// Set the private key and certificate chain for the global SSL Context.
// This is called during initialization, and can be called again later if the certificate changes.
void bind_to_key_and_certificate(void) {
+ SSL_CTX *old_ctx, *new_ctx;
+
+ if (!(new_ctx = SSL_CTX_new(SSLv23_server_method()))) {
+ syslog(LOG_WARNING, "SSL_CTX_new failed: %s", ERR_reason_error_string(ERR_get_error()));
+ return;
+ }
+
+ syslog(LOG_INFO, "Requesting cipher list: %s", ssl_cipher_list);
+ if (!(SSL_CTX_set_cipher_list(new_ctx, ssl_cipher_list))) {
+ syslog(LOG_WARNING, "SSL_CTX_set_cipher_list failed: %s", ERR_reason_error_string(ERR_get_error()));
+ return;
+ }
+
if (IsEmptyStr(key_file)) {
snprintf(key_file, sizeof key_file, "%s/keys/citadel.key", ctdl_dir);
}
syslog(LOG_DEBUG, "crypto: [re]installing key \"%s\" and certificate \"%s\"", key_file, cert_file);
- SSL_CTX_use_certificate_chain_file(ssl_ctx, cert_file);
- SSL_CTX_use_PrivateKey_file(ssl_ctx, key_file, SSL_FILETYPE_PEM);
+ SSL_CTX_use_certificate_chain_file(new_ctx, cert_file);
+ SSL_CTX_use_PrivateKey_file(new_ctx, key_file, SSL_FILETYPE_PEM);
- if ( !SSL_CTX_check_private_key(ssl_ctx) ) {
+ if ( !SSL_CTX_check_private_key(new_ctx) ) {
syslog(LOG_WARNING, "crypto: cannot install certificate: %s", ERR_reason_error_string(ERR_get_error()));
}
+
+ old_ctx = ssl_ctx;
+ ssl_ctx = new_ctx;
+ sleep(1);
+ SSL_CTX_free(old_ctx);
}
// Initialize SSL transport layer
SSL_library_init();
SSL_load_error_strings();
- if (!(ssl_ctx = SSL_CTX_new(SSLv23_server_method()))) {
- syslog(LOG_WARNING, "SSL_CTX_new failed: %s", ERR_reason_error_string(ERR_get_error()));
- return;
- }
-
- syslog(LOG_INFO, "Requesting cipher list: %s", ssl_cipher_list);
- if (!(SSL_CTX_set_cipher_list(ssl_ctx, ssl_cipher_list))) {
- syslog(LOG_WARNING, "SSL_CTX_set_cipher_list failed: %s", ERR_reason_error_string(ERR_get_error()));
- return;
- }
// Now try to bind to the key and certificate.
bind_to_key_and_certificate();