ppkarwasz commented on PR #2767: URL: https://github.com/apache/logging-log4j2/pull/2767#issuecomment-2253286295
Reloading the cryptographic material alone does not solve the problem in [LOG4J2-2988](https://issues.apache.org/jira/browse/LOG4J2-2988): `SocketAppender` will not close a TLS socket if the `SslConfiguration` changes, even after a reconfiguration event. In fact, two `SocketAppender`s that use the same host and port will share the same `SocketManager`. In order to establish a new TLS socket, we must:

1. Include some characteristic of `SslConfiguration` in the **name** of the `SocketManager` (e.g. the issuer and serial number of the client certificate),
2. Reload the TLS socket. The easiest way to do it is to trigger a Log4j Core reconfiguration.

> 1. Add the `reloadInterval` property (of type `Duration`) to `SslConfiguration`

I would have used `monitorInterval` if there was a way to check the last modification time of a `KeyStore`. However, key stores are not necessarily file-based, so `reloadInterval` sounds good to me.

> 2. Use `Configuration#getScheduler().schedule()` periodically update `SslConfiguration#sslContext`

I think the scheduler could just call `LoggerContext.reconfigure()` if the serial number of the certificate in the `KeyStore` changed.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
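The following is an added illustration of the two points made in the comment above; it is not code from the pull request, from the Log4j project, or from the commenter. It uses only the JDK: it derives a certificate identity (issuer plus serial number) from the client key entry of a `KeyStore`, mixes that identity into a manager name so that a changed certificate yields a different manager, and polls the key store on a `reloadInterval`, invoking a caller-supplied `reconfigure` callback only when the serial number actually changed. The class and method names (`ClientCertWatcher`, `certificateIdentity`, `managerName`, `checkOnce`) are hypothetical, the example assumes a file-based key store for simplicity (the comment notes that key stores need not be), and the callback is where a real integration would call `LoggerContext.reconfigure()`.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.util.Enumeration;
import java.util.Objects;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;

/**
 * Hypothetical helper (added example, not Log4j code): watches the client
 * certificate in a key store and requests a reconfiguration when it changes.
 */
public final class ClientCertWatcher {

    /** Issuer DN and hex serial of the first X.509 certificate backed by a private key. */
    public static String certificateIdentity(KeyStore store) throws GeneralSecurityException {
        Enumeration<String> aliases = store.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (!store.isKeyEntry(alias)) {
                continue; // trusted-certificate entries are not the client identity
            }
            Certificate cert = store.getCertificate(alias);
            if (cert instanceof X509Certificate) {
                X509Certificate x509 = (X509Certificate) cert;
                return x509.getIssuerX500Principal().getName()
                        + "#" + x509.getSerialNumber().toString(16);
            }
        }
        throw new GeneralSecurityException("no X.509 key entry found in key store");
    }

    /** Loads a file-based key store (assumption: the store lives on disk). */
    public static KeyStore load(Path path, String type, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore store = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(path)) {
            store.load(in, password);
        }
        return store;
    }

    /**
     * Manager name that includes the certificate identity, so two appenders
     * with the same host and port but a different client certificate no
     * longer resolve to the same shared manager.
     */
    public static String managerName(String host, int port, String certIdentity) {
        return "TLS:" + host + ":" + port + ":" + certIdentity;
    }

    private final Path keyStorePath;
    private final String type;
    private final char[] password;
    private final Runnable reconfigure;
    private volatile String lastIdentity;

    public ClientCertWatcher(Path keyStorePath, String type, char[] password, Runnable reconfigure)
            throws IOException, GeneralSecurityException {
        this.keyStorePath = keyStorePath;
        this.type = type;
        this.password = password.clone();
        this.reconfigure = reconfigure;
        this.lastIdentity = currentIdentity();
    }

    private String currentIdentity() throws IOException, GeneralSecurityException {
        return certificateIdentity(load(keyStorePath, type, password));
    }

    /** One poll; returns true when the certificate changed and reconfiguration was requested. */
    public boolean checkOnce() {
        try {
            String now = currentIdentity();
            if (!Objects.equals(now, lastIdentity)) {
                lastIdentity = now;
                reconfigure.run();
                return true;
            }
        } catch (IOException | GeneralSecurityException e) {
            // A transient read failure (for example a half-written file during
            // rotation) must not tear down logging; simply retry on the next tick.
        }
        return false;
    }

    /** Schedules checkOnce() every reloadInterval on a daemon thread. */
    public ScheduledExecutorService start(Duration reloadInterval) {
        ScheduledExecutorService exec = Executors.newSingleThreadScheduledExecutor(r -> {
            Thread t = new Thread(r, "ssl-keystore-watcher");
            t.setDaemon(true);
            return t;
        });
        long delayMs = reloadInterval.toMillis();
        exec.scheduleWithFixedDelay(this::checkOnce, delayMs, delayMs, TimeUnit.MILLISECONDS);
        return exec;
    }
}
```

Usage would be along the lines of `new ClientCertWatcher(Path.of("client.p12"), "PKCS12", pwd, () -> LoggerContext.getContext(false).reconfigure()).start(Duration.ofMinutes(5))`; the key design point is that the watcher compares identities rather than blindly reconfiguring on every tick, so an unchanged key store never causes needless socket churn, while a rotated client certificate produces both a new manager name and a fresh TLS connection through the reconfiguration.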
