rfc: should extant TLS connections be closed when a CRL is updated?
Rick Macklem
rmacklem at uoguelph.ca
Fri Sep 4 01:20:44 UTC 2020
Hi,
The server side NFS over TLS daemon (rpc.tlsservd) can reload an updated
CRL (Certificate Revocation List) when a SIGHUP is posted to it.
However, it does not SSL_shutdown()/close() extant TCP connections using TLS.
(Those would only be closed if the daemon is restarted.)
I am now thinking that, maybe, an SSL_shutdown()/close() should be done on
all extant TCP connections using NFS over TLS when an updated CRL is loaded,
since a connection might have used a revoked certificate for its handshake.
What do others think?
Thanks, rick
More information about the freebsd-current
mailing list