Implement support for reloading SSL certificates without a restart

refs #5450
This commit is contained in:
Gunnar Beutner 2017-08-30 13:33:38 +02:00
parent 0ec07bce51
commit 192502f9e5
3 changed files with 16 additions and 11 deletions


@ -81,8 +81,15 @@ void ApiListener::OnConfigLoaded(void)
Log(LogInformation, "ApiListener")
<< "My API identity: " << GetIdentity();
UpdateSSLContext();
}
void ApiListener::UpdateSSLContext(void)
{
boost::shared_ptr<SSL_CTX> context;
try {
m_SSLContext = MakeSSLContext(GetCertPath(), GetKeyPath(), GetCaPath());
context = MakeSSLContext(GetCertPath(), GetKeyPath(), GetCaPath());
} catch (const std::exception&) {
BOOST_THROW_EXCEPTION(ScriptError("Cannot make SSL context for cert path: '"
+ GetCertPath() + "' key path: '" + GetKeyPath() + "' ca path: '" + GetCaPath() + "'.", GetDebugInfo()));
@ -90,7 +97,7 @@ void ApiListener::OnConfigLoaded(void)
if (!GetCrlPath().IsEmpty()) {
try {
AddCRLToSSLContext(m_SSLContext, GetCrlPath());
AddCRLToSSLContext(context, GetCrlPath());
} catch (const std::exception&) {
BOOST_THROW_EXCEPTION(ScriptError("Cannot add certificate revocation list to SSL context for crl path: '"
+ GetCrlPath() + "'.", GetDebugInfo()));
@ -99,7 +106,7 @@ void ApiListener::OnConfigLoaded(void)
if (!GetCipherList().IsEmpty()) {
try {
SetCipherListToSSLContext(m_SSLContext, GetCipherList());
SetCipherListToSSLContext(context, GetCipherList());
} catch (const std::exception&) {
BOOST_THROW_EXCEPTION(ScriptError("Cannot set cipher list to SSL context for cipher list: '"
+ GetCipherList() + "'.", GetDebugInfo()));
@ -108,11 +115,13 @@ void ApiListener::OnConfigLoaded(void)
if (!GetTlsProtocolmin().IsEmpty()){
try {
SetTlsProtocolminToSSLContext(m_SSLContext, GetTlsProtocolmin());
SetTlsProtocolminToSSLContext(context, GetTlsProtocolmin());
} catch (const std::exception&) {
BOOST_THROW_EXCEPTION(ScriptError("Cannot set minimum TLS protocol version to SSL context with tls_protocolmin: '" + GetTlsProtocolmin() + "'.", GetDebugInfo()));
}
}
m_SSLContext = context;
}
void ApiListener::OnAllConfigLoaded(void)
@ -184,11 +193,6 @@ ApiListener::Ptr ApiListener::GetInstance(void)
return m_Instance;
}
boost::shared_ptr<SSL_CTX> ApiListener::GetSSLContext(void) const
{
return m_SSLContext;
}
Endpoint::Ptr ApiListener::GetMaster(void) const
{
Zone::Ptr zone = Zone::GetLocalZone();
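Review bot: The final `m_SSLContext = context;` in the `@ -108` hunk is an unsynchronized write to a boost::shared_ptr that `GetSSLContext` (the `@ -184` hunk) returns by copy, and because `UpdateSSLContext` is now also reachable from JsonRpcConnection's certificate-response handler rather than only from OnConfigLoaded, that write can run while other threads are reading the same member — concurrent copy and assignment of one shared_ptr object is not thread-safe, so this presumably needs a lock (I cannot see the threading of the callers here). A small mutex member, e.g. a new `boost::mutex m_SSLContextMutex`, taken in `GetSSLContext` and around the publish step `{ boost::mutex::scoped_lock lock(m_SSLContextMutex); m_SSLContext = context; }`, closes the race without changing the interface. Building into the local `context` first is the right shape, since a ScriptError from any setup step leaves the previous context active; that guarantee is worth stating above the assignment, `/* Publish only after every step succeeded; on error the previous context stays in use. */`. Connections already established keep whatever shared_ptr they copied, which is fine as long as new connections fetch the context via GetSSLContext at accept time — not visible in these hunks.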


@ -61,7 +61,7 @@ public:
static ApiListener::Ptr GetInstance(void);
boost::shared_ptr<SSL_CTX> GetSSLContext(void) const;
void UpdateSSLContext(void);
Endpoint::Ptr GetMaster(void) const;
bool IsMaster(void) const;
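Review bot: The new declaration `void UpdateSSLContext(void);` is public and now has a runtime caller outside config loading, but nothing here states its contract. A short comment above it would help the next caller, e.g. `/* Rebuilds the SSL context from the configured cert/key/CA/CRL paths and cipher/protocol settings. Throws ScriptError if any step fails, in which case the previous context remains in place. */`. If the member is protected by a lock in the implementation, the comment should also say that GetSSLContext/UpdateSSLContext are safe to call from connection threads.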


@ -222,5 +222,6 @@ void JsonRpcConnection::CertificateRequestResponseHandler(const Dictionary::Ptr&
<< boost::errinfo_file_name(tempCertPath));
}
/* Update ApiListener's SSL_CTX */
Log(LogInformation, "JsonRpcConnection", "Updating the client certificate for the ApiListener object");
listener->UpdateSSLContext();
}
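Review bot: `listener->UpdateSSLContext();` can throw ScriptError (see the apilistener.cpp hunks, which wrap the failure with the object's GetDebugInfo()), so a certificate that was just written to disk but cannot be loaded surfaces here as a config-style error from inside a network handler, and the preceding "Updating the client certificate" log line is never followed by a success or failure message. Whether to catch it depends on how CertificateRequestResponseHandler's caller treats exceptions, which is outside the hunk (the surrounding code at the top of the hunk itself rethrows with boost::errinfo_file_name, so propagating may be intentional). At minimum a comment above the call, `/* May throw ScriptError if the new certificate cannot be loaded; the previous SSL context stays active in that case. */`, makes the failure mode explicit; if the handler must not throw, catch `const std::exception&` here and log the failure at LogCritical instead.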