diff --git a/ChangeLog b/ChangeLog index 0ae86bc..9339215 100644 --- a/ChangeLog +++ b/ChangeLog @@ -6,6 +6,7 @@ Changes between 1.6.8 and the master branch Enhancements: - Support the use of OpenSSL version 1.1 series (RADSECPROXY-66). + - Reload TLS certificate CRLs on SIGHUP Misc: - libnettle is now an unconditional dependency. diff --git a/radsecproxy.c b/radsecproxy.c index a90fb94..98b065e 100644 --- a/radsecproxy.c +++ b/radsecproxy.c @@ -3257,6 +3257,9 @@ void *sighandler(void *arg) { case SIGHUP: debug(DBG_INFO, "sighandler: got SIGHUP"); debug_reopen_log(); +#if defined(RADPROT_TLS) || defined(RADPROT_DTLS) + tlsreloadcrls(); +#endif break; case SIGPIPE: debug(DBG_WARN, "sighandler: got SIGPIPE, TLS write error?"); diff --git a/tlscommon.c b/tlscommon.c index 842b955..8ca67f0 100644 --- a/tlscommon.c +++ b/tlscommon.c @@ -335,6 +335,32 @@ SSL_CTX *tlsgetctx(uint8_t type, struct tls *t) { return NULL; } +void tlsreloadcrls() { + struct tls *conf; + struct hash_entry *entry; + struct timeval now; + + gettimeofday(&now, NULL); + + for (entry = hash_first(tlsconfs); entry; entry = hash_next(entry)) { + conf = (struct tls *)entry->data; +#ifdef RADPROT_TLS + if (conf->tlsctx) { + if (conf->tlsexpiry) + conf->tlsexpiry = now.tv_sec + conf->cacheexpiry; + tlsaddcacrl(conf->tlsctx, conf); + } +#endif +#ifdef RADPROT_DTLS + if (conf->dtlsctx) { + if (conf->dtlsexpiry) + conf->dtlsexpiry = now.tv_sec + conf->cacheexpiry; + tlsaddcacrl(conf->dtlsctx, conf); + } +#endif + } +} + X509 *verifytlscert(SSL *ssl) { X509 *cert; unsigned long error; diff --git a/tlscommon.h b/tlscommon.h index 5f8f149..2b98a9c 100644 --- a/tlscommon.h +++ b/tlscommon.h @@ -33,6 +33,7 @@ X509 *verifytlscert(SSL *ssl); int verifyconfcert(X509 *cert, struct clsrvconf *conf); int conftls_cb(struct gconffile **cf, void *arg, char *block, char *opt, char *val); int addmatchcertattr(struct clsrvconf *conf); +void tlsreloadcrls(); #endif /* Local Variables: */