Enhancement #758

open

Load new certificates on /BIP RELOAD / SIGHUP

Added by Loïc Gomez about 2 years ago. Updated about 1 month ago.

Status: In Progress
Priority: High
Assignee:
Target version:
Start date: 2022-03-15
Due date:
% Done: 100%
Estimated time:
Patch Available: Yes
Found in Versions:
Confirmed: Yes
Branch:
Security:
Help Needed:

Description

We need to find a way to re-read the SSL cert/key for use with new client connections.
Most people probably use Let's Encrypt, which means they need to restart BIP every 3 months.

Actions #1

Updated by Pierre-Louis Bonicoli about 2 years ago

ping

Actions #2

Updated by Loïc Gomez about 2 years ago

  • Status changed from New to In Progress

Actions #3

Updated by Loïc Gomez about 2 years ago

  • File 0001-Close-and-re-open-listening-socket-when-reloading-BI.patch added
  • Patch Available set to Yes

Well that was easier than expected.

This needs careful review, as I'm not 100% sure everything I did was correct: did I close/free everything required, and is there a cleaner solution?

I also allowed bip to retry 3 times to listen() before going fatal() as there might be issues reusing the port for a few seconds. We use SO_REUSEADDR though, so it should be ok.

Tested changing the port or cert and it worked for me (/bip RELOAD or SIGHUP) ;)

Actions #4

Updated by Loïc Gomez about 2 years ago

  • File deleted (0001-Close-and-re-open-listening-socket-when-reloading-BI.patch)

Actions #5

Updated by Loïc Gomez about 2 years ago

  • File 0001-Close-and-re-open-listening-socket-when-reloading-BI.patch added

Forgot to lint.

Actions #6

Updated by Loïc Gomez about 2 years ago

  • % Done changed from 0 to 100

Actions #7

Updated by Loïc Gomez about 2 months ago

  • File deleted (0001-Close-and-re-open-listening-socket-when-reloading-BI.patch)

Actions #8

Updated by Loïc Gomez about 2 months ago

  • Confirmed changed from No to Yes

This did not work / had bip crash the last time I used it.
Maybe something changed preventing reuse of the socket, but then we don't need to close the listening socket to reload certs.
We actually should instead rebuild the SSL context that's been generated once and for all on first client connection.

Will file a Review issue for the patches.
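
The approach from comment #8, rebuilding the SSL context on SIGHUP or /bip RELOAD while the listening socket stays open, as an added C example that is not bip's code. The tls_ctx struct stands in for OpenSSL's SSL_CTX, which is reference counted the same way (SSL_new() takes a reference on the context, SSL_CTX_free() drops one, so the old context outlives the swap as long as a client still uses it); the file names and the write_text helper are constructed for the demo.

```c
/* Reloadable TLS-context pattern standing in for OpenSSL's SSL_CTX: build the
 * new context fully, swap the pointer, keep the old one alive while connections
 * still use it. The listening socket is never closed. */
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    char cert[256], key[256];  /* stand-ins for the parsed cert and key */
    int refs;                  /* server slot + every live connection */
} tls_ctx;
static tls_ctx *current_ctx = NULL;              /* what new clients get */
static volatile sig_atomic_t reload_pending = 0; /* set by SIGHUP, polled by main loop */
static void on_sighup(int sig) { (void)sig; reload_pending = 1; }
void tls_install_sighup(void) { signal(SIGHUP, on_sighup); }
static int read_file(const char *path, char *buf, size_t n) {
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t got = fread(buf, 1, n - 1, f);
    fclose(f);
    buf[got] = '\0';
    return got ? 0 : -1;
}
int write_text(const char *path, const char *text) {  /* demo helper: constructed PEM stand-in */
    FILE *f = fopen(path, "w"); if (!f) return -1; fputs(text, f); return fclose(f);
}
/* Build a fresh context; returns NULL on any error and leaves the live one alone. */
tls_ctx *tls_ctx_load(const char *cert_path, const char *key_path) {
    tls_ctx *c = calloc(1, sizeof *c);
    if (!c) return NULL;
    if (read_file(cert_path, c->cert, sizeof c->cert) < 0 ||
        read_file(key_path, c->key, sizeof c->key) < 0) { free(c); return NULL; }
    c->refs = 1;
    return c;
}
tls_ctx *tls_ctx_ref(tls_ctx *c) { c->refs++; return c; }  /* like SSL_new() */
void tls_ctx_unref(tls_ctx *c) { if (c && --c->refs == 0) free(c); }
/* Called from the main loop when reload_pending is set. 0 on success, -1 if the
 * new files fail to load, in which case the old context stays in service. */
int tls_reload(const char *cert_path, const char *key_path) {
    reload_pending = 0;
    tls_ctx *fresh = tls_ctx_load(cert_path, key_path);
    if (!fresh) return -1;
    tls_ctx *old = current_ctx;
    current_ctx = fresh;
    tls_ctx_unref(old);  /* freed only once its last connection closes */
    return 0;
}
```

A failed reload (unreadable or half-renewed files) leaves the previous context serving, which is the behaviour you want from an unattended Let's Encrypt renewal.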

Actions #10

Updated by Loïc Gomez about 2 months ago

  • Target version changed from 0.10.0 to 21

Actions #11

Updated by Loïc Gomez about 1 month ago

  • Target version changed from 21 to 0.10.0