[gnutls-help] TLS-Server with Let’s Encrypt

Mario Lombardo ml at tocario.com
Fri Aug 3 12:14:36 CEST 2018


Hi Sam,

thank you for your message. What about the existing sessions (gnutls_session_t)? Can I call gnutls_credentials_clear() once the handshake is finished and keep the connection for this session established? I believe it is not safe to gnutls_certificate_free_credentials() as long as there are sessions bound to this store, is it?

Or is there any other best practice? Can I set other credentials on an existing session (after handshake)?

Thanks in advance.

Mario

> On 2. Aug 2018, at 23:14, Sam Varshavchik <mrsam at courier-mta.com> wrote:
> 
> Mario Lombardo writes:
> 
>> Hi gnutls team,
>> 
>> I’m looking for a way to use gnutls for a TLS server in combination with Let’s Encrypt. As the validity of those certificates is just a couple of weeks, I would like to replace the current server key with new ones without restarting the server.
>> 
>> The implementation is basically like this:
>> // create credstore
>> gnutls_certificate_allocate_credentials(&(ctx->tls_x509_cred));
>> // load x509 key pair
>> gtls_returncode = gnutls_certificate_set_x509_key_file(ctx->tls_x509_cred, ctx->config->cert_bundle, ctx->config->key_file, GNUTLS_X509_FMT_PEM);
>> // install signal handler
>> signal(SIGUSR1, signal_handler);
>> 
>> Once the signal SIGUSR1 arrives, I would like to re-read x509 stuff.
>> 
>> The only solution I found (yet) is to free the credstore and allocate a new one (then read new keys). This has some downsides, as the server is not working anymore if there is something wrong with the key pair, because I already freed the existing credstore (here ctx->tls_x509_cred). And even
> 
> Instead of gnutls_certificate_free_credentials() your old credential store first, and then gnutls_certificate_allocate_credentials() a new one and hoping for the best, why don't you try gnutls_certificate_allocate_credentials() first, and if your endeavor succeeds you can free the old one and replace it with the new one.
> 
> You are gnutls_certificate_free_credentials() your old credential store first, right? Because if all you do is what's shown above, then you must be leaking memory.
> 
> 
> 
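As an added example (not code from this thread or from the gnutls project), here is one way to do the reload Mario describes so that a bad renewal never leaves the server without credentials, and an old store is freed only after the last session that was handshaked with it has closed. The refcounted wrapper, the server_reload/session_open/session_close names, the struct server bookkeeping and the placeholder file paths are all assumptions of mine; the example also assumes the conservative rule that a credential store must stay valid for as long as any session that used it exists. Compile with -DHAVE_GNUTLS and -lgnutls to get the real gnutls calls; without that define the loader only checks that both files are readable, as a stand-in for the PEM parsing gnutls_certificate_set_x509_key_file performs.

```c
#include <stdio.h>
#include <stdlib.h>

#ifdef HAVE_GNUTLS            /* build with -DHAVE_GNUTLS -lgnutls for the real calls */
#include <gnutls/gnutls.h>
#endif

/* One certificate/key store plus a reference count.  The server's "current"
 * pointer owns one reference and every live session handshaked against the
 * store owns another, so the gnutls credentials inside are freed only after
 * the server has moved on AND the last such session has closed. */
struct cred_store {
    int refs;
#ifdef HAVE_GNUTLS
    gnutls_certificate_credentials_t cred;
#endif
};

struct server {
    struct cred_store *current;   /* store handed to newly accepted sessions */
    int reloads_ok;
    int reloads_failed;
};

static void cred_store_ref(struct cred_store *s) { s->refs++; }

static void cred_store_unref(struct cred_store *s)
{
    if (s == NULL || --s->refs > 0)
        return;
#ifdef HAVE_GNUTLS
    gnutls_certificate_free_credentials(s->cred);
#endif
    free(s);
}

/* Build a complete, valid store from disk without touching the one in use.
 * A broken renewal therefore leaves the server on the old certificate
 * instead of on no certificate at all.  Returns NULL on any error. */
static struct cred_store *cred_store_load(const char *cert_file, const char *key_file)
{
    struct cred_store *s = calloc(1, sizeof *s);
    if (s == NULL)
        return NULL;
#ifdef HAVE_GNUTLS
    if (gnutls_certificate_allocate_credentials(&s->cred) < 0) {
        free(s);
        return NULL;
    }
    if (gnutls_certificate_set_x509_key_file(s->cred, cert_file, key_file,
                                             GNUTLS_X509_FMT_PEM) < 0) {
        gnutls_certificate_free_credentials(s->cred);
        free(s);
        return NULL;
    }
#else
    /* Stand-in for the gnutls parse (an assumption of this example): the only
     * failure modelled here is an unreadable certificate or key file. */
    FILE *c = fopen(cert_file, "r"), *k = fopen(key_file, "r");
    int ok = (c != NULL && k != NULL);
    if (c) fclose(c);
    if (k) fclose(k);
    if (!ok) {
        free(s);
        return NULL;
    }
#endif
    s->refs = 1;                  /* the reference owned by server->current */
    return s;
}

/* Called from the main loop after the SIGUSR1 handler has set a flag.
 * Order matters: load first, swap the pointer second, drop the server's
 * reference to the old store last.  Returns 0 on success, -1 if the old
 * store was kept because the new files could not be loaded. */
int server_reload(struct server *srv, const char *cert_file, const char *key_file)
{
    struct cred_store *fresh = cred_store_load(cert_file, key_file);
    if (fresh == NULL) {
        srv->reloads_failed++;
        return -1;                /* old store untouched, still serving */
    }
    struct cred_store *old = srv->current;
    srv->current = fresh;
    cred_store_unref(old);        /* freed now only if no session still pins it */
    srv->reloads_ok++;
    return 0;
}

/* A session pins the store it was handshaked against for its whole lifetime;
 * with gnutls this is where gnutls_credentials_set(session,
 * GNUTLS_CRD_CERTIFICATE, s->cred) would be called. */
struct cred_store *session_open(struct server *srv)
{
    struct cred_store *s = srv->current;
    cred_store_ref(s);
    return s;
}

void session_close(struct cred_store *s)
{
    cred_store_unref(s);
}

int main(int argc, char **argv)
{
    /* placeholder paths; pass the real fullchain and key as arguments */
    const char *cert = argc > 2 ? argv[1] : "fullchain.pem";
    const char *key  = argc > 2 ? argv[2] : "privkey.pem";
    struct server srv = {0};
    srv.current = cred_store_load(cert, key);
    if (srv.current == NULL) {
        fprintf(stderr, "initial load failed\n");
        return 1;
    }
    struct cred_store *sess = session_open(&srv);
    printf("reload: %s\n", server_reload(&srv, cert, key) == 0 ? "ok" : "failed, old store kept");
    session_close(sess);
    cred_store_unref(srv.current);
    return 0;
}
```

The signal handler itself should only set a volatile flag that the accept loop checks; allocating credentials and reading files from inside the handler is not async-signal-safe. With this structure gnutls_certificate_free_credentials() is never reached while a session still references the store, which is the situation Mario asks about.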



