Re: [openssl-users] Reload certificates?

2016-05-18 Thread Jakob Bohm

On 18/05/2016 20:00, Jordan Brown wrote:

On 5/18/2016 10:51 AM, Salz, Rich wrote:

Would it be reasonable to have OpenSSL watch the metadata on the file or 
directory and, on change, discard cached certificates and, for a file, reload 
the file?

Unlikely to happen :)


Are you saying that because nobody is interested in doing the 
development work, or because there's some reason why it would be a bad 
idea?



I am guessing this is because watching for file system
metadata changes is very OS specific and far outside the
small subset of OS functionality already abstracted by
the OS portability layers inside OpenSSL.

Perhaps a simpler solution would be if certificates
cached from the "CApath" mechanism would not be reused
beyond a time limit of e.g. 12 hours.

Similarly, for any self-loading mechanism, cached CRLs
should be reloaded at the earlier of e.g. 12 hours and
their "Not After" time.

Of cause mechanisms that load all the data (CAs, CRLs
etc.) at program startup cannot do reloads because that
would fail when chroot or other security mechanisms
disable the relevant access permission shortly after
program startup (to prevent a security-compromised
process from accessing / changing data it is not
supposed to change during normal operations).

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Reload certificates?

2016-05-18 Thread Richard Könning

On 18.05.2016 19:51, Salz, Rich wrote:

Is there something I'm missing?

Nope.


From the description of SSL_CTX_load_verify_locations i would have 
expected that certificates loaded via the CApath mechanism are loaded 
anew for every verification process. If this is not the case an 
appropriate note in that description would be very nice.

Ciao,
Richard
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Reload certificates?

2016-05-18 Thread Jordan Brown
On 5/18/2016 10:51 AM, Salz, Rich wrote:
>> Would it be reasonable to have OpenSSL watch the metadata on the file or 
>> directory and, on change, discard cached certificates and, for a file, 
>> reload the file?
> Unlikely to happen :)

Are you saying that because nobody is interested in doing the
development work, or because there's some reason why it would be a bad idea?

-- 
Jordan Brown, Oracle Solaris

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Reload certificates?

2016-05-18 Thread Jordan Brown
On 5/18/2016 10:52 AM, Scott Neugroschl wrote:
>
> I believe that’s specific to the servers in question.  Often you can
> “restart” a server by giving it a SIGHUP.  I don’t know if slapd and
> slurpd will respond in the way you want.
>

I'm thinking more of long-running client applications.

Because the various software stacks with OpenSSL at their base can be
loaded into any number of client applications, it would be best if we
didn't have to track down all of the consumers and notify them that they
needed to recreate their SSL contexts.

(Plus there's the difficulty of getting those various consumers, some of
which may be externally-sourced software, to accept such a request.)

>  
>
> *From:*openssl-users [mailto:openssl-users-boun...@openssl.org] *On
> Behalf Of *Jordan Brown
> *Sent:* Wednesday, May 18, 2016 10:44 AM
> *To:* openssl-users@openssl.org
> *Subject:* [openssl-users] Reload certificates?
>
>  
>
> We have OpenSSL consumers (primarily but not exclusively OpenLDAP). 
> Some of them are long-running processes.
>
> We'd like to be able to update the list of trusted certificates and
> have the changes take effect, without needing to restart those
> long-running processes and preferably without needing to interact with
> them in any way.
>
> It *looks* like the "file" style of certificate store is loaded once
> only, at the time it's specified, and never reloaded again for the
> life of a particular SSL context.  Similarly, it looks like in the
> "directory" style of certificate store once a particular certificate
> has been loaded, it's never unloaded, even if the underlying file is
> deleted.  It looks like the only way to see changes (and especially
> deletions) is to create a new SSL context.  In addition to the
> difficulty of getting middleware to do that, it seems like the
> middleware would need to either watch the files and directories on its
> own, or always create new SSL contexts for new connections, or
> something else similarly intrusive.
>
> Is there something I'm missing?
>
> Would it be reasonable to have OpenSSL watch the metadata on the file
> or directory and, on change, discard cached certificates and, for a
> file, reload the file?
>
> -- 
>
> Jordan Brown, Oracle Solaris
>
>  
>
>
>

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Reload certificates?

2016-05-18 Thread Scott Neugroschl
I believe that's specific to the servers in question.  Often you can "restart" 
a server by giving it a SIGHUP.  I don't know if slapd and slurpd will respond 
in the way you want.


From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
Jordan Brown
Sent: Wednesday, May 18, 2016 10:44 AM
To: openssl-users@openssl.org
Subject: [openssl-users] Reload certificates?


We have OpenSSL consumers (primarily but not exclusively OpenLDAP).  Some of 
them are long-running processes.

We'd like to be able to update the list of trusted certificates and have the 
changes take effect, without needing to restart those long-running processes 
and preferably without needing to interact with them in any way.

It *looks* like the "file" style of certificate store is loaded once only, at 
the time it's specified, and never reloaded again for the life of a particular 
SSL context.  Similarly, it looks like in the "directory" style of certificate 
store once a particular certificate has been loaded, it's never unloaded, even 
if the underlying file is deleted.  It looks like the only way to see changes 
(and especially deletions) is to create a new SSL context.  In addition to the 
difficulty of getting middleware to do that, it seems like the middleware would 
need to either watch the files and directories on its own, or always create new 
SSL contexts for new connections, or something else similarly intrusive.

Is there something I'm missing?

Would it be reasonable to have OpenSSL watch the metadata on the file or 
directory and, on change, discard cached certificates and, for a file, reload 
the file?

--

Jordan Brown, Oracle Solaris


-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Reload certificates?

2016-05-18 Thread Salz, Rich
> Is there something I'm missing?

Nope.

> Would it be reasonable to have OpenSSL watch the metadata on the file or 
> directory and, on change, discard cached certificates and, for a file, reload 
> the file?

Unlikely to happen :)
-- 
Jordan Brown, Oracle Solaris

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


[openssl-users] Reload certificates?

2016-05-18 Thread Jordan Brown
We have OpenSSL consumers (primarily but not exclusively OpenLDAP). 
Some of them are long-running processes.

We'd like to be able to update the list of trusted certificates and have
the changes take effect, without needing to restart those long-running
processes and preferably without needing to interact with them in any way.

It *looks* like the "file" style of certificate store is loaded once
only, at the time it's specified, and never reloaded again for the life
of a particular SSL context.  Similarly, it looks like in the
"directory" style of certificate store once a particular certificate has
been loaded, it's never unloaded, even if the underlying file is
deleted.  It looks like the only way to see changes (and especially
deletions) is to create a new SSL context.  In addition to the
difficulty of getting middleware to do that, it seems like the
middleware would need to either watch the files and directories on its
own, or always create new SSL contexts for new connections, or something
else similarly intrusive.

Is there something I'm missing?

Would it be reasonable to have OpenSSL watch the metadata on the file or
directory and, on change, discard cached certificates and, for a file,
reload the file?

-- 

Jordan Brown, Oracle Solaris


-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users