Unverified Commit 11eb6687 authored by David Arnold's avatar David Arnold

ITS#9326 - Renew TLS contexts on SIGUSR2

For process managers that want to signal cert roll-over
parent f876eac3
......@@ -3488,6 +3488,44 @@ slap_sig_wake( int sig )
errno = save_errno;
}
#ifdef HAVE_TLS
RETSIGTYPE
slap_sig_renew_tls_ctx( int sig )
{
int save_errno = errno;
int rc;
int opt0 = 0;
rc = ldap_pvt_tls_set_option( slap_tls_ld, LDAP_OPT_X_TLS_NEWCTX, &opt0 );
if( rc == 0 ) {
/* The ctx's refcount is bumped up here */
ldap_pvt_tls_get_option( slap_tls_ld, LDAP_OPT_X_TLS_CTX, &slap_tls_ctx );
load_extop( &slap_EXOP_START_TLS, 0, starttls_extop );
} else if ( rc != LDAP_NOT_SUPPORTED ) {
Debug( LDAP_DEBUG_ANY,
"daemon: TLS renew def ctx failed: %d\n",
rc );
}
int opt1 = 1;
rc = ldap_pvt_tls_set_option( slap_tls_ld, LDAP_OPT_X_TLS_NEWCTX, &opt1 );
if( rc == 0 ) {
/* The ctx's refcount is bumped up here */
ldap_pvt_tls_get_option( slap_tls_ld, LDAP_OPT_X_TLS_CTX, &slap_tls_ctx );
load_extop( &slap_EXOP_START_TLS, 0, starttls_extop );
} else if ( rc != LDAP_NOT_SUPPORTED ) {
Debug( LDAP_DEBUG_ANY,
"daemon: TLS renew server ctx failed: %d\n",
rc );
}
/* reinstall self */
(void) SIGNAL_REINSTALL( sig, slap_sig_renew_tls_ctx );
errno = save_errno;
}
#endif
int
slap_pause_server( void )
{
......
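Review bot: slap_sig_renew_tls_ctx performs the whole context rebuild inside the signal handler: ldap_pvt_tls_set_option with LDAP_OPT_X_TLS_NEWCTX creates a new context, and ldap_pvt_tls_get_option, load_extop and Debug presumably allocate and take locks, none of which is async-signal-safe, so a SIGUSR2 that lands while a worker thread holds the allocator or a TLS library lock can deadlock or corrupt state in a multithreaded slapd. The safer shape is the one the adjacent handlers appear to use: set a `volatile sig_atomic_t` flag, wake the listener, and let the daemon loop run the renewal on its own thread. A second point at lines 20–29: the opt0 (client-context) branch also overwrites slap_tls_ctx and reloads the StartTLS extop, duplicating the opt1 (server) branch, so if the second set_option fails slap_tls_ctx is left pointing at the client context, and if LDAP_OPT_X_TLS_CTX bumps the reference count as the comments say, the reference on the previous context is never released on either path; drop the get_option/load_extop calls from the opt0 branch and release the old slap_tls_ctx (ldap_pvt_tls_ctx_free) before replacing it. The rewritten handler below keeps the signature from proto-slap.h; the renewal body moves to a helper the listener loop calls when the flag is set.
```c
static volatile sig_atomic_t slap_tls_renew_pending;

RETSIGTYPE
slap_sig_renew_tls_ctx( int sig )
{
	int save_errno = errno;

	/* only async-signal-safe work here; the listener loop does the renewal */
	slap_tls_renew_pending = 1;
	slap_wake_listener();

	/* reinstall self */
	(void) SIGNAL_REINSTALL( sig, slap_sig_renew_tls_ctx );
	errno = save_errno;
}

/* … unchanged: the NEWCTX/CTX/load_extop sequence, now in a helper called from
 * the daemon loop when slap_tls_renew_pending is set, with the opt0 branch
 * reduced to the set_option call and the old slap_tls_ctx released first … */
```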
......@@ -893,7 +893,11 @@ unhandled_option:;
#endif
(void) SIGNAL( LDAP_SIGUSR1, slap_sig_wake );
#ifdef HAVE_TLS
(void) SIGNAL( LDAP_SIGUSR2, slap_sig_renew_tls_ctx );
#else
(void) SIGNAL( LDAP_SIGUSR2, slap_sig_shutdown );
#endif
#ifdef SIGPIPE
(void) SIGNAL( SIGPIPE, SIG_IGN );
......
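Review bot: The meaning of SIGUSR2 now depends on the build configuration: with HAVE_TLS it renews the TLS contexts, without it the #else branch still installs slap_sig_shutdown, so a process manager that sends SIGUSR2 for cert roll-over to a slapd built without TLS terminates the server instead. Either document this split in the slapd(8) signal list or install a no-op handler (a reinstall-only handler like slap_sig_wake's shape) in the #else branch so the signal is harmless on every build. The enclosing function starts and ends outside the hunk.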
......@@ -886,6 +886,9 @@ LDAP_SLAPD_F (void) slapd_remove LDAP_P((ber_socket_t s, Sockbuf *sb,
LDAP_SLAPD_F (RETSIGTYPE) slap_sig_shutdown LDAP_P((int sig));
LDAP_SLAPD_F (RETSIGTYPE) slap_sig_wake LDAP_P((int sig));
#ifdef HAVE_TLS
LDAP_SLAPD_F (RETSIGTYPE) slap_sig_renew_tls_ctx LDAP_P((int sig));
#endif
LDAP_SLAPD_F (void) slap_wake_listener LDAP_P((void));
LDAP_SLAPD_F (void) slap_suspend_listeners LDAP_P((void));
......