[gnutls-help] TLS-Server with Let’s Encrypt

Sam Varshavchik mrsam at courier-mta.com
Thu Aug 2 23:14:46 CEST 2018


Mario Lombardo writes:

> Hi gnutls team,
>
> I’m looking for a way to use gnutls for a TLS server in combination with
> Let’s Encrypt. As the validity of those certificates is just a couple of
> weeks, I would like to replace the current server key with new ones without
> restarting the server.
>
> The implementation is basically like this:
> // create credstore
> gnutls_certificate_allocate_credentials(&(ctx->tls_x509_cred));
> // load x509 key pair
> gtls_returncode = gnutls_certificate_set_x509_key_file(ctx->tls_x509_cred,  
> ctx->config->cert_bundle, ctx->config->key_file, GNUTLS_X509_FMT_PEM);
> // install signal handler
> signal(SIGUSR1, signal_handler);
>
> Once the signal SIGUSR1 arrives, I would like to re-read x509 stuff.
>
> The only solution I have found so far is to free the credstore and allocate a new
> one (then read the new keys). This has some downsides, as the server is no
> longer working if there is something wrong with the key pair, because I
> already freed the existing credstore (here ctx->tls_x509_cred). And even

Instead of calling gnutls_certificate_free_credentials() on your old credential
store first, then gnutls_certificate_allocate_credentials() a new one and hoping
for the best, why don't you try gnutls_certificate_allocate_credentials()
first, and if your endeavor succeeds you can free the old one and replace
it with the new one.

You are calling gnutls_certificate_free_credentials() on your old credential
store first, right? Because if all you do is what's shown above, then
you must be leaking memory.
