always force reload cert so we get a new x509 store.

Otherwise older OpenSSL or current LibreSSL will fail to add the new CRL as they still match on subject name rather then hash of the CRL data.
2019-01-14 20:57:40 +01:00 · 2019-01-14 20:57:40 +01:00 · d6b05bcff7
parent 73cdbd1a01
commit d6b05bcff7
3 changed files with 5 additions and 20 deletions
--- a/include/kore/kore.h
+++ b/include/kore/kore.h
@ -411,9 +411,7 @@ struct kore_domain {
 #if !defined(KORE_NO_TLS)
 	char					*cafile;
 	char					*crlfile;
-	time_t					crl_mtime;
 	char					*certfile;
-	time_t					cert_mtime;
 	char					*certkey;
 	SSL_CTX					*ssl_ctx;
 	int					x509_verify_depth;
--- a/src/domain.c
+++ b/src/domain.c
@ -210,9 +210,6 @@ kore_domain_new(char *domain)
 	dom->ssl_ctx = NULL;
 	dom->certfile = NULL;
 	dom->crlfile = NULL;
-
-	dom->crl_mtime = 0;
-	dom->cert_mtime = 0;
 	dom->x509_verify_depth = 1;
 #endif
 	dom->domain = kore_strdup(domain);
--- a/src/keymgr.c
+++ b/src/keymgr.c
@ -73,7 +73,7 @@ static void	keymgr_entropy_request(struct kore_msg *, const void *);
 static void	keymgr_certificate_request(struct kore_msg *, const void *);
 static void	keymgr_submit_certificates(struct kore_domain *, u_int16_t);
 static void	keymgr_submit_file(u_int8_t, struct kore_domain *,
-		    const char *, u_int16_t, time_t *, int);
+		    const char *, u_int16_t, int);

 static void	keymgr_rsa_encrypt(struct kore_msg *, const void *,
 		    struct key *);
@ -197,18 +197,15 @@ keymgr_reload(void)
 static void
 keymgr_submit_certificates(struct kore_domain *dom, u_int16_t dst)
 {
-	keymgr_submit_file(KORE_MSG_CERTIFICATE,
-	    dom, dom->certfile, dst, &dom->cert_mtime, 0);
+	keymgr_submit_file(KORE_MSG_CERTIFICATE, dom, dom->certfile, dst, 0);

-	if (dom->crlfile != NULL) {
-		keymgr_submit_file(KORE_MSG_CRL,
-		    dom, dom->crlfile, dst, &dom->crl_mtime, 1);
-	}
+	if (dom->crlfile != NULL)
+		keymgr_submit_file(KORE_MSG_CRL, dom, dom->crlfile, dst, 1);
 }

 static void
 keymgr_submit_file(u_int8_t id, struct kore_domain *dom,
-    const char *file, u_int16_t dst, time_t *mtime, int can_fail)
+    const char *file, u_int16_t dst, int can_fail)
 {
 	int				fd;
 	struct stat			st;
@ -234,13 +231,6 @@ keymgr_submit_file(u_int8_t id, struct kore_domain *dom,
 		    (intmax_t)st.st_size);
 	}

-	if (st.st_mtime == *mtime) {
-		close(fd);
-		return;
-	}
-
-	*mtime = st.st_mtime;
-
 	len = sizeof(*msg) + st.st_size;
 	payload = kore_calloc(1, len);