ywkaras opened a new issue, #9562: URL: https://github.com/apache/trafficserver/issues/9562
I'm running a test with this `ssl_multicert.config` file:

```
dest_ip = 0 ssl_cert_name=2050.crt ssl_key_name=private.key
```

The cert in 2050.crt expired in the year 2050. The steps of the test are:

1. Execute a `curl` that makes a TLS connection, but does not authenticate the received server cert, with verbose output enabled.
2. Use TSSslSecretSet()/TSSslSecretUpdate() to change the 2050.crt to one that is identical, except for expiring in 2060.
3. Repeat the same `curl` command.

Here is the debug trace output with the debug regex `ssl`: https://gist.github.com/ywkaras/a7b511a290d62627be18ba301653944c

The update of the cert can be seen starting at line 201. However, the expiration date in the verbose output in the second `curl` does not change. Presumably this means the new cert is not used.

I notice that, in this function: https://github.com/apache/trafficserver/blob/de8e2439fdd4dc491bb7af512b8f8603a81a7be1/iocore/net/SSLNetVConnection.cc#L1129 getCTX() is only called in the client case, not the server case. Does this limit the cases where updates to secrets are actually used?
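The before/after check from the test steps can be scripted instead of read from `curl`'s verbose output. This is an added example, not part of the original issue or the Traffic Server code base: it compares the certificate a listener actually presents with a PEM file, by SHA-256 fingerprint and notAfter. The function names are hypothetical, and it assumes `bash` and the `openssl` CLI.

```shell
#!/usr/bin/env bash
# Added example: identify a certificate by fingerprint and expiry, and check
# whether a TLS listener is presenting the certificate that is on disk.

# Print "SHA256-fingerprint|notAfter" for the first PEM certificate on stdin.
# Returns 1 if stdin contains no parsable certificate.
cert_id() {
    local pem fp end
    pem=$(cat)
    fp=$(printf '%s\n' "$pem" | openssl x509 -noout -fingerprint -sha256 2>/dev/null) || return 1
    end=$(printf '%s\n' "$pem" | openssl x509 -noout -enddate 2>/dev/null) || return 1
    printf '%s|%s\n' "${fp#*=}" "${end#notAfter=}"
}

# Same, for the leaf certificate presented by host:port. No chain validation
# is done, matching a curl run that does not authenticate the server cert.
served_cert_id() {
    local host=$1 port=$2
    openssl s_client -connect "${host}:${port}" -servername "$host" \
        </dev/null 2>/dev/null | cert_id
}

# Return 0 if host:port presents exactly the certificate stored in file $3,
# 1 on mismatch (stale certificate still served), 2 if either side is unreadable.
serving_expected_cert() {
    local host=$1 port=$2 file=$3 want got
    want=$(cert_id <"$file") || { echo "cannot parse $file" >&2; return 2; }
    got=$(served_cert_id "$host" "$port") || {
        echo "no certificate from ${host}:${port}" >&2; return 2; }
    [ "$want" = "$got" ] && return 0
    echo "mismatch: served=${got} expected=${want}" >&2
    return 1
}
```

Running `serving_expected_cert` against the listener after the secret update, with the replacement certificate file as the third argument, returns 1 when the old certificate is still being served.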
