Posted to dev@trafficserver.apache.org by Zeyuan Yu <ze...@gmail.com> on 2019/02/21 19:13:03 UTC

[API Proposal] TSSslServerCertUpdate and TSSslClientCertUpdate

TSReturnCode TSSslClientCertUpdate(const char *path);
TSReturnCode TSSslServerCertUpdate(const char *path);

Currently, changes to certificates (server and client) in Traffic Server
have to be done via a configuration reload. We have seen requests for a cert
hot reload feature, and the APIs proposed here provide an interface for
plugins to update certificates used in Traffic Server.

TSSslClientCertUpdate and TSSslServerCertUpdate will only handle updated
files and return TS_SUCCESS on successfully updating/replacing certs in use.
If files are added, the configuration should also be updated and reloaded.

I've put up an initial PR (with an example plugin) for the implementation:
https://github.com/dyrock/trafficserver/pull/7
-- 
*Zeyuan Yu*
Software Development Engineer, Verizon Media Group

m: 217.369.5086

Re: [API Proposal] TSSslServerCertUpdate and TSSslClientCertUpdate

Posted by Alan Carroll <so...@verizonmedia.com.INVALID>.
>
> This requires the original file path to have already been loaded? Or just
> the certificate? What happens if the cert wasn't already loaded - that
> returns an error?
>
>

Re: [API Proposal] TSSslServerCertUpdate and TSSslClientCertUpdate

Posted by Zeyuan Yu <ze...@gmail.com>.
After discussion, TSSslClientCertUpdate should take two arguments instead
of just one, since client contexts are stored in a map with keys comprising
both cert and key.

TSReturnCode TSSslClientCertUpdate(const char *cert_path, const char *key_path);

On Thu, Feb 21, 2019 at 1:13 PM, Zeyuan Yu <ze...@gmail.com> wrote:

> TSReturnCode TSSslClientCertUpdate(const char *path);
> TSReturnCode TSSslServerCertUpdate(const char *path);
>
> Currently, changes to certificates (server and client) in Traffic
> Server have to be done via a configuration reload. We have seen requests for
> a cert hot reload feature, and the APIs proposed here provide an interface
> for plugins to update certificates used in Traffic Server.
>
> TSSslClientCertUpdate and TSSslServerCertUpdate will only handle updated
> files and return TS_SUCCESS on successfully updating/replacing certs in use.
> If files are added, the configuration should also be updated and reloaded.
>
> I've put up an initial PR (with an example plugin) for the implementation:
> https://github.com/dyrock/trafficserver/pull/7