Hi gnutls team,

I’m looking for a way to use gnutls for a TLS server in combination with 
Let’s Encrypt. As the validity of those certificates is just a couple of weeks, 
I would like to replace the current server key pair with a new one without 
restarting the server.

The implementation is basically like this:
// create credstore
gnutls_certificate_allocate_credentials(&(ctx->tls_x509_cred));
// load x509 key pair (certificate chain and private key, both PEM)
gtls_returncode = gnutls_certificate_set_x509_key_file(ctx->tls_x509_cred,
    ctx->config->cert_bundle, ctx->config->key_file, GNUTLS_X509_FMT_PEM);
// install signal handler (SIGUSR1 is the trigger for re-reading the key pair)
signal(SIGUSR1, signal_handler);

Once the signal SIGUSR1 arrives, I would like to re-read x509 stuff.

The only solution I have found so far is to free the credstore and allocate a new 
one (then read the new keys). This has some downsides: the server no longer works 
if there is something wrong with the key pair, because I have already freed the 
existing credstore (here ctx->tls_x509_cred). And even if this is the only way 
to proceed: do I need to block any incoming connections in the meantime? How 
long (in the process of the handshake) is blocking required (in other words: do 
I need to track whether there are existing sockets in the handshake phase, or is 
this safe as soon as one handshake attempt for non-blocking sockets has been done)?

Is there any reference code/function for replacing a key pair? I had a look at 
the apache2 module, but it seems this module does not support a certificate 
change on reload.

Any hints are welcome.

Thank you.

Mario
_______________________________________________
Gnutls-help mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnutls-help
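
One way to do the swap without ever freeing a store that a handshake may still be using, as an added example that is not from the original post and not GnuTLS's own code: build the new credentials in isolation, keep the old store if loading fails, publish the new one with a pointer swap, and reference-count each store so that every session pins the one it started with. The cred_store wrapper, the session_begin/session_end and reload_credentials names, and the armour-only PEM check are assumptions made for this example; the PEM strings are constructed placeholders. The comments mark where the real gnutls_certificate_allocate_credentials / gnutls_certificate_set_x509_key_file / gnutls_certificate_free_credentials calls would sit.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed reference-counted wrapper (example code, not part of GnuTLS). In a real server the
 * PEM strings would be a gnutls_certificate_credentials_t from gnutls_certificate_allocate_credentials()
 * filled by gnutls_certificate_set_x509_key_file(); the stand-in keeps the example library-free. */
typedef struct cred_store {
    int refs;             /* 1 for the "current" slot + 1 per session still using it */
    char *cert_pem;
    char *key_pem;
} cred_store;

static cred_store *current_store;   /* the store new handshakes pick up */
static int stores_freed;            /* instrumentation for rotation_scenario() */
static volatile sig_atomic_t reload_requested;

/* The handler only sets a flag: gnutls_*() and malloc() are not async-signal-safe. */
static void on_sigusr1(int sig) { (void)sig; reload_requested = 1; }

static void install_reload_signal(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigusr1;
    sa.sa_flags = SA_RESTART;       /* do not turn accept()/read() into EINTR failures */
    sigaction(SIGUSR1, &sa, NULL);
}

/* Stand-in for the parser: accept only text wrapped in the expected PEM armour. */
static int looks_like_pem(const char *text, const char *label) {
    char begin[64], end[64];
    snprintf(begin, sizeof begin, "-----BEGIN %s-----", label);
    snprintf(end, sizeof end, "-----END %s-----", label);
    return text != NULL && strstr(text, begin) != NULL && strstr(text, end) != NULL;
}

/* Build a new store in isolation; nothing shared is touched. NULL on failure. */
static cred_store *store_load(const char *cert_pem, const char *key_pem) {
    if (!looks_like_pem(cert_pem, "CERTIFICATE") || !looks_like_pem(key_pem, "PRIVATE KEY"))
        return NULL;                /* real code: gnutls_certificate_set_x509_key_file() < 0 */
    cred_store *s = calloc(1, sizeof *s);
    if (!s) return NULL;
    s->cert_pem = strdup(cert_pem);
    s->key_pem = strdup(key_pem);
    s->refs = 1;
    return s;
}

static cred_store *store_ref(cred_store *s) { if (s) s->refs++; return s; }

static void store_unref(cred_store *s) {
    if (!s || --s->refs > 0) return;
    free(s->cert_pem);              /* real code: gnutls_certificate_free_credentials() */
    free(s->key_pem);
    free(s);
    stores_freed++;
}

/* Called from the event loop once reload_requested is set, never from the handler.
 * Returns 1 if the new pair is in service, 0 if it was rejected and the old one kept. */
static int reload_credentials(const char *cert_pem, const char *key_pem) {
    reload_requested = 0;
    cred_store *fresh = store_load(cert_pem, key_pem);
    if (!fresh) return 0;           /* keep serving with the old store */
    cred_store *old = current_store;
    current_store = fresh;          /* handshakes started from now on use `fresh` */
    store_unref(old);               /* freed only once no session still holds it */
    return 1;
}

/* A session pins the store it started with for its whole lifetime (GnuTLS keeps the pointer
 * given to gnutls_credentials_set(), it does not copy the credentials). */
typedef struct { cred_store *creds; } session;
static void session_begin(session *se) { se->creds = store_ref(current_store); }
static void session_end(session *se)   { store_unref(se->creds); se->creds = NULL; }

/* Constructed placeholder PEM blobs: armour only, no real key material. */
static const char CERT_A[] = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n";
static const char CERT_B[] = "-----BEGIN CERTIFICATE-----\nBBBB\n-----END CERTIFICATE-----\n";
static const char KEY_A[]  = "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n";

/* Walks one rotation. Returns 0 on success, otherwise the number of the failed step. */
static int rotation_scenario(void) {
    stores_freed = 0;
    install_reload_signal();
    raise(SIGUSR1);                                      /* operator sends kill -USR1 */
    if (!reload_requested) return 1;
    if (!reload_credentials(CERT_A, KEY_A)) return 2;    /* initial load */
    cred_store *first = current_store;
    session se;
    session_begin(&se);                                  /* handshake in flight */
    if (first->refs != 2) return 3;
    if (!reload_credentials(CERT_B, KEY_A)) return 4;    /* rotate underneath it */
    if (current_store == first || stores_freed != 0) return 5;   /* old store survives */
    if (reload_credentials("garbage", KEY_A)) return 6;  /* bad pair rejected... */
    if (strcmp(current_store->cert_pem, CERT_B) != 0) return 7; /* ...and the good one kept */
    session_end(&se);                                    /* last user gone -> freed */
    if (stores_freed != 1) return 8;
    store_unref(current_store);
    current_store = NULL;
    return stores_freed == 2 ? 0 : 9;
}
```

With this pattern nothing has to be blocked during the swap: sessions that are mid-handshake keep the store they were created with, and new sessions pick up the new one. The reference a session holds is released when the session is torn down (where gnutls_deinit() is called), not when the handshake finishes, because the credentials passed to gnutls_credentials_set() have to stay valid for the whole session. If loading the new pair fails, reload_credentials() returns 0 and the server keeps serving with the previous store, which is the failure mode the free-then-reallocate approach cannot handle.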
