@rrb3942 rrb3942 commented Nov 19, 2025

Summary
The current reload implementation for tls_mgm only supports reloading domains from the database. This patch set refactors reloading to support re-initializing domains configured from the script so that certificates can be refreshed at runtime and allows for better integration with tools like certbot and its post-renew hooks.

I used aider with gemini 2.5 pro to make these changes.

Details
Refactors how domains are loaded/reloaded to centralize all of the logic and make it reusable for mod_init as well. Script domain configurations are now populated into templates that are used for copying and re-initializing later with updated certificates, etc.

The domain lists and matching maps are now wholesale replaced at reload time instead of some of the incremental updating that was done before. Locking has been re-worked so that the global write lock is only held during the pointer swap for these.

If any part of the reload fails before the pointer swap, the reload is aborted and the current configuration remains active.

Cleanup of the old configuration happens outside of the global write lock.

I think this is an overall better approach to reloading compared to the old implementation.

Other fixes/changes:
Unified access to the tls_dom via SSL_get_ex_data. This makes it more consistent with how reference counting is done.

Fixed some of the reference counting in tls_sni_cb(), where it was releasing the currently used dom when failing to set the new one.

Also added some length checks before copying into a fixed-size buffer.

Solution
Now tls_reload will also reload certificates for script defined domains.

Compatibility
Should not cause any compatibility issues.

I have tested the file reloading with concurrent connection attempts without issue. I have not been able to test outbound connection attempts or reloading from the database, so it's possible some issues still exist around those. More testers would be appreciated.

Closing issues
https://lists.opensips.org/pipermail/users/2025-November/049050.html

rrb3942 and others added 7 commits November 14, 2025 15:00
Co-authored-by: aider (gemini/gemini-2.5-pro) <[email protected]>