Support openssl cert hot reload (in approriate ways) #137
Comments
|
Copying over from the mailing list discussion that ensued, citing Viktor Dukhovni:
There is a point in it. Maybe this can be solved differently, but it is a thing. How would SPIFFE react to it - should it become the blessed way of hot reloading certificates? — your preliminary feedback would be interesting to feed back to the OpenSSL mailing list. |
|
If I understand correctly, you're asking for openssl to implement automatic hot-reload of certificates when files containing them are updated. Many existing applications load their certificates from the file system, and so I see the appeal of integrating SPIFFE using that mechanism. But, moving forward it would be better to avoid writing private keys to disk and instead have applications use the Workload API to directly load their keys and certificates. |
I totally agree, however, I'm not sure if OpenSSL want to support a young protocol just yet. I'll feed that back as alternative to the mailing list discussion. Thx! |
|
OpenSSL feels like a little too low level to be a consumer of the Workload API. I could however imagine a shim library that streams keypair updates back from the workload API and pushes them into SSL_CTX's (or otherwise makes them available to code creating SSL_CTX's). |
|
@azdagron that's along the lines of what I'm imagining as well. |
openssl/openssl#12753
Since this is the best available leverage and a silent but powerful enabler for wide-spread and hassle-free SPIFFE adoption, I would propose for involved people to support this motion in appropriate ways — I don't dare to suggest one of those ways at this point, but it might be wise to connect those discussions end-to-end through the entire software stack.
The text was updated successfully, but these errors were encountered: