@mhalbritter mhalbritter commented Oct 10, 2023

Implements reloading of SSL bundles. Netty and Tomcat react to SSL bundle reload and hot-reload their SSL certificates (existing connections use the old key material, new connections use the new material).

Implemented a FileWatcher based on java.nio to watch for file changes.

Adds new properties to JKS and PEM bundles to control reload. If reload is enabled, the keystore / key files / certificate files are automatically watched and the SSL bundle is reloaded if they change (which in turn will trigger reload of SSL in Tomcat / Netty).

I had to refactor the PemContent class a bit, because we now need to know in 2 places whether the PEM SSL bundle configuration points to a URL or is PEM content.
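
A minimal java.nio watcher of the kind the description above mentions, as an added example that is not the PR's FileWatcher. The class name `CertFileWatcher`, the quiet-period parameter and the file paths are assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.file.*;
import java.time.Duration;
import java.util.HashSet;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import static java.nio.file.StandardWatchEventKinds.*;
// Hypothetical class for illustration; not Spring Boot's FileWatcher.
public class CertFileWatcher {
    // Blocks the calling thread and runs onChange once per burst of changes.
    public static void watch(Set<Path> files, Duration quietPeriod, Runnable onChange)
            throws IOException, InterruptedException {
        try (WatchService ws = FileSystems.getDefault().newWatchService()) {
            Set<Path> targets = new HashSet<>();
            for (Path f : files) {
                // WatchService registers directories, not files: watch the parent.
                Path abs = f.toAbsolutePath().normalize();
                targets.add(abs);
                abs.getParent().register(ws, ENTRY_CREATE, ENTRY_MODIFY);
            }
            boolean dirty = false;
            while (true) {
                // With a change pending, wait only for the quiet period, so a certificate
                // and key written in two steps are normally picked up by a single reload.
                WatchKey key = dirty
                        ? ws.poll(quietPeriod.toMillis(), TimeUnit.MILLISECONDS) : ws.take();
                if (key == null) { // quiet period elapsed with no further events
                    dirty = false;
                    onChange.run();
                    continue;
                }
                Path dir = (Path) key.watchable();
                for (WatchEvent<?> ev : key.pollEvents()) {
                    // OVERFLOW means events were dropped: assume a watched file changed.
                    if (ev.kind() == OVERFLOW || targets.contains(dir.resolve((Path) ev.context()))) {
                        dirty = true;
                    }
                }
                if (!key.reset()) {
                    throw new IOException("Watched directory no longer accessible: " + dir);
                }
            }
        }
    }
    public static void main(String[] args) throws Exception {
        Set<Path> files = Set.of(Path.of("certs/server.crt"), Path.of("certs/server.key")); // constructed
        watch(files, Duration.ofSeconds(2), () -> System.out.println("reload SSL bundle here"));
    }
}
```

The callback should load and validate the new key material first and swap it in only on success, so a truncated or mismatched write leaves the server on the certificate it already has.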

@mhalbritter mhalbritter added type: enhancement A general enhancement status: waiting-for-triage An issue we've not yet triaged labels Oct 10, 2023
@mhalbritter mhalbritter added this to the 3.2.x milestone Oct 10, 2023
nativeBuildToolsVersion=0.9.27
springFrameworkVersion=6.1.0-SNAPSHOT
tomcatVersion=10.1.13
tomcatVersion=10.1.14
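Review bot: the tomcatVersion change from 10.1.13 to 10.1.14 is a build-wide dependency bump carried inside a feature change, with nothing alongside it saying what needs the newer release. State the API that requires 10.1.14 in the commit message, or land the bump as its own commit so any regression it causes can be bisected separately from the reload work.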
Contributor Author

This breaks some tests, which I haven't fixed in this PR. I had to upgrade the Tomcat version to be able to call protocol.addSslHostConfig(sslHostConfig, true);

@mhalbritter mhalbritter force-pushed the mh/37131-investigate-hot-reloading-of-tls-certificates-for-embedded-web-servers branch from c9e4595 to 438781e Compare October 12, 2023 11:22
@mhalbritter
Contributor Author

@philwebb did a pass over the code, and I force-pushed this PR with his changes. Besides the Tomcat upgrade, which breaks some tests, this is ready to merge.

@mhalbritter mhalbritter added status: blocked An issue that's blocked on an external project change and removed status: waiting-for-triage An issue we've not yet triaged labels Oct 12, 2023
@wilkinsona wilkinsona removed the status: blocked An issue that's blocked on an external project change label Oct 16, 2023
@wilkinsona wilkinsona modified the milestones: 3.2.x, 3.2.0-RC1 Oct 16, 2023
wilkinsona added a commit that referenced this pull request Oct 18, 2023