Mario Lombardo writes:
Hi gnutls team,

I’m looking for a way to use gnutls for a TLS server in combination with Let’s Encrypt. As the validity of those certificates is just a couple of weeks, I would like to replace the current server key by new ones without restarting the server.

The implementation is basically like this:

    // create credstore
    gnutls_certificate_allocate_credentials(&(ctx->tls_x509_cred));

    // load x509 key pair
    gtls_returncode = gnutls_certificate_set_x509_key_file(ctx->tls_x509_cred, ctx->config->cert_bundle, ctx->config->key_file, GNUTLS_X509_FMT_PEM);

    // install signal handler
    signal(SIGUSR1, signal_handler);

Once the signal SIGUSR1 arrives, I would like to re-read the x509 stuff.

The only solution I found (yet) is to free the credstore and allocate a new one (then read new keys). This has some downsides, as the server is not working anymore if there is something wrong with the key pair, because I already freed the existing credstore (here ctx->tls_x509_cred). And even
Instead of gnutls_certificate_free_credentials() your old credential store first, and then gnutls_certificate_allocate_credentials() a new one and hope for the best, why don't you try gnutls_certificate_allocate_credentials() first, and if your endeavor succeeds you can free the old one, and replace it with the new one.
You are calling gnutls_certificate_free_credentials() on your old credential store first, right? Because if all you do is what's shown above, then you must be leaking memory.
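As an added example (not code from either poster), here is the allocate-first-then-swap approach the reply proposes, written against a hypothetical `cred_ops` stand-in so it compiles without libgnutls; the comments name the gnutls functions from the thread that each slot maps to. It also keeps the SIGUSR1 handler down to setting a flag, because the reload itself (file I/O, allocation) is not safe to run inside a signal handler, and it notes that sessions already bound to the old store still reference it.

```c
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a gnutls credential store so this compiles without
 * libgnutls; with gnutls, alloc/load/release are gnutls_certificate_allocate_credentials(),
 * gnutls_certificate_set_x509_key_file(..., GNUTLS_X509_FMT_PEM) and
 * gnutls_certificate_free_credentials(). */
struct cred_ops {
    int  (*alloc)(void **store);
    int  (*load)(void *store, const char *cert_bundle, const char *key_file);
    void (*release)(void *store);
};
struct server_ctx {
    const struct cred_ops *ops;
    void *tls_cred;                       /* store handed to every new session */
    const char *cert_bundle, *key_file;
};
/* The handler only sets a flag (async-signal-safe); the accept loop polls it and
 * calls reload_credentials() itself. Install with sigaction(SIGUSR1, ...). */
volatile sig_atomic_t reload_requested = 0;
void on_sigusr1(int sig) { (void)sig; reload_requested = 1; }
/* Build the replacement first and release the live store only once the new one
 * loaded cleanly, so a bad key pair leaves the server serving with the old keys. */
int reload_credentials(struct server_ctx *ctx) {
    void *fresh = NULL;
    if (ctx->ops->alloc(&fresh) != 0 ||
        ctx->ops->load(fresh, ctx->cert_bundle, ctx->key_file) != 0) {
        if (fresh) ctx->ops->release(fresh);  /* discard the broken candidate */
        return -1;
    }
    void *old = ctx->tls_cred;
    ctx->tls_cred = fresh;                    /* new handshakes get the new keys */
    /* Sessions that took `old` via gnutls_credentials_set() still reference it;
     * in a threaded server defer this release (e.g. refcount) until they finish. */
    if (old) ctx->ops->release(old);
    return 0;
}
/* Constructed in-memory stand-in: loading fails unless the key path ends in
 * ".pem", mimicking gnutls rejecting an unreadable or malformed key file. */
struct fake_store { char key[64]; };
static int fake_alloc(void **s) { return (*s = calloc(1, sizeof(struct fake_store))) ? 0 : -1; }
static int fake_load(void *s, const char *cert, const char *key) {
    struct fake_store *fs = s; size_t n = strlen(key); (void)cert;
    if (n < 4 || strcmp(key + n - 4, ".pem") != 0) return -1;
    snprintf(fs->key, sizeof fs->key, "%s", key);
    return 0;
}
static void fake_release(void *s) { free(s); }
const struct cred_ops fake_ops = { fake_alloc, fake_load, fake_release };
```

With a real gnutls build, `fake_ops` is replaced by thin wrappers around the three gnutls calls named in the comment, and `ctx->tls_cred` is what each new session receives through gnutls_credentials_set().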
_______________________________________________ Gnutls-help mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnutls-help
