Implement support for reloading SSL certificates without a restart

refs #5450
2017-08-30 13:33:38 +02:00 · 2017-08-30 13:33:38 +02:00 · 192502f9e5
parent 0ec07bce51
commit 192502f9e5
3 changed files with 16 additions and 11 deletions
--- a/lib/remote/apilistener.cpp
+++ b/lib/remote/apilistener.cpp
@ -81,8 +81,15 @@ void ApiListener::OnConfigLoaded(void)
 	Log(LogInformation, "ApiListener")
 	    << "My API identity: " << GetIdentity();

+	UpdateSSLContext();
+}
+
+void ApiListener::UpdateSSLContext(void)
+{
+	boost::shared_ptr<SSL_CTX> context;
+
 	try {
-		m_SSLContext = MakeSSLContext(GetCertPath(), GetKeyPath(), GetCaPath());
+		context = MakeSSLContext(GetCertPath(), GetKeyPath(), GetCaPath());
 	} catch (const std::exception&) {
 		BOOST_THROW_EXCEPTION(ScriptError("Cannot make SSL context for cert path: '"
 		    + GetCertPath() + "' key path: '" + GetKeyPath() + "' ca path: '" + GetCaPath() + "'.", GetDebugInfo()));
@ -90,7 +97,7 @@ void ApiListener::OnConfigLoaded(void)

 	if (!GetCrlPath().IsEmpty()) {
 		try {
-			AddCRLToSSLContext(m_SSLContext, GetCrlPath());
+			AddCRLToSSLContext(context, GetCrlPath());
 		} catch (const std::exception&) {
 			BOOST_THROW_EXCEPTION(ScriptError("Cannot add certificate revocation list to SSL context for crl path: '"
 			    + GetCrlPath() + "'.", GetDebugInfo()));
@ -99,7 +106,7 @@ void ApiListener::OnConfigLoaded(void)

 	if (!GetCipherList().IsEmpty()) {
 		try {
-			SetCipherListToSSLContext(m_SSLContext, GetCipherList());
+			SetCipherListToSSLContext(context, GetCipherList());
 		} catch (const std::exception&) {
 			BOOST_THROW_EXCEPTION(ScriptError("Cannot set cipher list to SSL context for cipher list: '"
 			    + GetCipherList() + "'.", GetDebugInfo()));
@ -108,11 +115,13 @@ void ApiListener::OnConfigLoaded(void)

 	if (!GetTlsProtocolmin().IsEmpty()){
 		try {
-			SetTlsProtocolminToSSLContext(m_SSLContext, GetTlsProtocolmin());
+			SetTlsProtocolminToSSLContext(context, GetTlsProtocolmin());
 		} catch (const std::exception&) {
 			BOOST_THROW_EXCEPTION(ScriptError("Cannot set minimum TLS protocol version to SSL context with tls_protocolmin: '" + GetTlsProtocolmin() + "'.", GetDebugInfo()));
 		}
 	}
+
+	m_SSLContext = context;
 }

 void ApiListener::OnAllConfigLoaded(void)
@ -184,11 +193,6 @@ ApiListener::Ptr ApiListener::GetInstance(void)
 	return m_Instance;
 }

-boost::shared_ptr<SSL_CTX> ApiListener::GetSSLContext(void) const
-{
-	return m_SSLContext;
-}
-
 Endpoint::Ptr ApiListener::GetMaster(void) const
 {
 	Zone::Ptr zone = Zone::GetLocalZone();
--- a/lib/remote/apilistener.hpp
+++ b/lib/remote/apilistener.hpp
@ -61,7 +61,7 @@ public:

 	static ApiListener::Ptr GetInstance(void);

-	boost::shared_ptr<SSL_CTX> GetSSLContext(void) const;
+	void UpdateSSLContext(void);

 	Endpoint::Ptr GetMaster(void) const;
 	bool IsMaster(void) const;
--- a/lib/remote/jsonrpcconnection-pki.cpp
+++ b/lib/remote/jsonrpcconnection-pki.cpp
@ -222,5 +222,6 @@ void JsonRpcConnection::CertificateRequestResponseHandler(const Dictionary::Ptr&
 		    << boost::errinfo_file_name(tempCertPath));
 	}

-	/* Update ApiListener's SSL_CTX */
+	Log(LogInformation, "JsonRpcConnection", "Updating the client certificate for the ApiListener object");
+	listener->UpdateSSLContext();
 }