Date: Fri, 4 Sep 2020 01:20:35 +0000
From: Rick Macklem <rmacklem@uoguelph.ca>
To: "freebsd-current@freebsd.org" <freebsd-current@freebsd.org>
Subject: rfc: should extant TLS connections be closed when a CRL is updated?
Message-ID: <YTBPR01MB39668EB1E7D4B42DFC5F50A6DD2D0@YTBPR01MB3966.CANPRD01.PROD.OUTLOOK.COM>
Hi,

The server side NFS over TLS daemon (rpc.tlsservd) can reload an updated
CRL (Certificate Revocation List) when a SIGHUP is posted to it.
However, it does not SSL_shutdown()/close() extant TCP connections using TLS.
(Those would only be closed if the daemon is restarted.)

I am now thinking that, maybe, an SSL_shutdown()/close() should be done on
all extant TCP connections using NFS over TLS when an updated CRL is loaded,
since a connection might have used a revoked certificate for its handshake.

What do others think?

Thanks, rick
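One way to act on the question raised in the message above, as an added example that is not code from rpc.tlsservd or from the author: a registry of live TLS connections keyed by the peer certificate's issuer and serial (the shape `ssl.SSLSocket.getpeercert()` returns), with a CRL-reload hook that either shuts down every extant connection, as the message proposes, or only those whose peer certificate the freshly loaded CRL revokes. `CertId`, `Crl`, `ConnectionRegistry`, `install_sighup_handler` and the sample certificate data are all constructed assumptions for this illustration; parsing the CRL file and the actual SSL_shutdown()/close() calls are left to the caller-supplied `load_crls` and `shutdown` callbacks.

```python
import signal
import threading
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Tuple


# Peer identity as reported by ssl.SSLSocket.getpeercert(): 'issuer' is a tuple of
# RDNs and 'serialNumber' is a hex string. A (issuer, serial) pair is what a CRL
# entry identifies, so that is the key we keep per connection.
@dataclass(frozen=True)
class CertId:
    issuer: Tuple
    serial: str  # hex, normalised: upper-case, separators and leading zeros stripped


def normalise_serial(hex_serial: str) -> str:
    s = hex_serial.upper().replace(":", "").lstrip("0")
    return s or "0"


def cert_id_from_peercert(peercert: dict) -> CertId:
    return CertId(issuer=tuple(peercert["issuer"]),
                  serial=normalise_serial(peercert["serialNumber"]))


@dataclass(frozen=True)
class Crl:
    """Constructed in-memory view of a loaded CRL: the issuer and its revoked serials."""
    issuer: Tuple
    revoked: frozenset  # normalised serials

    def revokes(self, cid: CertId) -> bool:
        # A CRL only speaks for certificates issued by its own issuer; a matching
        # serial under a different CA is a different certificate.
        return cid.issuer == self.issuer and cid.serial in self.revoked


class ConnectionRegistry:
    """Tracks live TLS connections so a CRL reload can shut down the ones it invalidates."""

    def __init__(self) -> None:
        self._lock = threading.Lock()
        # conn_id -> (peer certificate id or None, callback performing SSL_shutdown/close)
        self._conns: Dict[int, Tuple[Optional[CertId], Callable[[], None]]] = {}

    def register(self, conn_id: int, peercert: Optional[dict], shutdown: Callable[[], None]) -> None:
        # getpeercert() returns {} when the peer presented no certificate.
        cid = cert_id_from_peercert(peercert) if peercert else None
        with self._lock:
            self._conns[conn_id] = (cid, shutdown)

    def unregister(self, conn_id: int) -> None:
        with self._lock:
            self._conns.pop(conn_id, None)

    def live(self) -> List[int]:
        with self._lock:
            return sorted(self._conns)

    def on_crl_reload(self, crls: Iterable[Crl], close_all: bool = False) -> List[int]:
        """Close connections invalidated by the new CRLs (or all of them); return their ids."""
        crls = list(crls)
        with self._lock:
            victims = [cid for cid, (cert, _) in self._conns.items()
                       if close_all or (cert is not None and any(c.revokes(cert) for c in crls))]
            handlers = [self._conns.pop(cid)[1] for cid in victims]
        # Run the shutdown callbacks outside the lock: a peer that stalls in
        # SSL_shutdown() must not block registration of other connections.
        for h in handlers:
            h()
        return sorted(victims)


def install_sighup_handler(registry: ConnectionRegistry,
                           load_crls: Callable[[], Iterable[Crl]],
                           close_all: bool = False) -> None:
    """Mirror the daemon's SIGHUP reload, but follow it with the connection sweep."""
    def handler(signum, frame):
        registry.on_crl_reload(load_crls(), close_all=close_all)
    signal.signal(signal.SIGHUP, handler)


def demo() -> dict:
    # Constructed sample data, not real certificates or CRLs.
    ca = ((("organizationName", "Example NFS CA"),), (("commonName", "Example NFS CA"),))
    other_ca = ((("commonName", "Unrelated CA"),),)
    reg = ConnectionRegistry()
    closed_log: List[int] = []
    for conn_id, cert in [
        (1, {"issuer": ca, "serialNumber": "0A1B"}),
        (2, {"issuer": ca, "serialNumber": "0A1C"}),
        (3, {"issuer": other_ca, "serialNumber": "0A1B"}),  # same serial, different issuer
        (4, None),                                            # no client certificate
    ]:
        reg.register(conn_id, cert, lambda c=conn_id: closed_log.append(c))
    crl = Crl(issuer=ca, revoked=frozenset({"A1B"}))
    closed = reg.on_crl_reload([crl])              # targeted: only the revoked peer
    remaining = reg.live()
    closed_all = reg.on_crl_reload([crl], close_all=True)  # the blanket policy proposed above
    return {"closed": closed, "remaining": remaining, "closed_all": closed_all, "log": closed_log}
```

The targeted sweep closes only connection 1 (revoked serial under the CRL's issuer) and keeps connection 3, whose serial coincides under a different CA; the blanket policy then drops everything that is left. Closing only revoked peers avoids dropping healthy NFS mounts on every CRL refresh, at the cost of having to record each connection's peer certificate at handshake time.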