[gnutls-help] TLS-Server with Let’s Encrypt
Sam Varshavchik
mrsam at courier-mta.com
Thu Aug 2 23:14:46 CEST 2018
Mario Lombardo writes:
> Hi gnutls team,
>
> I'm looking for a way to use gnutls for a TLS server in combination with
> Let's Encrypt. As the validity of those certificates is just a couple of
> weeks, I would like to replace the current server key with new ones without
> restarting the server.
>
> The implementation is basically like this:
> // create credstore
> gnutls_certificate_allocate_credentials(&(ctx->tls_x509_cred));
> // load x509 key pair
> gtls_returncode = gnutls_certificate_set_x509_key_file(ctx->tls_x509_cred,
> ctx->config->cert_bundle, ctx->config->key_file, GNUTLS_X509_FMT_PEM);
> // install signal handler
> signal(SIGUSR1, signal_handler);
>
> Once the signal SIGUSR1 arrives, I would like to re-read x509 stuff.
>
> The only solution I found (yet) is to free the credstore and allocate a new
> one (then read new keys). This has some downsides, as the server is not
> working anymore if there is something wrong with the key pair, because I
> already freed the existing credstore (here ctx->tls_x509_cred). And even
Instead of calling gnutls_certificate_free_credentials() on your old credential
store first, and then gnutls_certificate_allocate_credentials() for a new one
and hoping for the best, why don't you try
gnutls_certificate_allocate_credentials() first, and if your endeavor succeeds
you can free the old one and replace it with the new one.

You are calling gnutls_certificate_free_credentials() on your old credential
store first, right? Because if all you do is what's shown above, then you must
be leaking memory.
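The reload order the reply recommends, written out as an added example (this is not GnuTLS code and not code from either poster): allocate and load the new store first, swap it in only on success, and free the superseded store only once no session still references it. The three library calls are represented by the `cred_ops` hooks so the logic can run without a real key pair on disk; `server_ctx`, `credstore`, the fake loader and the file names are constructed for the example. With GnuTLS the hooks would wrap gnutls_certificate_allocate_credentials(), gnutls_certificate_set_x509_key_file() and gnutls_certificate_free_credentials(), and session_begin() marks the point where gnutls_credentials_set() hands the store to a session.

```c
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hooks standing in for the GnuTLS calls; like GnuTLS, they return < 0 on error. */
struct cred_ops {
    int  (*alloc)(void **handle);                                       /* allocate_credentials */
    int  (*load)(void *handle, const char *cert_file, const char *key_file); /* set_x509_key_file */
    void (*free)(void *handle);                                         /* free_credentials */
};

/* A store plus a reference count: the server holds one reference and every
 * live session that was given the store holds another, so an old store is
 * freed only after the last session using it has ended (single-threaded loop). */
struct credstore { void *handle; unsigned refs; const struct cred_ops *ops; };

struct server_ctx {
    const struct cred_ops *ops;
    struct credstore *cred;               /* store handed to new sessions */
    unsigned reloads_ok, reloads_failed;
};

static void credstore_release(struct credstore *cs) {
    if (cs && --cs->refs == 0) { cs->ops->free(cs->handle); free(cs); }
}

/* Build a fresh store; NULL on any failure. The caller's current store is untouched. */
static struct credstore *credstore_create(const struct cred_ops *ops,
                                          const char *cert, const char *key) {
    struct credstore *cs = calloc(1, sizeof *cs);
    if (!cs) return NULL;
    cs->ops = ops;
    cs->refs = 1;                                     /* the server's reference */
    if (ops->alloc(&cs->handle) < 0) { free(cs); return NULL; }
    if (ops->load(cs->handle, cert, key) < 0) { ops->free(cs->handle); free(cs); return NULL; }
    return cs;
}

/* Allocate + load first; swap and drop the old store only if that succeeded.
 * On failure the server keeps serving with the previous key pair. Returns 0 or -1. */
int server_reload_credentials(struct server_ctx *ctx, const char *cert, const char *key) {
    struct credstore *fresh = credstore_create(ctx->ops, cert, key);
    if (!fresh) { ctx->reloads_failed++; return -1; }
    struct credstore *old = ctx->cred;
    ctx->cred = fresh;
    credstore_release(old);               /* freed now only if no session still uses it */
    ctx->reloads_ok++;
    return 0;
}

/* A session pins whichever store is current when it starts. */
struct credstore *session_begin(struct server_ctx *ctx) { ctx->cred->refs++; return ctx->cred; }
void session_end(struct credstore *cs) { credstore_release(cs); }

/* The handler only records the request: file I/O, malloc and library calls are
 * not async-signal-safe, so the reload itself runs from the event loop. */
static volatile sig_atomic_t reload_requested = 0;
static void on_sigusr1(int sig) { (void)sig; reload_requested = 1; }
void server_install_signal(void) { signal(SIGUSR1, on_sigusr1); }

/* Call between events; returns 1 if nothing was requested, else the reload result. */
int server_poll_reload(struct server_ctx *ctx, const char *cert, const char *key) {
    if (!reload_requested) return 1;
    reload_requested = 0;
    return server_reload_credentials(ctx, cert, key);
}

struct server_ctx *server_new(const struct cred_ops *ops, const char *cert, const char *key) {
    struct server_ctx *ctx = calloc(1, sizeof *ctx);
    if (!ctx) return NULL;
    ctx->ops = ops;
    ctx->cred = credstore_create(ops, cert, key);
    if (!ctx->cred) { free(ctx); return NULL; }
    return ctx;
}

/* Constructed stand-in loader: "loads" only key files ending in ".pem", so the
 * failure path can be exercised without touching the disk. */
static int fake_frees = 0;
static int fake_alloc(void **h) { *h = malloc(1); return *h ? 0 : -1; }
static int fake_load(void *h, const char *cert, const char *key) {
    (void)h; (void)cert;
    size_t n = strlen(key);
    return (n >= 4 && strcmp(key + n - 4, ".pem") == 0) ? 0 : -1;
}
static void fake_free(void *h) { free(h); fake_frees++; }
const struct cred_ops fake_ops = { fake_alloc, fake_load, fake_free };
int fake_free_count(void) { return fake_frees; }

int main(void) {
    struct server_ctx *srv = server_new(&fake_ops, "fullchain.pem", "privkey.pem");
    server_install_signal();
    raise(SIGUSR1);
    printf("reload after SIGUSR1: %d\n", server_poll_reload(srv, "fullchain.pem", "privkey.pem"));
    printf("reload with bad key : %d\n", server_reload_credentials(srv, "fullchain.pem", "privkey.bad"));
    return 0;
}
```

The reference count is what makes the "free the old one" step safe: a session that started before the swap still points at the old store, so freeing it immediately would leave that session using released memory. With a single-threaded event loop a plain counter is enough; a multi-threaded server would need an atomic or a lock around it.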