Feature(tls_mgm): Allow reloading certificates for script defined domains #3760
Summary
The current reload implementation for tls_mgm only supports reloading domains from the database. This patch set refactors reloading to support re-initializing domains configured from the script so that certificates can be refreshed at runtime and allows for better integration with tools like certbot and its post-renew hooks.
I used aider with gemini 2.5 pro to make these changes.
Details
Refactors how domains are loaded/reloaded to centralize all of the logic and make it reusable for mod_init as well. Script domain configurations are now populated into templates that are used for copying and re-initializing later with updated certificates, etc.
The domain lists and matching maps are now wholesale replaced at reload time instead of some of the incremental updating that was done before. Locking has been re-worked so that the global write lock is only held during the pointer swap for these.
If any part of the reload fails before the pointer swap, the reload is aborted and the current configuration remains active.
Cleanup of the old configuration happens outside of the global write lock.
I think this is an overall better approach to reloading compared to the old implementation.
Other fixes/changes:
Unified access to the tls_dom via SSL_get_ex_data. This makes it more consistent with how reference counting is done.
Fixed some of the reference counting in tls_sni_cb(), where it was releasing the currently used dom when failing to set the new one.
Also added some length checks before copying into a fixed-size buffer.
Solution
Now tls_reload will also reload certificates for script defined domains.
Compatibility
Should not cause any compatibility issues.
I have tested the file reloading with concurrent connection attempts without issue. I have not been able to test outbound connection attempts or reloading from the database, so it's possible some issues still exist around those. More testers would be appreciated.
Closing issues
https://lists.opensips.org/pipermail/users/2025-November/049050.html