diff --git a/src/XrdHttp/XrdHttpProtocol.cc b/src/XrdHttp/XrdHttpProtocol.cc index c0b3569f6c6..6a91139b34d 100644 --- a/src/XrdHttp/XrdHttpProtocol.cc +++ b/src/XrdHttp/XrdHttpProtocol.cc @@ -1133,11 +1133,6 @@ int XrdHttpProtocol::Config(const char *ConfigFN, XrdOucEnv *myEnv) { eDest.Say("------ HTTPS initialization ", how); if (NoGo) return NoGo; -// Turn on the refreshing -// - if (!NoGo && xrdctx->x509Verify() && !(xrdctx->SetCrlRefresh())) - eDest.Say("Config warning: CRL refreshing could not be enabled!"); - // We can now load all the external handlers // if (LoadExtHandler(extHIVec, ConfigFN, *myEnv)) return 1; @@ -1690,7 +1685,7 @@ bool XrdHttpProtocol::InitTLS() { std::string eMsg; uint64_t opts = XrdTlsContext::servr | XrdTlsContext::logVF | - XrdTlsContext::artON; + XrdTlsContext::artON | XrdTlsContext::scRefr; // Create a new TLS context // diff --git a/src/XrdTls/XrdTlsContext.cc b/src/XrdTls/XrdTlsContext.cc index 5c2a8e2e88c..e3a5853ddf0 100644 --- a/src/XrdTls/XrdTlsContext.cc +++ b/src/XrdTls/XrdTlsContext.cc @@ -724,8 +724,11 @@ XrdTlsContext::XrdTlsContext(const char *cert, const char *key, if (SSL_CTX_check_private_key(pImpl->ctx) != 1 ) FATAL_SSL("Unable to create TLS context; cert-key mismatch."); -// All went well, so keep the context. +// All went well, start the CRL refresh thread and keep the context. // + if(opts & scRefr) { + SetCrlRefresh(); + } ctx_tracker.Keep(); } @@ -749,7 +752,7 @@ XrdTlsContext::~XrdTlsContext() /* C l o n e */ /******************************************************************************/ -XrdTlsContext *XrdTlsContext::Clone(bool full) +XrdTlsContext *XrdTlsContext::Clone(bool full,bool startCRLRefresh) { XrdTlsContext::CTX_Params &my = pImpl->Parm; const char *cert = (my.cert.size() ? my.cert.c_str() : 0); 
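Review bot: The `XrdTlsContext::scRefr` bit added to `opts` in InitTLS is requested unconditionally, whereas the Config() block this commit removes only called SetCrlRefresh() when `xrdctx->x509Verify()` was true and logged a warning when it could not be enabled. The context does not exist yet at this point, so the verify setting cannot be consulted here; if refreshing without a verification store is meaningless or can fail, that gate now has to live where SetCrlRefresh() is actually called. A short comment at the flag would save the next reader from looking for the old gate: `// scRefr: the context starts its own CRL refresh thread; the x509Verify() gate that used to be in Config() is gone`. InitTLS continues past the end of this hunk.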
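Review bot: The `SetCrlRefresh()` call added after the cert/key check discards its boolean result, so a context that asked for CRL refreshing but could not get it is kept as if refreshing were active; the warning the removed XrdHttp code printed in that case has no replacement anywhere in this diff, and a silently stale CRL means revoked certificates keep being accepted. Since the flag is an explicit request, I would fail closed here, `if ((opts & scRefr) && !SetCrlRefresh()) FATAL_SSL("Unable to create TLS context; CRL refresh could not be enabled.");` — FATAL_SSL is already used two lines up for a cert-key mismatch, so the error path exists at this point. If SetCrlRefresh() can legitimately return false when no verification store is configured, gate the check on `x509Verify()` as the removed code did rather than ignoring the result. The constructor starts outside this hunk.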
@@ -763,7 +766,13 @@ XrdTlsContext *XrdTlsContext::Clone(bool full) // Cloning simply means getting a object with the old parameters. // - XrdTlsContext *xtc = new XrdTlsContext(cert, pkey, caD, caF, my.opts); + uint64_t myOpts = my.opts; + if(startCRLRefresh){ + myOpts |= XrdTlsContext::scRefr; + } else { + myOpts &= ~XrdTlsContext::scRefr; + } + XrdTlsContext *xtc = new XrdTlsContext(cert, pkey, caD, caF, myOpts,nullptr); // Verify that the context was built // diff --git a/src/XrdTls/XrdTlsContext.hh b/src/XrdTls/XrdTlsContext.hh index 64ffcbcc9f1..026a658fbb4 100644 --- a/src/XrdTls/XrdTlsContext.hh +++ b/src/XrdTls/XrdTlsContext.hh @@ -52,7 +52,7 @@ public: //! the session cache is set to off with no identifier. //------------------------------------------------------------------------ -XrdTlsContext *Clone(bool full=true); +XrdTlsContext *Clone(bool full=true, bool startCRLRefresh = false); //------------------------------------------------------------------------ //! Get the underlying context (should not be used). @@ -130,6 +130,7 @@ static const int scNone = 0x00000000; //!< Do not change any option settings static const int scOff = 0x00010000; //!< Turn off cache static const int scSrvr = 0x00020000; //!< Turn on cache server mode (default) static const int scClnt = 0x00040000; //!< Turn on cache client mode +static const int scRefr = 0x20000000; //!< Turn on the CRL refresh thread static const int scKeep = 0x40000000; //!< Info: TLS-controlled flush disabled static const int scIdErr= 0x80000000; //!< Info: Id not set, is too long static const int scFMax = 0x00007fff; //!< Maximum flush interval in seconds diff --git a/src/XrdXrootd/XrdXrootdConfig.cc b/src/XrdXrootd/XrdXrootdConfig.cc index b0ee4b8089c..08746b24164 100644 --- a/src/XrdXrootd/XrdXrootdConfig.cc +++ b/src/XrdXrootd/XrdXrootdConfig.cc 
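Review bot: Because `Clone()` now clears `scRefr` from `myOpts` unless `startCRLRefresh` is true, every existing Clone() caller outside this diff silently gets a context with no CRL refresh thread even when the parent was built with the bit; only the XrdXrootdConfig.cc caller is updated here. If the thread refreshes only its own context's revocation data (I cannot tell from this hunk), those clones keep whatever CRLs they were built with for the life of the process. Either inherit the parent's bit by default and clear it only on an explicit request, or make the drop visible next to the mask: `// A clone never inherits the parent's refresh thread; callers that need one must pass startCRLRefresh=true.` The `nullptr` sixth constructor argument is not introduced by this diff, so I cannot check what it turns off.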
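Review bot: The new `startCRLRefresh` parameter on `Clone()` is undocumented — the Doxygen block above the declaration still describes only `full` — and its default of `false` means a clone of a context that runs a CRL refresh thread gets none. I would add above the declaration: `//! @param startCRLRefresh When true the clone is built with scRefr and its constructor starts a CRL refresh thread; when false (default) the bit is cleared even if this context has it.` That is what the Clone() body in XrdTlsContext.cc does in this same commit.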
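Review bot: `scRefr` sits among the `sc*` session-cache flags and shares their prefix, but it controls the CRL refresh thread, not the session cache; the trailing comment should say so and say where it is acted on: `static const int scRefr = 0x20000000; //!< Start the CRL refresh thread in the constructor (not a session-cache option)`. Please also confirm that 0x20000000 is not already used by one of the other option constants that InitTLS ORs into the same `uint64_t` (`servr`, `logVF`, `artON` and the rest are outside this hunk), since a collision would switch refreshing on for any caller using that bit.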
@@ -576,7 +576,7 @@ int XrdXrootdProtocol::Config(const char *ConfigFN) // context must be of the non-verified kind as we don't accept certs. // if (!NoGo && tlsCtx) - {tlsCtx = tlsCtx->Clone(false); + {tlsCtx = tlsCtx->Clone(false,true); if (!tlsCtx) {eDest.Say("Config failure: unable to setup TLS for protocol!"); NoGo = 1;
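Review bot: `Clone(false,true)` requests a CRL refresh thread for a context that the comment two lines up describes as the non-verified kind because this protocol does not accept certificates; if the thread only refreshes this context's own verification store it does work that can never affect a handshake, and if `tlsCtx` was itself built with `scRefr` there are now two refresh threads. A sentence next to the call saying which of those is intended would settle it, and naming the literal makes the request self-explanatory: `{tlsCtx = tlsCtx->Clone(false, /*startCRLRefresh=*/true);`. XrdXrootdProtocol::Config continues beyond this hunk.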