Hi Sam, thank you for your message.

What about the existing sessions (gnutls_session_t)? Can I call gnutls_credentials_clear() once the handshake is finished and keep the connection for this session established? I believe it is not safe to gnutls_certificate_free_credentials() as long as there are sessions bound to this store, is it?

Or is there any other best practice? Can I set other credentials on an existing session (after the handshake)?

Thanks in advance.
Mario

> On 2. Aug 2018, at 23:14, Sam Varshavchik <[email protected]> wrote:
>
> Mario Lombardo writes:
>
>> Hi gnutls team,
>>
>> I'm looking for a way to use gnutls for a TLS server in combination with
>> Let's Encrypt. As the validity of those certificates is just a couple of
>> weeks, I would like to replace the current server key by new ones without
>> restarting the server.
>>
>> The implementation is basically like this:
>> // create credstore
>> gnutls_certificate_allocate_credentials(&(ctx->tls_x509_cred));
>> // load x509 key pair
>> gtls_returncode = gnutls_certificate_set_x509_key_file(ctx->tls_x509_cred,
>> ctx->config->cert_bundle, ctx->config->key_file, GNUTLS_X509_FMT_PEM);
>> // install signal handler
>> signal(SIGUSR1, signal_handler);
>>
>> Once the signal SIGUSR1 arrives, I would like to re-read the x509 material.
>>
>> The only solution I found so far is to free the credstore and allocate a new
>> one (then read the new keys). This has some downsides, as the server is not
>> working anymore if there is something wrong with the key pair, because I
>> already freed the existing credstore (here ctx->tls_x509_cred). And even
>
> Instead of gnutls_certificate_free_credentials() your old credential store
> first, and then gnutls_certificate_allocate_credentials() a new one and hope
> for the best, why don't you try gnutls_certificate_allocate_credentials()
> first, and if your endeavor succeeds you can free the old one and replace it
> with the new one.
>
> You are gnutls_certificate_free_credentials() your old credential store
> first, right? Because if all you do is what's shown above, then you must be
> leaking memory.
_______________________________________________ Gnutls-help mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnutls-help
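The reload pattern Sam describes, extended to the open question about sessions that are still bound to the old store, as an added example (not code from this thread and not GnuTLS's own code). The GnuTLS calls are replaced by a small in-memory PEM header check so the program runs stand-alone without libgnutls; the comments mark where gnutls_certificate_allocate_credentials(), gnutls_certificate_set_x509_key_file(), gnutls_credentials_set() and gnutls_certificate_free_credentials() would sit. Three assumptions drive the design: a session keeps a pointer to the credentials it was handed, so that store must outlive the session rather than be freed when a newer one is installed; the new store is built and validated before the old one is touched, so a bad key file leaves the server running on the old pair; and the signal handler only sets a flag, because neither gnutls_*() nor malloc() is async-signal-safe. The cred_store struct, the reference count and the PEM header check are illustrative stand-ins, and the sample PEM strings are constructed placeholders, not real key material.

```c
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed placeholder PEM blobs; the bodies are not real key material. */
#define SAMPLE_CERT_PEM "-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n-----END CERTIFICATE-----\n"
#define SAMPLE_KEY_PEM  "-----BEGIN PRIVATE KEY-----\n(constructed placeholder)\n-----END PRIVATE KEY-----\n"

/* Stand-in for gnutls_certificate_credentials_t, plus a reference count:
 * the "current" slot holds one reference and every open session bound to
 * the store holds one more. The store is freed when the count hits zero. */
typedef struct cred_store {
    int refs;
    int generation;
} cred_store;

static cred_store *current_store = NULL;          /* handed to new sessions */
static int installed_generation = 0;              /* bumps on successful reload */
static int live_stores = 0;                       /* allocated and not yet freed */
static volatile sig_atomic_t reload_requested = 0;

/* The handler only sets a flag. gnutls_*() and malloc() are not
 * async-signal-safe, so the reload itself is done from the event loop. */
static void on_sigusr1(int sig) { (void)sig; reload_requested = 1; }

static void store_release(cred_store *s) {
    if (s && --s->refs == 0) {
        free(s);                  /* gnutls_certificate_free_credentials(s) */
        live_stores--;
    }
}

/* Stand-in for gnutls_certificate_set_x509_key_file(): the real call parses
 * the files and matches the pair; here the check is only that both look like
 * PEM. Returns 0 on success and -1 on failure (GnuTLS returns a negative
 * error code on failure). */
static int load_key_pair(cred_store *s, const char *cert_pem, const char *key_pem) {
    static const char cert_hdr[] = "-----BEGIN CERTIFICATE-----";
    static const char key_hdr[]  = "-----BEGIN PRIVATE KEY-----";
    (void)s;
    if (!cert_pem || !key_pem) return -1;
    if (strncmp(cert_pem, cert_hdr, sizeof cert_hdr - 1) != 0) return -1;
    if (strncmp(key_pem, key_hdr, sizeof key_hdr - 1) != 0) return -1;
    return 0;
}

/* Build and validate the replacement before touching the old store. On any
 * failure the old store stays current and the server keeps serving. On
 * success the slot's reference moves to the new store; sessions still bound
 * to the old one keep it alive until they close. Returns 0 or -1. */
int reload_credentials(const char *cert_pem, const char *key_pem) {
    cred_store *fresh = calloc(1, sizeof *fresh);   /* gnutls_certificate_allocate_credentials() */
    if (!fresh) return -1;
    live_stores++;
    fresh->refs = 1;
    fresh->generation = installed_generation + 1;
    if (load_key_pair(fresh, cert_pem, key_pem) != 0) {
        store_release(fresh);                       /* frees only the never-installed store */
        return -1;
    }
    cred_store *old = current_store;
    current_store = fresh;
    installed_generation = fresh->generation;
    store_release(old);                             /* drops the slot's reference, not the sessions' */
    return 0;
}

/* Session lifetime: take a reference to the current store when the session
 * is set up, which is where gnutls_credentials_set(session,
 * GNUTLS_CRD_CERTIFICATE, store) would be called, and release it when the
 * session is torn down with gnutls_deinit(). The store a session was handed
 * must outlive that session; it is never swapped under a live one. */
cred_store *session_open(void) {
    if (!current_store) return NULL;
    current_store->refs++;
    return current_store;
}
void session_close(cred_store *bound) { store_release(bound); }

int current_generation(void) { return installed_generation; }
int stores_alive(void) { return live_stores; }

int main(void) {
    signal(SIGUSR1, on_sigusr1);
    if (reload_credentials(SAMPLE_CERT_PEM, SAMPLE_KEY_PEM) != 0) return 1;
    cred_store *s = session_open();                 /* long-lived session on generation 1 */
    raise(SIGUSR1);                                 /* operator asks for a reload */
    if (reload_requested) {
        reload_requested = 0;
        /* a broken key file must not take the server down */
        if (reload_credentials(SAMPLE_CERT_PEM, "not a key") != 0)
            printf("reload failed, still serving generation %d\n", current_generation());
        if (reload_credentials(SAMPLE_CERT_PEM, SAMPLE_KEY_PEM) == 0)
            printf("serving generation %d, %d stores alive\n", current_generation(), stores_alive());
    }
    session_close(s);                               /* last reference: old store freed now */
    printf("%d store alive\n", stores_alive());
    return 0;
}
```

In a server that handles sessions on several threads, the reference count and the current_store pointer need a mutex (or atomics) around the acquire, release and swap; the single-threaded event loop assumed here needs neither. The same shape applies when reloading from a file watcher or timer instead of SIGUSR1: validate into a fresh store, swap the pointer, and let the old store drain.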
