Add updateCertChain to SSL ContextImpl #3765
qiwzhang wants to merge 1 commit into envoyproxy:master from
Conversation
Signed-off-by: Wayne Zhang <qiwzhang@google.com>
@PiotrSikora @lizan Could you help review this?
PiotrSikora left a comment
You need to create a new SSL_CTX and swap the old one with it. You cannot mutate an SSL_CTX after an SSL object has already been created from it. cc @davidben FYI
You can reuse the old ContextImpl, though.
@PiotrSikora Thanks. In that case, it is cleaner to use a shared_ptr for the SSL context object. Will use a new ContextImpl for a new SSL_CTX. I have re-opened this PR: #3754
I think it is cleaner to create a new ContextImpl for each updated ContextConfig instead of using the same ContextImpl to update its internal SSL_CTX. There are many fields in ContextImpl besides ctx_, especially some callback flags. We could not just replace SSL_CTX ctx_ without replacing the other fields. If we are replacing the other fields, then why not just create a new instance.
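The ownership model discussed in the two comments above (never mutate a live SSL_CTX; build a fresh context per updated config and swap it in, with connections holding it through a shared_ptr), as an added illustration that is not Envoy's code: the `SslContext`, `ContextHolder` and `Connection` types are stand-ins I assume for ContextImpl, its owner and a TLS socket, and the `cert-v1`/`cert-v2` strings are constructed samples in place of a real SSL_CTX.

```cpp
// Added example, not Envoy's code: the swap-not-mutate pattern for rotating
// a TLS context. SslContext stands in for a ContextImpl wrapping one SSL_CTX
// (assumption: no OpenSSL linkage here); the point is ownership and lifetime.
#include <memory>
#include <mutex>
#include <string>

// Immutable once built, exactly like an SSL_CTX that already has SSL objects.
struct SslContext {
  std::string cert_chain;   // constructed sample; a real one holds an SSL_CTX*
  std::string private_key;
};

// The object SDS updates. It never touches an existing context: it builds a
// new one and swaps the pointer, so in-flight handshakes are unaffected.
class ContextHolder {
 public:
  explicit ContextHolder(std::shared_ptr<const SslContext> c) : ctx_(std::move(c)) {}

  // Called on an SDS push. Connections that snapshotted the old context keep
  // it alive through their own shared_ptr until they close.
  void update(std::string cert_chain, std::string key) {
    auto fresh = std::make_shared<const SslContext>(
        SslContext{std::move(cert_chain), std::move(key)});
    std::lock_guard<std::mutex> lock(mu_);
    ctx_ = std::move(fresh);
  }

  // New connections pin the current context at accept time.
  std::shared_ptr<const SslContext> snapshot() const {
    std::lock_guard<std::mutex> lock(mu_);
    return ctx_;
  }

 private:
  mutable std::mutex mu_;
  std::shared_ptr<const SslContext> ctx_;
};

// A connection owns a reference to the context it handshook with.
struct Connection { std::shared_ptr<const SslContext> ctx; };

struct RotationResult { std::string old_conn_cert; std::string new_conn_cert; long old_use_count; };

// Worked rotation: an open connection under v1, then an SDS update to v2.
RotationResult rotateOnce() {
  ContextHolder holder(std::make_shared<const SslContext>(SslContext{"cert-v1", "key-v1"}));
  Connection c1{holder.snapshot()};      // handshook under v1
  holder.update("cert-v2", "key-v2");    // SDS pushes the new certificate
  Connection c2{holder.snapshot()};      // a new connection gets v2
  // c1 is now the sole owner of v1; it is freed when c1 closes, not before.
  return {c1.ctx->cert_chain, c2.ctx->cert_chain, c1.ctx.use_count()};
}
```

The holder drops its reference to the old context on update, so the old SSL_CTX lives exactly as long as the last connection still using it, and a new listener socket never sees a half-updated context.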
Signed-off-by: Wayne Zhang <qiwzhang@google.com>
Description:
This is one of the PRs to support SDS dynamic secrets. Please see the high-level design PR: #3748
In this PR, a new function updateCertChain is added to the SSL ContextImpl class to update the SSL ctx for the cert chain. It will be used when a certificate is updated from SDS: the Context object will update its internal SSL_CTX with the new certificates.
Risk Level: Low
Testing: Unit-test
Docs Changes: None
Release Notes: None