[ https://issues.apache.org/jira/browse/TINKERPOP-3146?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17945676#comment-17945676 ]
ASF GitHub Bot commented on TINKERPOP-3146:
-------------------------------------------

cdegroc commented on PR #3078:
URL: https://github.com/apache/tinkerpop/pull/3078#issuecomment-2815499858

> It seems like this is the case, but I just wanted to confirm, the swapping is instant/atomic right? As in, there's no way for the SSL context to change during a handshake?

That's my understanding, yes.

[This section in the library's documentation](https://github.com/Hakky54/sslcontext-kickstart#reload-identity-and-trust-material) describes how the `SSLFactoryUtils#reload` call works at a high level ([code](https://github.com/Hakky54/sslcontext-kickstart/blob/2a9c251f96eaa1399312ded075761d1c377ad28f/sslcontext-kickstart/src/main/java/nl/altindag/ssl/util/SSLFactoryUtils.java#L39-L49)).

Looking at the code, the underlying [KeyManager](https://github.com/Hakky54/sslcontext-kickstart/blob/2a9c251f96eaa1399312ded075761d1c377ad28f/sslcontext-kickstart/src/main/java/nl/altindag/ssl/keymanager/HotSwappableX509ExtendedKeyManager.java) (resp. [TrustManager](https://github.com/Hakky54/sslcontext-kickstart/blob/2a9c251f96eaa1399312ded075761d1c377ad28f/sslcontext-kickstart/src/main/java/nl/altindag/ssl/trustmanager/HotSwappableX509ExtendedTrustManager.java)) are swapped atomically (using locks), after which the existing `SSLSession`s are invalidated, requiring a new handshake.

> Support SSL Certificates Reloading
> ----------------------------------
>
>                 Key: TINKERPOP-3146
>                 URL: https://issues.apache.org/jira/browse/TINKERPOP-3146
>             Project: TinkerPop
>          Issue Type: New Feature
>          Components: server
>            Reporter: Clément de Groc
>            Priority: Minor
>
> Gremlin Server supports SSL and allows loading KeyStore/TrustStore
> certificate files on startup
> ([1|https://github.com/apache/tinkerpop/blob/c4e48dee7a3c3942b4597c7a234adfc94b7d9c76/gremlin-server/src/main/java/org/apache/tinkerpop/gremlin/server/GremlinServer.java#L170],
> [2|https://github.com/apache/tinkerpop/blob/c4e48dee7a3c3942b4597c7a234adfc94b7d9c76/gremlin-server/src/main/java/org/apache/tinkerpop/gremlin/server/AbstractChannelizer.java#L133-L135]).
> However, in some environments, certificate files are rotated frequently and
> would need to be reloaded without disruption. This ticket aims to support
> transparently hot reloading file certificates on modification.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
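
The swap-then-invalidate sequence described in the comment above, written with plain JSSE classes as an added example; it is not code from sslcontext-kickstart or TinkerPop, and `SwappableKeyManager`, `reload` and `invalidateAll` are hypothetical names. It uses a `volatile` reference where the comment says the library uses locks, and it covers only the key manager side.

```java
import java.net.Socket;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSessionContext;
import javax.net.ssl.X509ExtendedKeyManager;

/** Hypothetical wrapper (not library code): forwards every call to a replaceable delegate. */
final class SwappableKeyManager extends X509ExtendedKeyManager {
    // volatile: each call reads one complete delegate, either the old or the new one.
    // Atomicity is per call; a handshake makes several calls (choose alias, fetch chain and key).
    private volatile X509ExtendedKeyManager delegate;

    SwappableKeyManager(X509ExtendedKeyManager initial) { this.delegate = initial; }

    /** Swap the delegate, then drop cached sessions so resumption cannot reuse old material. */
    void reload(X509ExtendedKeyManager updated, SSLContext context) {
        delegate = updated;
        invalidateAll(context.getServerSessionContext());
        invalidateAll(context.getClientSessionContext());
    }

    private static void invalidateAll(SSLSessionContext sessions) {
        if (sessions == null) return;                       // unavailable in some environments
        for (byte[] id : Collections.list(sessions.getIds())) {
            SSLSession session = sessions.getSession(id);   // null if it expired meanwhile
            if (session != null) session.invalidate();      // forces a full handshake next time
        }
    }

    @Override public String[] getClientAliases(String type, Principal[] issuers) {
        return delegate.getClientAliases(type, issuers); }
    @Override public String chooseClientAlias(String[] types, Principal[] issuers, Socket s) {
        return delegate.chooseClientAlias(types, issuers, s); }
    @Override public String[] getServerAliases(String type, Principal[] issuers) {
        return delegate.getServerAliases(type, issuers); }
    @Override public String chooseServerAlias(String type, Principal[] issuers, Socket s) {
        return delegate.chooseServerAlias(type, issuers, s); }
    @Override public X509Certificate[] getCertificateChain(String alias) {
        return delegate.getCertificateChain(alias); }
    @Override public PrivateKey getPrivateKey(String alias) {
        return delegate.getPrivateKey(alias); }
    @Override public String chooseEngineClientAlias(String[] types, Principal[] issuers, SSLEngine e) {
        return delegate.chooseEngineClientAlias(types, issuers, e); }
    @Override public String chooseEngineServerAlias(String type, Principal[] issuers, SSLEngine e) {
        return delegate.chooseEngineServerAlias(type, issuers, e); }
}
```

The wrapper is passed to `SSLContext.init` once at startup; a file watcher would later build a fresh `X509ExtendedKeyManager` from the rotated keystore and hand it to `reload` together with that same `SSLContext`.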