always force reload cert so we get a new x509 store.
Otherwise older OpenSSL or current LibreSSL will fail to add the new CRL as they still match on subject name rather than hash of the CRL data.
This commit is contained in:
parent
73cdbd1a01
commit
d6b05bcff7
@ -411,9 +411,7 @@ struct kore_domain {
|
||||||
#if !defined(KORE_NO_TLS)
|
#if !defined(KORE_NO_TLS)
|
||||||
char *cafile;
|
char *cafile;
|
||||||
char *crlfile;
|
char *crlfile;
|
||||||
time_t crl_mtime;
|
|
||||||
char *certfile;
|
char *certfile;
|
||||||
time_t cert_mtime;
|
|
||||||
char *certkey;
|
char *certkey;
|
||||||
SSL_CTX *ssl_ctx;
|
SSL_CTX *ssl_ctx;
|
||||||
int x509_verify_depth;
|
int x509_verify_depth;
|
@ -210,9 +210,6 @@ kore_domain_new(char *domain)
|
||||||
dom->ssl_ctx = NULL;
|
dom->ssl_ctx = NULL;
|
||||||
dom->certfile = NULL;
|
dom->certfile = NULL;
|
||||||
dom->crlfile = NULL;
|
dom->crlfile = NULL;
|
||||||
|
|
||||||
dom->crl_mtime = 0;
|
|
||||||
dom->cert_mtime = 0;
|
|
||||||
dom->x509_verify_depth = 1;
|
dom->x509_verify_depth = 1;
|
||||||
#endif
|
#endif
|
||||||
dom->domain = kore_strdup(domain);
|
dom->domain = kore_strdup(domain);
|
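--- a/src/keymgr.c
+++ b/src/keymgr.c
@@ -73,7 +73,7 @@ static void keymgr_entropy_request(struct kore_msg *, const void *);
 static void keymgr_certificate_request(struct kore_msg *, const void *);
 static void keymgr_submit_certificates(struct kore_domain *, u_int16_t);
 static void keymgr_submit_file(u_int8_t, struct kore_domain *,
-const char *, u_int16_t, time_t *, int);
+const char *, u_int16_t, int);
 
 static void keymgr_rsa_encrypt(struct kore_msg *, const void *,
 struct key *);
@@ -197,18 +197,15 @@ keymgr_reload(void)
 static void
 keymgr_submit_certificates(struct kore_domain *dom, u_int16_t dst)
 {
-keymgr_submit_file(KORE_MSG_CERTIFICATE,
-dom, dom->certfile, dst, &dom->cert_mtime, 0);
+keymgr_submit_file(KORE_MSG_CERTIFICATE, dom, dom->certfile, dst, 0);
 
-if (dom->crlfile != NULL) {
-keymgr_submit_file(KORE_MSG_CRL,
-dom, dom->crlfile, dst, &dom->crl_mtime, 1);
-}
+if (dom->crlfile != NULL)
+keymgr_submit_file(KORE_MSG_CRL, dom, dom->crlfile, dst, 1);
 }
 
 static void
 keymgr_submit_file(u_int8_t id, struct kore_domain *dom,
-const char *file, u_int16_t dst, time_t *mtime, int can_fail)
+const char *file, u_int16_t dst, int can_fail)
 {
 int fd;
 struct stat st;
@@ -234,13 +231,6 @@ keymgr_submit_file(u_int8_t id, struct kore_domain *dom,
 (intmax_t)st.st_size);
 }
 
-if (st.st_mtime == *mtime) {
-close(fd);
-return;
-}
-
-*mtime = st.st_mtime;
-
 len = sizeof(*msg) + st.st_size;
 payload = kore_calloc(1, len);
 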
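Review bot: The unconditional resubmission in keymgr_submit_certificates (second hunk of this file) should carry a comment, because the removed mtime short-circuit reads like an optimisation a later maintainer could reinstate and thereby reintroduce the stale-CRL problem this commit fixes. I would put above the first keymgr_submit_file call: `/* Always resubmit, even if the file is unchanged on disk: the receiving side must rebuild its X509 store, since older OpenSSL and LibreSSL match CRLs by issuer name rather than content and would otherwise keep the stale CRL. */`. It is also worth recording that the mtime comparison was never a reliable freshness check (a CRL rewritten within the same second, or with a preserved timestamp, would not have been picked up), so the new behaviour is the safer default rather than just a workaround. keymgr_submit_file's body continues outside the third hunk, where the stat() result is presumably still used for st_size; only the mtime comparison and the now-unused crl_mtime/cert_mtime fields from the earlier struct hunk are gone.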