author | Kevin Lin <developer@kevinlin.info> | 2019-09-21 14:25:01 -0700 |
committer | dormando <dormando@rydia.net> | 2019-09-28 00:37:11 -0700 |
commit | af65dccf86862557568c9d466f2e35451a93954a (patch) | |
tree | 9feb0b085ebb852f9c1cfedd7c5d21936afd3d91 /tls.c | |
parent | 06d06ff9477780d82ef3a1851525e3bc2aa4280f (diff) | |
download | memcached-af65dccf86862557568c9d466f2e35451a93954a.tar.gz |
Reload CA cert in refresh routine
This change also reloads the CA certificate, if supplied, in addition
to the certificate and private key when the server receives a
`refresh_certs` command.
Diffstat (limited to 'tls.c')
-rw-r--r-- | tls.c | 29 |
1 files changed, 12 insertions, 17 deletions
@@ -107,11 +107,20 @@ static bool load_server_certificates(char **errmsg) {
 } else if (!SSL_CTX_check_private_key(settings.ssl_ctx)) {
 snprintf(error_msg, errmax, "Error validating the certificate\r\n");
 success = false;
- } else {
- settings.ssl_last_cert_refresh_time = current_time;
+ } else if (settings.ssl_ca_cert) {
+ if (!SSL_CTX_load_verify_locations(settings.ssl_ctx,
+ settings.ssl_ca_cert, NULL)) {
+ snprintf(error_msg, errmax,
+ "Error loading the CA certificate: %s\r\n", settings.ssl_ca_cert);
+ success = false;
+ } else {
+ SSL_CTX_set_client_CA_list(settings.ssl_ctx,
+ SSL_load_client_CA_file(settings.ssl_ca_cert));
+ }
 }
 SSL_UNLOCK();
 if (success) {
+ settings.ssl_last_cert_refresh_time = current_time;
 free(error_msg);
 } else {
 *errmsg = error_msg;
@@ -152,21 +161,7 @@ int ssl_init(void) {
 }
 exit(EX_USAGE);
 }
- // List of acceptable CAs for client certificates.
- if (settings.ssl_ca_cert)
- {
- SSL_CTX_set_client_CA_list(settings.ssl_ctx,
- SSL_load_client_CA_file(settings.ssl_ca_cert));
- if (!SSL_CTX_load_verify_locations(settings.ssl_ctx,
- settings.ssl_ca_cert, NULL)) {
- if (settings.verbose) {
- fprintf(stderr, "Error loading the client CA cert (%s)\n",
- settings.ssl_ca_cert);
- }
- exit(EX_USAGE);
- }
- }
- settings.ssl_last_cert_refresh_time = current_time;
+
 return 0;
 }
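Review bot: The result of `SSL_load_client_CA_file(settings.ssl_ca_cert)` handed straight to `SSL_CTX_set_client_CA_list` in the new `else` branch is never checked; it returns NULL when the file yields no usable names, so a CA file that passes `SSL_CTX_load_verify_locations` but fails here would silently clear the list of acceptable client CAs while the refresh still reports success and updates `ssl_last_cert_refresh_time`. Capture the stack first and report the failure the same way the `SSL_CTX_load_verify_locations` branch does, as in the excerpt below. Separately, as far as I know `SSL_CTX_load_verify_locations` adds to the context's existing X509_STORE rather than replacing it, so a refresh can introduce new trust anchors but cannot withdraw a CA that was loaded earlier — a replacement file meant to distrust an old CA will not take effect until restart. That limitation deserves a comment on the call, e.g. `// NOTE: appends to the existing cert store; CAs loaded earlier stay trusted until restart`, or a fresh store installed via `SSL_CTX_set_cert_store`. load_server_certificates begins outside the hunk.
```c
        } else {
            STACK_OF(X509_NAME) *client_cas =
                SSL_load_client_CA_file(settings.ssl_ca_cert);
            if (client_cas == NULL) {
                snprintf(error_msg, errmax,
                         "Error loading the CA certificate: %s\r\n", settings.ssl_ca_cert);
                success = false;
            } else {
                SSL_CTX_set_client_CA_list(settings.ssl_ctx, client_cas);
            }
        }
    /* … unchanged: SSL_UNLOCK() and the success / errmsg handling … */
```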