On 18/05/2016 20:00, Jordan Brown wrote:
> On 5/18/2016 10:51 AM, Salz, Rich wrote:
>>> Would it be reasonable to have OpenSSL watch the metadata on the file or
>>> directory and, on change, discard cached certificates and, for a file, reload
>>> the file?
>> Unlikely to happen :)
> Are you saying that because nobody is interested in doing the
> development work, or because there's some reason why it would be a bad
> idea?
I am guessing this is because watching for file system
metadata changes is very OS specific and far outside the
small subset of OS functionality already abstracted by
the OS portability layers inside OpenSSL.
Perhaps a simpler solution would be if certificates
cached from the "CApath" mechanism would not be reused
beyond a time limit of e.g. 12 hours.
Similarly, for any self-loading mechanism, cached CRLs
should be reloaded at the earlier of e.g. 12 hours and
their "Not After" time.
Of course mechanisms that load all the data (CAs, CRLs
etc.) at program startup cannot do reloads because that
would fail when chroot or other security mechanisms
disable the relevant access permission shortly after
program startup (to prevent a security-compromised
process from accessing / changing data it is not
supposed to change during normal operations).
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
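As an added illustration of the time-limited cache proposed above (this is not code from the thread or from OpenSSL): a small wrapper around Python's ssl module that rebuilds the verification context from a CApath directory once the cached copy is older than a fixed limit, or earlier when a loaded CRL expires. The CRL expiry is assumed to be supplied by the caller, since the ssl module does not expose a CRL's nextUpdate field, and the clock is injectable so the behaviour can be checked without waiting 12 hours.

```python
"""Time-bounded trust-store cache for CApath-style directories (added example)."""
import ssl
import time

MAX_AGE_SECONDS = 12 * 3600  # the "e.g. 12 hours" suggested in the thread


def reload_deadline(loaded_at, max_age, crl_expiry=None):
    """Epoch second after which a cached store must not be reused:
    the earlier of loaded_at + max_age and the CRL expiry, if one is known."""
    deadline = loaded_at + max_age
    if crl_expiry is not None:
        deadline = min(deadline, crl_expiry)
    return deadline


class TimedTrustStore:
    """Hands out an SSLContext whose CA/CRL cache is discarded and rebuilt
    from `capath` once reload_deadline() has passed."""

    def __init__(self, capath, max_age=MAX_AGE_SECONDS, clock=time.time):
        self.capath = capath      # directory in OpenSSL hashed-name layout
        self.max_age = max_age
        self.clock = clock        # injectable for tests (assumed interface)
        self.ctx = None
        self.loaded_at = None
        self.reloads = 0

    def _build(self):
        # A brand-new context starts with an empty X509_STORE, so no
        # certificate or CRL cached by the previous context survives.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.load_verify_locations(capath=self.capath)
        # Require a CRL for the leaf certificate; verification fails closed
        # when the directory holds no CRL for the issuer.
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
        return ctx

    def context(self, crl_expiry=None):
        """Return the cached context, rebuilding it when it is too old
        (or when the caller-supplied CRL expiry has passed)."""
        now = self.clock()
        if self.ctx is None or now >= reload_deadline(
                self.loaded_at, self.max_age, crl_expiry):
            self.ctx = self._build()
            self.loaded_at = now
            self.reloads += 1
        return self.ctx
```

Because the reload happens by constructing a new context rather than by touching files at startup only, it still needs read access to the CApath directory later in the process lifetime, which is exactly the chroot/permission-drop caveat raised in the message.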