authorFabian Mauchle <fabian.mauchle@switch.ch>2017-03-24 14:04:01 +0100
committerFabian Mauchle <fabian.mauchle@switch.ch>2017-03-24 14:04:01 +0100
commit4f223d37143a1315cb756a17268c6af7673eed34 (patch)
tree7efc27fa1c243e3210981193ec0362de91dfd50c
parent402cc31039f9612519468b76645edca9c063984b (diff)
Reload TLS certificate CRLs on SIGHUP
-rw-r--r--ChangeLog1
-rw-r--r--radsecproxy.c3
-rw-r--r--tlscommon.c17
-rw-r--r--tlscommon.h1
4 files changed, 22 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index d4be0e1..c23f2cb 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -6,6 +6,7 @@ Changes between 1.6.8 and the master branch
Enhancements:
- Support the use of OpenSSL version 1.1 series (RADSECPROXY-66).
+ - Reload TLS certificate CRLs on SIGHUP
Misc:
- libnettle is now an unconditional dependency.
diff --git a/radsecproxy.c b/radsecproxy.c
index fe76f7c..f88d18c 100644
--- a/radsecproxy.c
+++ b/radsecproxy.c
@@ -3250,6 +3250,9 @@ void *sighandler(void *arg) {
case SIGHUP:
debug(DBG_INFO, "sighandler: got SIGHUP");
debug_reopen_log();
+#if defined(RADPROT_TLS) || defined(RADPROT_DTLS)
+ tlsreloadcrls();
+#endif
break;
case SIGPIPE:
debug(DBG_WARN, "sighandler: got SIGPIPE, TLS write error?");
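Review bot: The added tlsreloadcrls() call on the SIGHUP path leaves no trace in the log that a CRL reload was attempted, while the surrounding case already logs "got SIGHUP"; an operator who rotates CRLs and sends SIGHUP has nothing to grep for unless tlsaddcacrl() itself logs. Consider `debug(DBG_INFO, "sighandler: reloading TLS CRLs");` directly before the call, inside the same `#if` guard. Since tlsreloadcrls() is declared without a return value, the caller also cannot tell whether any context failed to reload; if a status is ever added, this is where it should be logged at DBG_WARN. The enclosing sighandler() function starts and ends outside the hunk.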
diff --git a/tlscommon.c b/tlscommon.c
index 842b955..d2453be 100644
--- a/tlscommon.c
+++ b/tlscommon.c
@@ -335,6 +335,23 @@ SSL_CTX *tlsgetctx(uint8_t type, struct tls *t) {
return NULL;
}
+void tlsreloadcrls() {
+ struct tls *conf;
+ struct hash_entry *entry;
+
+ for(entry = hash_first(tlsconfs); entry; entry = hash_next(entry)) {
+ conf = (struct tls *)entry->data;
+#ifdef RADPROT_TLS
+ if(conf->tlsctx)
+ tlsaddcacrl(conf->tlsctx, conf);
+#endif
+#ifdef RADPROT_DTLS
+ if(conf->dtlsctx)
+ tlsaddcacrl(conf->dtlsctx, conf);
+#endif
+ }
+}
+
X509 *verifytlscert(SSL *ssl) {
X509 *cert;
unsigned long error;
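Review bot: tlsreloadcrls() discards whatever tlsaddcacrl() returns, so a reload that fails (unreadable or malformed CRL file, wrong path after a config change) is indistinguishable from a successful one and the contexts keep their previous CRL state with no warning from this function; if tlsaddcacrl() does report failure via its return value, check it and log at DBG_WARN with the configured name of the failing tls block, and likewise on the DTLS branch. The loop also runs on the signal-handler thread while other threads may be handshaking on the same SSL_CTX objects; whether that is safe depends on what tlsaddcacrl() does to the context's X509_STORE (OpenSSL locks the store for add_cert/add_crl, but not for flag or parameter changes), so this is worth a comment such as `/* called from sighandler thread; relies on tlsaddcacrl() only touching the ctx through locked X509_STORE operations */` or confirming under what lock, if any, tlsconfs and the contexts are accessed. Finally, the definition should be `void tlsreloadcrls(void)` to make it a proper prototype.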
diff --git a/tlscommon.h b/tlscommon.h
index 5f8f149..2b98a9c 100644
--- a/tlscommon.h
+++ b/tlscommon.h
@@ -33,6 +33,7 @@ X509 *verifytlscert(SSL *ssl);
int verifyconfcert(X509 *cert, struct clsrvconf *conf);
int conftls_cb(struct gconffile **cf, void *arg, char *block, char *opt, char *val);
int addmatchcertattr(struct clsrvconf *conf);
+void tlsreloadcrls();
#endif
/* Local Variables: */
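Review bot: The new prototype `void tlsreloadcrls();` declares a function with unspecified arguments rather than none, so the compiler will not diagnose a call that accidentally passes parameters; in C the declaration should read `void tlsreloadcrls(void);` (and the definition in tlscommon.c should match). A one-line comment describing when it is meant to be called would help readers of the header, e.g. `/* Re-read the CA/CRL files of every configured tls block into its live (D)TLS contexts; invoked from the SIGHUP handler. */`.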