[jira] [Commented] (TINKERPOP-3146) Support SSL Certificates Reloading

ASF GitHub Bot (Jira) Fri, 18 Apr 2025 07:08:02 -0700


    [ 
https://issues.apache.org/jira/browse/TINKERPOP-3146?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17945676#comment-17945676
 ]


ASF GitHub Bot commented on TINKERPOP-3146:
-------------------------------------------

cdegroc commented on PR #3078:
URL: https://github.com/apache/tinkerpop/pull/3078#issuecomment-2815499858

   > It seems like this is the case, but I just wanted to confirm, the swapping 
is instant/atomic right? As in, theres no way for the SSL context to change 
during a handshake?
   
   That's my understanding, yes. [This section in the library's 
documentation](https://github.com/Hakky54/sslcontext-kickstart#reload-identity-and-trust-material)
 describes how the `SSLFactoryUtils#reload` call works at a high level 
([code](https://github.com/Hakky54/sslcontext-kickstart/blob/2a9c251f96eaa1399312ded075761d1c377ad28f/sslcontext-kickstart/src/main/java/nl/altindag/ssl/util/SSLFactoryUtils.java#L39-L49)).
 Looking at the code, the underlying 
[KeyManager](https://github.com/Hakky54/sslcontext-kickstart/blob/2a9c251f96eaa1399312ded075761d1c377ad28f/sslcontext-kickstart/src/main/java/nl/altindag/ssl/keymanager/HotSwappableX509ExtendedKeyManager.java)
 (resp. 
[TrustManager](https://github.com/Hakky54/sslcontext-kickstart/blob/2a9c251f96eaa1399312ded075761d1c377ad28f/sslcontext-kickstart/src/main/java/nl/altindag/ssl/trustmanager/HotSwappableX509ExtendedTrustManager.java))
 are swapped atomically (using locks), after which the existing `SSLSession`s 
are invalided, requiring a new handshake.




> Support SSL Certificates Reloading
> ----------------------------------
>
>                 Key: TINKERPOP-3146
>                 URL: https://issues.apache.org/jira/browse/TINKERPOP-3146
>             Project: TinkerPop
>          Issue Type: New Feature
>          Components: server
>            Reporter: Clément de Groc
>            Priority: Minor
>
> Gremlin Server supports SSL and allows loading KeyStore/TrustStore 
> certificate files on startup 
> ([1|https://github.com/apache/tinkerpop/blob/c4e48dee7a3c3942b4597c7a234adfc94b7d9c76/gremlin-server/src/main/java/org/apache/tinkerpop/gremlin/server/GremlinServer.java#L170],
>  
> [2|https://github.com/apache/tinkerpop/blob/c4e48dee7a3c3942b4597c7a234adfc94b7d9c76/gremlin-server/src/main/java/org/apache/tinkerpop/gremlin/server/AbstractChannelizer.java#L133-L135]).
>  However, in some environments, certificate files are rotated frequently and 
> would need to be reloaded without disruption. This ticket aims to support 
> transparently hot reloading file certificates on modification.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Commented] (TINKERPOP-3146) Support SSL Certificates Reloading

Reply via email to