Re: [openssl-users] certificate renewal without restarting processes
> On May 25, 2017, at 10:28 AM, Salz, Rich via openssl-users wrote:
>
>> It uses SSL_CTX_use_certificate_chain_file in some places and in other places
>> it uses PEM_read_bio_X509
>>
>> When these APIs are used, can the OpenSSL stack detect updated files on
>> disk and reload them without any intervention from the application?
>
> No, it's a load and use the current contents.
>
> You can call them multiple times; the old content will be removed and new
> content reloaded.

I doubt this is safe in multi-threaded applications. The only way to do this safely in that situation is to create a new SSL_CTX with the new certificate chain, and arrange for *new* connections to use the new context, while existing connections continue to use the old context.

It is possible to call SSL_CTX_free() on the old context even while it is in use, since the object is reference counted and will be finally freed by the last thread to release the object. However, care is required to avoid a race against new threads starting to still use the old context. So some sort of memory barrier is needed to ensure that only the new context is used to start new connections before calling SSL_CTX_free() on the old.

In practice you need some sort of lock that supports shared and exclusive access around whatever structure encapsulates the updatable SSL_CTX:

    worker thread:
        acquire read lock
        use current SSL_CTX to call SSL_new()
        release read lock

    update thread:
        acquire write lock:
        SSL_CTX_free current context
        set new context as current context
        release write lock

--
	Viktor.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] OpenSSL version 1.0.2l published
So this is exclusively a change to support mingw64? That seems to be all that is said here:

https://www.openssl.org/news/cl102.txt

    OpenSSL CHANGES
    _______________

    Changes between 1.0.2l and 1.0.2m [xx XXX ]

     *)

    Changes between 1.0.2k and 1.0.2l [25 May 2017]

     *) Have 'config' recognise 64-bit mingw and choose 'mingw64' as the
        target platform rather than 'mingw'.
        [Richard Levitte]

    . . .

Dennis Clarke
Re: [openssl-users] certificate renewal without restarting processes
> It uses SSL_CTX_use_certificate_chain_file in some places and in other places
> it uses PEM_read_bio_X509
>
> When these APIs are used, can the OpenSSL stack detect updated files on
> disk and reload them without any intervention from the application?

No, it's a load and use the current contents.

You can call them multiple times; the old content will be removed and new content reloaded.
[openssl-users] certificate renewal without restarting processes
Hi,

The reSIProcate project is using OpenSSL to load[1] certificates and private keys.

It uses SSL_CTX_use_certificate_chain_file in some places and in other places it uses PEM_read_bio_X509.

When these APIs are used, can the OpenSSL stack detect updated files on disk and reload them without any intervention from the application?

If not, is there any alternative API function that can do that?

If it can't be done within OpenSSL, what is the right way for the application developer to go about it? Can those methods simply be called again when a file has been updated, or is any cleanup needed before trying to load the new cert?

Regards,

Daniel

1. https://github.com/resiprocate/resiprocate/blob/master/resip/stack/ssl/Security.cxx#L386
Re: [openssl-users] OpenSSL version 1.0.2l published
Qint Software GmbH
Marlene-Dietrich-Str. 59
80636 München
+49 172 8910563
Registered office: München, HRB 117326
Managing director: Patrick Mayweg.

> On 25.05.2017, at 15:57, OpenSSL wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
>
>    OpenSSL version 1.0.2l released
>    ===============================
>
>    OpenSSL - The Open Source toolkit for SSL/TLS
>    https://www.openssl.org/
>
>    The OpenSSL project team is pleased to announce the release of
>    version 1.0.2l of our open source toolkit for SSL/TLS. For details
>    of changes and known issues see the release notes at:
>
>        https://www.openssl.org/news/openssl-1.0.2-notes.html
>
>    OpenSSL 1.0.2l is available for download via HTTP and FTP from the
>    following master locations (you can find the various FTP mirrors under
>    https://www.openssl.org/source/mirror.html):
>
>      * https://www.openssl.org/source/
>      * ftp://ftp.openssl.org/source/
>
>    The distribution file name is:
>
>        o openssl-1.0.2l.tar.gz
>          Size: 5365054
>          SHA1 checksum: b58d5d0e9cea20e571d903aafa853e2ccd914138
>          SHA256 checksum: ce07195b659e75f4e1db43552860070061f156a98bb37b672b101ba6e3ddf30c
>
>    The checksums were calculated using the following commands:
>
>        openssl sha1 openssl-1.0.2l.tar.gz
>        openssl sha256 openssl-1.0.2l.tar.gz
>
>    Yours,
>
>    The OpenSSL Project Team.
[openssl-users] OpenSSL version 1.1.0f published
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256


   OpenSSL version 1.1.0f released
   ===============================

   OpenSSL - The Open Source toolkit for SSL/TLS
   https://www.openssl.org/

   The OpenSSL project team is pleased to announce the release of
   version 1.1.0f of our open source toolkit for SSL/TLS. For details
   of changes and known issues see the release notes at:

       https://www.openssl.org/news/openssl-1.1.0-notes.html

   OpenSSL 1.1.0f is available for download via HTTP and FTP from the
   following master locations (you can find the various FTP mirrors under
   https://www.openssl.org/source/mirror.html):

     * https://www.openssl.org/source/
     * ftp://ftp.openssl.org/source/

   The distribution file name is:

       o openssl-1.1.0f.tar.gz
         Size: 5278176
         SHA1 checksum: 9e3e02bc8b4965477a7a1d33be1249299a9deb15
         SHA256 checksum: 12f746f3f2493b2f39da7ecf63d7ee19c6ac9ec6a4fcd8c229da8a522cb12765

   The checksums were calculated using the following commands:

       openssl sha1 openssl-1.1.0f.tar.gz
       openssl sha256 openssl-1.1.0f.tar.gz

   Yours,

   The OpenSSL Project Team.
[openssl-users] OpenSSL version 1.0.2l published
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256


   OpenSSL version 1.0.2l released
   ===============================

   OpenSSL - The Open Source toolkit for SSL/TLS
   https://www.openssl.org/

   The OpenSSL project team is pleased to announce the release of
   version 1.0.2l of our open source toolkit for SSL/TLS. For details
   of changes and known issues see the release notes at:

       https://www.openssl.org/news/openssl-1.0.2-notes.html

   OpenSSL 1.0.2l is available for download via HTTP and FTP from the
   following master locations (you can find the various FTP mirrors under
   https://www.openssl.org/source/mirror.html):

     * https://www.openssl.org/source/
     * ftp://ftp.openssl.org/source/

   The distribution file name is:

       o openssl-1.0.2l.tar.gz
         Size: 5365054
         SHA1 checksum: b58d5d0e9cea20e571d903aafa853e2ccd914138
         SHA256 checksum: ce07195b659e75f4e1db43552860070061f156a98bb37b672b101ba6e3ddf30c

   The checksums were calculated using the following commands:

       openssl sha1 openssl-1.0.2l.tar.gz
       openssl sha256 openssl-1.0.2l.tar.gz

   Yours,

   The OpenSSL Project Team.