Re: [openssl-users] certificate renewal without restarting processes

2017-05-25 Thread Viktor Dukhovni

> On May 25, 2017, at 10:28 AM, Salz, Rich via openssl-users 
>  wrote:
> 
>> It uses SSL_CTX_use_certificate_chain_file in some places and in other places
>> it uses PEM_read_bio_X509
>> 
>> When these APIs are used, can the OpenSSL stack detect updated files on
>> disk and reload them without any intervention from the application?
> 
> No, it's a load and use the current contents.
> 
> You can call them multiple times; the old content will be removed and new 
> content reloaded.

I doubt this is safe in multi-threaded applications.  The only way to
do this safely in that situation is to create a new SSL_CTX with the
new certificate chain, and arrange for *new* connections to use the new
context, while existing connections continue to use the old context.

It is possible to call SSL_CTX_free() on the old context even while
it is in use, since the object is reference counted and will be finally
freed by the last thread to release the object.  However, care is required
to avoid a race against new threads starting to still use the old context.
So some sort of memory barrier is needed to ensure that only the new
context is used to start new connections before calling SSL_CTX_free() on
the old.  In practice you need some sort of lock that supports shared and
exclusive access around whatever structure encapsulates the updatable
SSL_CTX:

   worker thread:
       acquire read lock
       use current SSL_CTX to call SSL_new()
       release read lock

   update thread:
       acquire write lock
       SSL_CTX_free current context
       set new context as current context
       release write lock

-- 
Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] OpenSSL version 1.0.2l published

2017-05-25 Thread Dennis Clarke


So this is exclusively a change to support mingw64 ?

That seems to be all that is said here :

https://www.openssl.org/news/cl102.txt



 OpenSSL CHANGES
 ___

 Changes between 1.0.2l and 1.0.2m [xx XXX ]

  *)

 Changes between 1.0.2k and 1.0.2l [25 May 2017]

  *) Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
 platform rather than 'mingw'.
 [Richard Levitte]


.
.
.


Dennis Clarke


Re: [openssl-users] certificate renewal without restarting processes

2017-05-25 Thread Salz, Rich via openssl-users
> It uses SSL_CTX_use_certificate_chain_file in some places and in other places
> it uses PEM_read_bio_X509
> 
> When these APIs are used, can the OpenSSL stack detect updated files on
> disk and reload them without any intervention from the application?

No, it's a load and use the current contents.

You can call them multiple times; the old content will be removed and new 
content reloaded.




[openssl-users] certificate renewal without restarting processes

2017-05-25 Thread Daniel Pocock

Hi,

The reSIProcate project is using OpenSSL to load[1] certificates and
private keys.

It uses SSL_CTX_use_certificate_chain_file in some places and in other
places it uses PEM_read_bio_X509

When these APIs are used, can the OpenSSL stack detect updated files on
disk and reload them without any intervention from the application?

If not, is there any alternative API function that can do that?

If it can't be done within OpenSSL, what is the right way for the
application developer to go about it?  Can those methods simply be
called again when a file has been updated, or is any cleanup needed
before trying to load the new cert?

Regards,

Daniel



1.
https://github.com/resiprocate/resiprocate/blob/master/resip/stack/ssl/Security.cxx#L386


Re: [openssl-users] OpenSSL version 1.0.2l published

2017-05-25 Thread Patrick Mayweg


Qint Software GmbH
Marlene-Dietrich-Str.59
80636 München 
+49 172 8910563
Sitz: München HRB 117326
Geschäftsführer: Patrick Mayweg.

> On 25.05.2017, at 15:57, OpenSSL  wrote:
> 
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
> 
> 
>   OpenSSL version 1.0.2l released
>   ===
> 
>   OpenSSL - The Open Source toolkit for SSL/TLS
>   https://www.openssl.org/
> 
>   The OpenSSL project team is pleased to announce the release of
>   version 1.0.2l of our open source toolkit for SSL/TLS. For details
>   of changes and known issues see the release notes at:
> 
>https://www.openssl.org/news/openssl-1.0.2-notes.html
> 
>   OpenSSL 1.0.2l is available for download via HTTP and FTP from the
>   following master locations (you can find the various FTP mirrors under
>   https://www.openssl.org/source/mirror.html):
> 
> * https://www.openssl.org/source/
> * ftp://ftp.openssl.org/source/
> 
>   The distribution file name is:
> 
>o openssl-1.0.2l.tar.gz
>  Size: 5365054
>  SHA1 checksum: b58d5d0e9cea20e571d903aafa853e2ccd914138
>  SHA256 checksum: 
> ce07195b659e75f4e1db43552860070061f156a98bb37b672b101ba6e3ddf30c
> 
>   The checksums were calculated using the following commands:
> 
>openssl sha1 openssl-1.0.2l.tar.gz
>openssl sha256 openssl-1.0.2l.tar.gz
> 
>   Yours,
> 
>   The OpenSSL Project Team.
> 


[openssl-users] OpenSSL version 1.1.0f published

2017-05-25 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256


   OpenSSL version 1.1.0f released
   ===

   OpenSSL - The Open Source toolkit for SSL/TLS
   https://www.openssl.org/

   The OpenSSL project team is pleased to announce the release of
   version 1.1.0f of our open source toolkit for SSL/TLS. For details
   of changes and known issues see the release notes at:

https://www.openssl.org/news/openssl-1.1.0-notes.html

   OpenSSL 1.1.0f is available for download via HTTP and FTP from the
   following master locations (you can find the various FTP mirrors under
   https://www.openssl.org/source/mirror.html):

 * https://www.openssl.org/source/
 * ftp://ftp.openssl.org/source/

   The distribution file name is:

o openssl-1.1.0f.tar.gz
  Size: 5278176
  SHA1 checksum: 9e3e02bc8b4965477a7a1d33be1249299a9deb15
  SHA256 checksum: 
12f746f3f2493b2f39da7ecf63d7ee19c6ac9ec6a4fcd8c229da8a522cb12765

   The checksums were calculated using the following commands:

openssl sha1 openssl-1.1.0f.tar.gz
openssl sha256 openssl-1.1.0f.tar.gz

   Yours,

   The OpenSSL Project Team.



[openssl-users] OpenSSL version 1.0.2l published

2017-05-25 Thread OpenSSL
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256


   OpenSSL version 1.0.2l released
   ===

   OpenSSL - The Open Source toolkit for SSL/TLS
   https://www.openssl.org/

   The OpenSSL project team is pleased to announce the release of
   version 1.0.2l of our open source toolkit for SSL/TLS. For details
   of changes and known issues see the release notes at:

https://www.openssl.org/news/openssl-1.0.2-notes.html

   OpenSSL 1.0.2l is available for download via HTTP and FTP from the
   following master locations (you can find the various FTP mirrors under
   https://www.openssl.org/source/mirror.html):

 * https://www.openssl.org/source/
 * ftp://ftp.openssl.org/source/

   The distribution file name is:

o openssl-1.0.2l.tar.gz
  Size: 5365054
  SHA1 checksum: b58d5d0e9cea20e571d903aafa853e2ccd914138
  SHA256 checksum: 
ce07195b659e75f4e1db43552860070061f156a98bb37b672b101ba6e3ddf30c

   The checksums were calculated using the following commands:

openssl sha1 openssl-1.0.2l.tar.gz
openssl sha256 openssl-1.0.2l.tar.gz

   Yours,

   The OpenSSL Project Team.
