)
 // Cloning simply means getting a object with the old parameters.
 //
- XrdTlsContext *xtc = new XrdTlsContext(cert, pkey, caD, caF, my.opts);
+ XrdTlsContext *xtc = new XrdTlsContext(cert, pkey, caD, caF, my.opts,nullptr,startCRLRefresh);
 // Verify that the context was built
 //
diff --git a/src/XrdTls/XrdTlsContext.hh b/src/XrdTls/XrdTlsContext.hh
index 64ffcbcc9f1..d5e31b08f1c 100644
--- a/src/XrdTls/XrdTlsContext.hh
+++ b/src/XrdTls/XrdTlsContext.hh
@@ -52,7 +52,7 @@ public:
 //! the session cache is set to off with no identifier.
 //------------------------------------------------------------------------
-XrdTlsContext *Clone(bool full=true);
+XrdTlsContext *Clone(bool full=true, bool startCRLRefresh = false);
 //------------------------------------------------------------------------
 //! Get the underlying context (should not be used).
@@ -238,7 +238,7 @@ static const uint64_t artON = 0x0000002000000000; //!< Auto retry Handshake
 XrdTlsContext(const char *cert=0, const char *key=0,
 const char *cadir=0, const char *cafile=0,
- uint64_t opts=0, std::string *eMsg=0);
+ uint64_t opts=0, std::string *eMsg=0,const bool startCRLRefreshThread = false);
 //------------------------------------------------------------------------
 //! Destructor
diff --git a/src/XrdXrootd/XrdXrootdConfig.cc b/src/XrdXrootd/XrdXrootdConfig.cc
index b0ee4b8089c..08746b24164 100644
--- a/src/XrdXrootd/XrdXrootdConfig.cc
+++ b/src/XrdXrootd/XrdXrootdConfig.cc
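Review bot: The new `startCRLRefresh` parameter on `Clone()` and `startCRLRefreshThread` on the constructor in XrdTlsContext.hh are undocumented, although the surrounding header describes these members with `//!` blocks (the text for `full` ends just above the first header hunk). I would add `//! @param startCRLRefresh  When true the new context starts the CRL refresh thread (see SetCrlRefresh()); off by default.` to the `Clone()` declaration and the same wording for the constructor's parameter. With the default of `false`, every existing Clone() caller obtains a context without CRL refreshing even if the source context had it enabled; if that is intended the comment should say so, since a reader of `Clone(bool full=true)` might assume the clone inherits it. The `const` on the by-value constructor parameter has no effect in a declaration and is inconsistent with the other parameters; `Clone()`'s body continues outside both XrdTlsContext.cc hunks.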
@@ -576,7 +576,7 @@ int XrdXrootdProtocol::Config(const char *ConfigFN)
 // context must be of the non-verified kind as we don't accept certs.
 //
 if (!NoGo && tlsCtx)
- {tlsCtx = tlsCtx->Clone(false);
+ {tlsCtx = tlsCtx->Clone(false,true);
 if (!tlsCtx)
 {eDest.Say("Config failure: unable to setup TLS for protocol!");
 NoGo = 1;
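Review bot: `tlsCtx->Clone(false,true)` now starts a CRL refresh thread on the xrootd protocol's context, yet the comment two lines above says this context is of the non-verified kind because the protocol does not accept certificates; if no peer certificate is ever checked through it, the thread refreshes revocation data that nothing consumes, and if SetCrlRefresh() is per-context it adds one more background thread per clone. Worth confirming whether SetCrlRefresh() is a no-op for a non-verifying context; if it is not, either pass `false` here or extend the comment to say why refreshing is wanted on this clone. Whether a failure to start the refresh is reported for the clone depends on what the constructor does with SetCrlRefresh()'s result, which this hunk cannot show; the enclosing Config() continues outside the hunk.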