nodece commented on issue #22125: URL: https://github.com/apache/pulsar/issues/22125#issuecomment-1994378432

> @nodece - just to confirm the scope of what u are thinking. Would this certificate monitor _**JUST**_ be checking the certificate provided by the client to auth? Or should it **also** check the expiry of the certificate used to setup the TLS transport, i.e. the `tlsCertificateFilePath` cert.

This is the same thing. Please note that the client never sends an auth certificate, which comes from `javax.net.ssl.SSLSession#getPeerCertificates`. Therefore, your client needs to reconnect to the broker to refresh the certificate.

> if the client certificate has expired - the client needs to make a new TCP connection (which will of course negotiate TLS again also). This is why my PoC PR is not optimal(?)

This is correct.

> Do u have any further tips / advice re fixing this? Could this be implemented similar to how `refreshAuthenticationCredentials` is scheduled in `ServerCnx`? If i could get some direction I could help tackle this bug.

You can refer to the `authRefreshTask` in the `ServerCnx`: create a new `peerCertExpireCheckTask` scheduled task with a fixed delay (the expiration time of the certificate minus the current time); when the certificate expires, you can disconnect this connection.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]

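The scheduling idea sketched in the comment above (take the peer certificate's expiry, subtract the current time, schedule a one-shot task for that delay, and close the connection when it fires), shown as an added example. This is not code from Pulsar or from the comment author: `PeerCertExpiryWatcher`, `earliestNotAfter` and the `disconnect` callback are hypothetical names, and the example abstracts the transport as a plain `Runnable` instead of Pulsar's `ServerCnx`/Netty channel. It only uses the standard `javax.net.ssl.SSLSession#getPeerCertificates` and `X509Certificate#getNotAfter` APIs.

```java
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.util.Date;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.ScheduledFuture;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

/**
 * Hypothetical helper (not Pulsar code): schedules a disconnect for the moment the
 * peer's certificate chain expires. Because the client only presents its certificate
 * during the TLS handshake, a renewed certificate is only seen after the client opens
 * a new TCP connection, so the watcher is created once per connection.
 */
public final class PeerCertExpiryWatcher {
    private final ScheduledExecutorService scheduler;
    private final Clock clock;

    public PeerCertExpiryWatcher(ScheduledExecutorService scheduler, Clock clock) {
        this.scheduler = scheduler;
        this.clock = clock;
    }

    /**
     * Earliest notAfter across the chain (leaf and any intermediates the peer sent),
     * or null when the chain is empty. Using the earliest value is conservative: once
     * any certificate in the chain lapses, the chain no longer validates.
     */
    public static Instant earliestNotAfter(Certificate[] chain) {
        Instant earliest = null;
        for (Certificate c : chain) {
            if (!(c instanceof X509Certificate)) {
                continue; // only X.509 certificates carry a validity period
            }
            Date notAfter = ((X509Certificate) c).getNotAfter();
            Instant candidate = notAfter.toInstant();
            if (earliest == null || candidate.isBefore(earliest)) {
                earliest = candidate;
            }
        }
        return earliest;
    }

    /** Delay from "now" until expiry, clamped at zero for an already-expired chain. */
    public static Duration delayUntil(Instant notAfter, Clock clock) {
        Duration remaining = Duration.between(clock.instant(), notAfter);
        return remaining.isNegative() ? Duration.ZERO : remaining;
    }

    /**
     * Schedules {@code disconnect} to run when the peer chain expires. Returns null when
     * the peer sent no certificate (e.g. TLS without client auth), in which case there
     * is nothing to watch. The caller should cancel the returned future when the
     * connection closes for any other reason, mirroring how a per-connection task
     * such as authRefreshTask is torn down.
     */
    public ScheduledFuture<?> watch(SSLSession session, Runnable disconnect) {
        Certificate[] chain;
        try {
            chain = session.getPeerCertificates();
        } catch (SSLPeerUnverifiedException e) {
            return null; // no verified peer certificate on this session
        }
        Instant notAfter = earliestNotAfter(chain);
        if (notAfter == null) {
            return null;
        }
        long delayMs = delayUntil(notAfter, clock).toMillis();
        return scheduler.schedule(disconnect, delayMs, TimeUnit.MILLISECONDS);
    }

    /** Demo with a constructed expiry instant, since building a real X.509 chain inline is impractical. */
    public static void main(String[] args) throws Exception {
        Clock clock = Clock.systemUTC();
        ScheduledExecutorService scheduler = Executors.newSingleThreadScheduledExecutor();
        // Constructed value: pretend the peer chain expires two seconds from now.
        Instant notAfter = clock.instant().plusSeconds(2);
        long delayMs = delayUntil(notAfter, clock).toMillis();
        ScheduledFuture<?> task = scheduler.schedule(
            () -> System.out.println("peer certificate expired; closing connection"),
            delayMs, TimeUnit.MILLISECONDS);
        task.get(); // block until the disconnect runs
        scheduler.shutdown();
    }
}
```

In a broker, `disconnect` would be the same close path used when authentication refresh fails, and the `ScheduledFuture` should be cancelled from the connection's close handler so that a connection the client has already re-established does not keep a stale timer alive.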