Re: Cert hot-reloading

2020-08-30 Thread Kyle Hamilton
Could this be dealt with by the simple removal of any caching layer between an SSL_CTX and a directory processed by openssl c_rehash? Would reading the filesystem on every certificate verification be too heavy for your use case? On Sun, Aug 30, 2020 at 7:20 PM Jordan Brown wrote: > > Well, I can

Re: Cert hot-reloading

2020-08-30 Thread David Arnold
Should aspects of an implementation be configurable behavior with a sane default? I'd guess so... Hot-plugging the pointer seems to force atomicity considerations down-stream, which might be educationally a good thing for openssl to press for. It also addresses Jordan's use case, for however

Re: Cert hot-reloading

2020-08-30 Thread Kyle Hamilton
I'm not sure I can follow the "in all cases it's important to keep the key and cert in the same file" argument, particularly in line with openat() usage on the cert file after privilege to open the key file has been dropped. I agree that key/cert staleness is important to address in some manner,

Re: Cert hot-reloading

2020-08-30 Thread Jordan Brown
Well, I can restate the problem that I encountered. We deliver an integrated storage system.  Under the covers it is a modified Solaris running a usual collection of proprietary and open-source components.  We supply an administrative user interface that, among many other things, lets you manage

Re: Cert hot-reloading

2020-08-30 Thread Karl Denninger
On 8/30/2020 19:28, Viktor Dukhovni wrote: On Sun, Aug 30, 2020 at 05:45:41PM -0500, David Arnold wrote: If you prefer this mailing list over github issues, I still want to ask for comments on: Certificate hot-reloading #12753 Specifically,

Re: Cert hot-reloading

2020-08-30 Thread Viktor Dukhovni
On Sun, Aug 30, 2020 at 05:45:41PM -0500, David Arnold wrote: > If you prefer this mailing list over github issues, I still want to ask > for comments on: > > Certificate hot-reloading #12753 > > > Specifically, my impression is that this topic

Cert hot-reloading

2020-08-30 Thread David Arnold
Hi, If you prefer this mailing list over github issues, I still want to ask for comments on: Certificate hot-reloading #12753 Specifically, my impression is that this topic has died down a bit and from the linked mailing list threads, in my

ASN1 integer conversion - why is this correct ?

2020-08-30 Thread Dirk-Willem van Gulik
I am converting an unsigned integer (P,Q of an ECDSA 256 bit curve) from a 32 byte array (as provided by Microsoft its .NET cryptographic framework) to an ANS1_INTEGER. The steps taken are: unsigned char in[32] = .. r = BN_bin2bn(in, 32, NULL); BN_to_ASN1_INTEGER(r,