Hi Sam,

thank you for your message. What about the existing sessions 
(gnutls_session_t)? Can I call gnutls_credentials_clear() once the handshake is 
finished and keep the connection for this session established? I believe it is 
not safe to call gnutls_certificate_free_credentials() as long as there are 
sessions bound to this store, is it?

Or is there any other best practice? Can I set other credentials on an existing 
session (after handshake)?

Thanks in advance.

Mario

> On 2. Aug 2018, at 23:14, Sam Varshavchik <[email protected]> wrote:
> 
> Mario Lombardo writes:
> 
>> Hi gnutls team,
>> 
>> I’m looking for a way how to use gnutls for a TLS server in combination with 
>> Let’s Encrypt. As the validity of those certificates is just a couple of 
>> weeks, I would like to replace the current server key by new ones without 
>> restarting the server.
>> 
>> The implementation is basically like this:
>> // create credstore
>> gnutls_certificate_allocate_credentials(&(ctx->tls_x509_cred));
>> // load x509 key pair
>> gtls_returncode = gnutls_certificate_set_x509_key_file(ctx->tls_x509_cred, 
>> ctx->config->cert_bundle, ctx->config->key_file, GNUTLS_X509_FMT_PEM);
>> // install signal handler
>> signal(SIGUSR1, signal_handler);
>> 
>> Once the signal SIGUSR1 arrives, I would like to re-read x509 stuff.
>> 
>> The only solution I found (yet) is to free the credstore and allocate a new 
>> one (then read new keys). This has some downsides, as the server is not 
>> working anymore if there is something wrong with the key pair, because I 
>> already freed the existing credstore (here ctx->tls_x509_cred). And even
> 
> Instead of calling gnutls_certificate_free_credentials() on your old credential 
> store first, and then gnutls_certificate_allocate_credentials() a new one and 
> hoping for the best, why don't you try gnutls_certificate_allocate_credentials() 
> first, and if your endeavor succeeds you can free the old one and replace it 
> with the new one.
> 
> You are calling gnutls_certificate_free_credentials() on your old credential 
> store first, right? Because if all you do is what's shown above, then you must 
> be leaking memory.
> 

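An added example, not code from this thread or from the GnuTLS project, that puts Sam's "allocate first, free the old one only on success" advice together with Mario's concern about sessions still bound to the old store. It keeps each loaded credential set as a reference-counted generation: a reload builds the new set first and, if that fails, leaves the old one serving; a session pins the generation that was current at handshake time, so the old set is destroyed only after the store has swapped it out and the last session using it has ended. The gnutls calls are not made here so the code runs offline: `handle` stands in for `gnutls_certificate_credentials_t`, the loader callback stands in for `gnutls_certificate_allocate_credentials()` plus `gnutls_certificate_set_x509_key_file()`, the destroy callback for `gnutls_certificate_free_credentials()`, and `session_attach()` marks where `gnutls_credentials_set()` would bind the handle to a session; `fake_load`/`fake_destroy` are constructed stand-ins. All of those mappings are this example's assumptions, and the premise that credentials must outlive every session bound to them is taken from Mario's question, not verified against GnuTLS here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One loaded credential "generation". `handle` stands in for the
 * gnutls_certificate_credentials_t a real server would keep (assumption). */
typedef struct cred_gen {
    void *handle;
    int refs;                      /* store's own ref + one per attached session */
    void (*destroy)(void *handle); /* with gnutls: gnutls_certificate_free_credentials */
    unsigned generation;
} cred_gen_t;

typedef struct cred_store {
    cred_gen_t *current;           /* generation handed to new sessions */
    unsigned next_generation;
} cred_store_t;

/* Loader contract: 0 on success with *out set, non-zero on failure.
 * With gnutls this would wrap gnutls_certificate_allocate_credentials() followed
 * by gnutls_certificate_set_x509_key_file() (assumption, not shown here). */
typedef int (*cred_loader_fn)(const char *cert_path, const char *key_path, void **out);
typedef void (*cred_destroy_fn)(void *handle);

static cred_gen_t *cred_gen_ref(cred_gen_t *g) { if (g) g->refs++; return g; }

static void cred_gen_unref(cred_gen_t *g) {
    if (g && --g->refs == 0) {     /* last user gone: now it is safe to free */
        g->destroy(g->handle);
        free(g);
    }
}

/* Reload (e.g. from the SIGUSR1 handler's main-loop wakeup): build the new
 * generation first. Only if that succeeds is it swapped in; the store drops its
 * reference to the old one, which survives while any session still holds it.
 * On a failed load nothing changes and the server keeps serving. */
int cred_store_reload(cred_store_t *store, const char *cert_path, const char *key_path,
                      cred_loader_fn load, cred_destroy_fn destroy) {
    void *handle = NULL;
    int rc = load(cert_path, key_path, &handle);
    if (rc != 0) return rc;                    /* keep serving with the old store */
    cred_gen_t *g = calloc(1, sizeof *g);
    if (!g) { destroy(handle); return -1; }
    g->handle = handle;
    g->refs = 1;                               /* the store's own reference */
    g->destroy = destroy;
    g->generation = store->next_generation++;
    cred_gen_t *old = store->current;
    store->current = g;                        /* new sessions see the new one */
    cred_gen_unref(old);                       /* freed only when no session holds it */
    return 0;
}

/* A session pins the generation that was current when its handshake began;
 * with gnutls this is where gnutls_credentials_set() would bind g->handle. */
cred_gen_t *session_attach(cred_store_t *store) { return cred_gen_ref(store->current); }
void session_detach(cred_gen_t *g) { cred_gen_unref(g); }
void cred_store_shutdown(cred_store_t *store) { cred_gen_unref(store->current); store->current = NULL; }

/* Constructed stand-in loader so this runs offline: "loads" by copying the
 * certificate path and fails whenever the file name contains "broken". */
static int destroyed_total = 0;
int destroyed_count(void) { return destroyed_total; }

int fake_load(const char *cert_path, const char *key_path, void **out) {
    (void)key_path;
    if (strstr(cert_path, "broken")) return -1;
    size_t n = strlen(cert_path) + 1;
    char *copy = malloc(n);
    if (!copy) return -1;
    memcpy(copy, cert_path, n);
    *out = copy;
    return 0;
}
void fake_destroy(void *handle) { free(handle); destroyed_total++; }

int main(void) {
    cred_store_t store = {0};
    cred_store_reload(&store, "cert-v1.pem", "key-v1.pem", fake_load, fake_destroy);
    cred_gen_t *sess = session_attach(&store);             /* a long-lived client */
    int rc = cred_store_reload(&store, "cert-broken.pem", "key-v2.pem", fake_load, fake_destroy);
    printf("bad reload rc=%d, still serving %s\n", rc, (char *)store.current->handle);
    cred_store_reload(&store, "cert-v2.pem", "key-v2.pem", fake_load, fake_destroy);
    printf("after good reload: new sessions get %s, old generation destroyed=%d\n",
           (char *)store.current->handle, destroyed_count());
    session_detach(sess);
    printf("after that session ended: destroyed=%d\n", destroyed_count());
    cred_store_shutdown(&store);
    return 0;
}
```

The refcount is the piece that answers the "sessions still bound" worry: instead of deciding whether an existing session may keep its credentials after a swap, the server simply never frees a generation a session can still reach. In a multi-threaded server the ref/unref and the `store->current` swap would need a lock or atomic operations, which this single-threaded example omits.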

_______________________________________________
Gnutls-help mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnutls-help
