maulin-vasavada commented on a change in pull request #1027:
URL: https://github.com/apache/cassandra/pull/1027#discussion_r706315954
##########
File path: src/java/org/apache/cassandra/security/SSLFactory.java
##########
@@ -351,21 +182,58 @@ public static void
checkCertFilesForHotReloading(EncryptionOptions.ServerEncrypt
if (!isHotReloadingInitialized)
throw new IllegalStateException("Hot reloading functionality has
not been initialized.");
- logger.debug("Checking whether certificates have been updated {}",
hotReloadableFiles);
+ logger.debug("Checking whether certificates have been updated for
server {} and client {}",
+
serverOpts.sslContextFactoryInstance.getClass().getName(),
clientOpts.sslContextFactoryInstance.getClass().getName());
- if
(hotReloadableFiles.stream().anyMatch(HotReloadableFile::shouldReload))
+ if (serverOpts != null)
{
- logger.info("SSL certificates have been updated. Reseting the ssl
contexts for new connections.");
- try
+ checkCertFilesForHotReloading(serverOpts,
"server_encryption_options", true);
+ }
+ if (clientOpts != null)
+ {
+ checkCertFilesForHotReloading(clientOpts,
"client_encryption_options", clientOpts.require_client_auth);
+ }
+ }
+
+ private static void checkCertFilesForHotReloading(EncryptionOptions
options, String contextDescription,
+ boolean
verifyPeerCertificate)
+ {
+ try
+ {
+ if (options.sslContextFactoryInstance.shouldReload())
{
- validateSslCerts(serverOpts, clientOpts);
- cachedSslContexts.clear();
+ logger.info("SSL certificates have been updated for {}.
Resetting the ssl contexts for new " +
+ "connections.", options.getClass().getName());
+ validateSslContext(contextDescription, options,
verifyPeerCertificate, false);
+ clearSslContextCache(options);
}
- catch(Exception e)
+ }
+ catch(Exception e)
+ {
+ logger.error("Failed to hot reload the SSL Certificates! Please
check the certificate files.", e);
+ }
+ }
+
+ /**
+ * This clears the cache of Netty's SslContext objects for Client and
Server sockets. This is made publically
+ * available so that any {@link ISslContextFactory}'s implementation can
call this to handle any special scenario
+ * to invalidate the SslContext cache.
+ * This should be used with caution since the purpose of this cache is
save costly creation of Netty's SslContext
+ * objects and this essentially results in re-creating it.
+ */
+ public static void clearSslContextCache()
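Review bot: The new debug statement at the top of the hunk dereferences `serverOpts.sslContextFactoryInstance` and `clientOpts.sslContextFactoryInstance` before the `if (serverOpts != null)` and `if (clientOpts != null)` guards that follow it. A null options object therefore throws a NullPointerException from the logging arguments, which are evaluated even when debug logging is off, and neither reload check runs. If this method is driven by a periodic task (the caller is not visible here, so this needs confirming), the uncaught exception may also stop later checks and leave rotated certificates unapplied. Move the lookup into the private helper instead, for example `logger.debug("Checking whether certificates have been updated for {}", contextDescription);` as the first statement inside its `try`. The helper's info message would also identify the context better with `contextDescription` than with `options.getClass().getName()`; note that the body of `clearSslContextCache()` lies outside the quoted hunk.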
Review comment:
@jonmeredith I made the last round of changes for the SSLFactory based
on our prior conversations. Please review when you get a chance.