cdegroc commented on PR #3078: URL: https://github.com/apache/tinkerpop/pull/3078#issuecomment-2815499858
> It seems like this is the case, but I just wanted to confirm, the swapping is instant/atomic right? As in, there's no way for the SSL context to change during a handshake?

That's my understanding, yes. [This section in the library's documentation](https://github.com/Hakky54/sslcontext-kickstart#reload-identity-and-trust-material) describes how the `SSLFactoryUtils#reload` call works at a high level ([code](https://github.com/Hakky54/sslcontext-kickstart/blob/2a9c251f96eaa1399312ded075761d1c377ad28f/sslcontext-kickstart/src/main/java/nl/altindag/ssl/util/SSLFactoryUtils.java#L39-L49)). Looking at the code, the underlying [KeyManager](https://github.com/Hakky54/sslcontext-kickstart/blob/2a9c251f96eaa1399312ded075761d1c377ad28f/sslcontext-kickstart/src/main/java/nl/altindag/ssl/keymanager/HotSwappableX509ExtendedKeyManager.java) (resp. [TrustManager](https://github.com/Hakky54/sslcontext-kickstart/blob/2a9c251f96eaa1399312ded075761d1c377ad28f/sslcontext-kickstart/src/main/java/nl/altindag/ssl/trustmanager/HotSwappableX509ExtendedTrustManager.java)) are swapped atomically (using locks), after which the existing `SSLSession`s are invalidated, requiring a new handshake.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
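The pattern described in the comment above (swap the delegate under a lock, then invalidate cached sessions), as an added JDK-only sketch that is not part of the original comment and not sslcontext-kickstart's code. The class name `SwappableKeyManager` and its `swap` method are hypothetical.

```java
import javax.net.ssl.*;
import java.net.Socket;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.concurrent.locks.ReentrantReadWriteLock;
import java.util.function.Function;

// Hypothetical sketch: a key manager whose delegate can be replaced at runtime.
final class SwappableKeyManager extends X509ExtendedKeyManager {
    private final ReentrantReadWriteLock lock = new ReentrantReadWriteLock();
    private X509ExtendedKeyManager delegate; // guarded by lock

    SwappableKeyManager(X509ExtendedKeyManager initial) { this.delegate = initial; }

    // Each lookup holds the read lock, so it sees the old or the new delegate, never a mix.
    private <T> T read(Function<X509ExtendedKeyManager, T> call) {
        lock.readLock().lock();
        try { return call.apply(delegate); } finally { lock.readLock().unlock(); }
    }

    // The write lock waits for in-flight lookups, then swaps. Cached sessions are
    // invalidated afterwards so resumption cannot reuse the old key material.
    void swap(X509ExtendedKeyManager next, SSLContext ctx) {
        lock.writeLock().lock();
        try { delegate = next; } finally { lock.writeLock().unlock(); }
        for (SSLSessionContext sc : new SSLSessionContext[] {ctx.getServerSessionContext(), ctx.getClientSessionContext()}) {
            if (sc == null) continue; // a context may not expose a session cache
            for (byte[] id : Collections.list(sc.getIds())) {
                SSLSession s = sc.getSession(id);
                if (s != null) s.invalidate();
            }
        }
    }

    @Override public String[] getClientAliases(String t, Principal[] i) { return read(d -> d.getClientAliases(t, i)); }
    @Override public String chooseClientAlias(String[] t, Principal[] i, Socket s) { return read(d -> d.chooseClientAlias(t, i, s)); }
    @Override public String[] getServerAliases(String t, Principal[] i) { return read(d -> d.getServerAliases(t, i)); }
    @Override public String chooseServerAlias(String t, Principal[] i, Socket s) { return read(d -> d.chooseServerAlias(t, i, s)); }
    @Override public X509Certificate[] getCertificateChain(String a) { return read(d -> d.getCertificateChain(a)); }
    @Override public PrivateKey getPrivateKey(String a) { return read(d -> d.getPrivateKey(a)); }
    @Override public String chooseEngineClientAlias(String[] t, Principal[] i, SSLEngine e) { return read(d -> d.chooseEngineClientAlias(t, i, e)); }
    @Override public String chooseEngineServerAlias(String t, Principal[] i, SSLEngine e) { return read(d -> d.chooseEngineServerAlias(t, i, e)); }
}
```

In this sketch the lock covers each individual lookup, not a whole handshake, so a handshake that picked an alias before `swap` can ask the new delegate for that alias afterwards. Using the same alias in the old and new key material avoids a failed lookup in that window.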
