Mark,

On 10/26/17 12:07 PM, Mark Thomas wrote:
> On 26 October 2017 14:36:03 BST, Christopher Schultz
> <ch...@christopherschultz.net> wrote:
>> Mark,
>>
>> On 10/26/17 8:54 AM, Mark Thomas wrote:
>>> On 26/10/2017 09:31, Johan Compagner wrote:
>>>> Hi,
>>>>
>>>> Now with LetsCrypt it's easy (and free) to get HTTPS up and
>>>> running even if you just use Tomcat.
>>>> But the problem is those certificates must be renewed every
>>>> 3 months.
>>>> This is easy to do in a crontab script (that does the renew
>>>> and makes a Java keystore again).
>>>> So I can generate the pfx constantly just fine.
>>>>
>>>> But does Tomcat monitor that file for changes and will it
>>>> then use the new one without restarting the whole server?
>>>
>>> Currently, no.
>>>
>>> We have just added the ability to 9.0.x and 8.5.x to reload the
>>> certificate file on the fly.
>>
>> Can you point me to some specific commits that implement that?
>> I've been dragging my feet on the work to reload *everything* and
>> if the cert-reloading has already been done, then it seems that
>> most -- if not all -- the work I expected to do is already done.
>
> http://svn.apache.org/viewvc?view=revision&revision=1808482
>
> Mark
>
>>
>> One of the reasons I hadn't done it yet was because I wasn't
>> sure about which of the many Tomcat components should warehouse
>> that code... there are so many layers and I don't understand
>> exactly which ones are responsible for what things.
>>
>> Do these patches include replacing the SSLContext, or only the
>> key material that is being used for the handshake for an
>> existing SSLContext?
>
> It provides a new SSLContext that will be used for all new
> connections.

Thanks. So this is relying on the OpenSSLContext.finalize() method to
clean up after the native SSL context? It's been "recommended" to not
rely on finalizers for quite a long time. Is that advice no longer
correct?

I'm particularly concerned about native memory leaks.

-chris
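
The concern raised in this message, as an added example that is not part of the original e-mail and is not Tomcat's code: a reference-counted holder that frees a replaced native SSL context when its last connection closes, instead of waiting for a finalizer. `NativeCtx`, `ReloadableCtx`, `Demo` and the certificate labels are hypothetical, constructed stand-ins; no real native memory is allocated.

```java
import java.util.concurrent.atomic.AtomicInteger;
import java.util.concurrent.atomic.AtomicReference;

/** Constructed stand-in for a wrapper around a native SSL context (hypothetical, not Tomcat code). */
final class NativeCtx {
    static final AtomicInteger LIVE = new AtomicInteger();   // native contexts not yet freed
    private final AtomicInteger refs = new AtomicInteger(1); // 1 = the holder's own reference
    final String certLabel;

    NativeCtx(String certLabel) { this.certLabel = certLabel; LIVE.incrementAndGet(); }

    /** Take a reference unless the context has already been freed. */
    boolean retain() {
        for (;;) {
            int n = refs.get();
            if (n == 0) return false;
            if (refs.compareAndSet(n, n + 1)) return true;
        }
    }

    /** Drop a reference; the last one frees the native memory at a known point in time. */
    void release() {
        if (refs.decrementAndGet() == 0) LIVE.decrementAndGet(); // real code would call the native free here
    }
}

/** Holds the context handed to new connections and swaps it on reload. */
final class ReloadableCtx {
    private final AtomicReference<NativeCtx> current;

    ReloadableCtx(NativeCtx first) { current = new AtomicReference<>(first); }

    /** Called per new connection; the caller must release() when the connection closes. */
    NativeCtx acquire() {
        for (;;) {
            NativeCtx c = current.get();
            if (c.retain()) return c; // retry if a reload freed it in between
        }
    }

    /** Install the renewed certificate's context and drop the holder's reference on the old one. */
    void reload(NativeCtx next) { current.getAndSet(next).release(); }
}

public class Demo {
    public static void main(String[] args) {
        ReloadableCtx holder = new ReloadableCtx(new NativeCtx("cert-2017-07")); // constructed label
        NativeCtx conn = holder.acquire();            // long-lived connection on the old certificate
        holder.reload(new NativeCtx("cert-2017-10")); // renewed keystore picked up
        System.out.println(NativeCtx.LIVE.get());     // old context is still held by conn
        conn.release();                               // connection closes, old context is freed here
        System.out.println(NativeCtx.LIVE.get() + " " + holder.acquire().certLabel);
    }
}
```

With this pattern the number of live native contexts is bounded by the connections still using an old certificate, independent of when the garbage collector runs.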