[ 
https://issues.apache.org/jira/browse/TINKERPOP-3146?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17948220#comment-17948220
 ] 

ASF GitHub Bot commented on TINKERPOP-3146:
-------------------------------------------

andreachild commented on code in PR #3078:
URL: https://github.com/apache/tinkerpop/pull/3078#discussion_r2066964588


##########
gremlin-server/src/main/java/org/apache/tinkerpop/gremlin/server/AbstractChannelizer.java:
##########
@@ -148,8 +146,32 @@ public void init(final ServerGremlinExecutor 
serverGremlinExecutor) {
         configureSerializers();
 
         // configure ssl if present
-        sslContext = settings.optionalSsl().isPresent() && 
settings.ssl.enabled ?
-                Optional.ofNullable(createSSLContext(settings)) : 
Optional.empty();
+        if (settings.optionalSsl().isPresent() && settings.ssl.enabled) {
+            if (settings.ssl.getSslContext().isPresent()) {
+                logger.info("Using the SslContext override");
+                this.sslContext = settings.ssl.getSslContext();
+            } else {
+                final SSLFactory sslFactory = 
createSSLFactoryBuilder(settings).withSwappableTrustMaterial().withSwappableIdentityMaterial().build();
+                this.sslContext = Optional.of(createSSLContext(sslFactory));
+
+                // Every minute, check if keyStore/trustStore were modified, 
and if they were,
+                // reload the SSLFactory which will reload the underlying 
KeyManager/TrustManager that Netty SSLHandler uses.
+                scheduledExecutorService.scheduleAtFixedRate(
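
Review bot: The task passed to `scheduleAtFixedRate` on the last line of this hunk should catch and log any exception thrown by the reload, because a `ScheduledExecutorService` suppresses all later runs once one execution throws. A keystore or truststore read while it is still being rewritten during rotation is a plausible trigger, and from then on the server would keep serving the old certificate with nothing in the log to show that reloading has stopped. The code comment also hard-codes "Every minute"; if the interval ends up configurable, word the comment in terms of the setting. It is also worth documenting that the `getSslContext()` override branch schedules no reload, so an overridden context is never refreshed.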

Review Comment:
   Suggest to wrap the call to `scheduleAtFixedRate` inside an if check for 
`settings.ssl.refreshInterval <= 0` which would give the option of disabling 
hot reloading (previous behaviour).





> Support SSL Certificates Reloading
> ----------------------------------
>
>                 Key: TINKERPOP-3146
>                 URL: https://issues.apache.org/jira/browse/TINKERPOP-3146
>             Project: TinkerPop
>          Issue Type: New Feature
>          Components: server
>            Reporter: Clément de Groc
>            Priority: Minor
>
> Gremlin Server supports SSL and allows loading KeyStore/TrustStore 
> certificate files on startup 
> ([1|https://github.com/apache/tinkerpop/blob/c4e48dee7a3c3942b4597c7a234adfc94b7d9c76/gremlin-server/src/main/java/org/apache/tinkerpop/gremlin/server/GremlinServer.java#L170],
>  
> [2|https://github.com/apache/tinkerpop/blob/c4e48dee7a3c3942b4597c7a234adfc94b7d9c76/gremlin-server/src/main/java/org/apache/tinkerpop/gremlin/server/AbstractChannelizer.java#L133-L135]).
>  However, in some environments, certificate files are rotated frequently and 
> would need to be reloaded without disruption. This ticket aims to support 
> transparently hot reloading file certificates on modification.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
