Replace listener TLS contexts on reconfiguration

This commit makes use of isc_nmsocket_set_tlsctx(). Now, instead of recreating TLS-enabled listeners (including the underlying TCP listener sockets), only the TLS context in use is replaced.
2025-08-31 14:35:26 +00:00 · 2022-03-31 13:48:14 +03:00
parent df317184eb
commit 77b2db8246
1 changed files with 63 additions and 66 deletions
--- a/lib/ns/interfacemgr.c
+++ b/lib/ns/interfacemgr.c
@@ -909,6 +909,25 @@ clearlistenon(ns_interfacemgr_t *mgr) {
 	}
 }

+static void
+replace_listener_tlsctx(ns_interfacemgr_t *mgr, ns_interface_t *ifp,
+			isc_tlsctx_t *newctx) {
+	char sabuf[ISC_SOCKADDR_FORMATSIZE];
+	REQUIRE(NS_INTERFACE_VALID(ifp));
+
+	LOCK(&mgr->lock);
+	isc_sockaddr_format(&ifp->addr, sabuf, sizeof(sabuf));
+	isc_log_write(IFMGR_COMMON_LOGARGS, ISC_LOG_INFO,
+		      "updating TLS context on %s", sabuf);
+	if (ifp->tcplistensocket != NULL) {
+		/* 'tcplistensocket' is used for DoT */
+		isc_nmsocket_set_tlsctx(ifp->tcplistensocket, newctx);
+	} else if (ifp->http_secure_listensocket != NULL) {
+		isc_nmsocket_set_tlsctx(ifp->http_secure_listensocket, newctx);
+	}
+	UNLOCK(&mgr->lock);
+}
+
 static isc_result_t
 do_scan(ns_interfacemgr_t *mgr, bool verbose, bool config) {
 	isc_interfaceiter_t *iter = NULL;
@@ -976,42 +995,30 @@ do_scan(ns_interfacemgr_t *mgr, bool verbose, bool config) {

 			ifp = find_matching_interface(mgr, &listen_addr);
 			if (ifp != NULL) {
-				/*
-				 * We need to recreate the TLS/HTTPS listeners
-				 * during reconfiguration because the
-				 * certificates could have been changed.
-				 */
-				if (config && LISTENING(ifp) &&
-				    le->sslctx != NULL) {
-					INSIST(NS_INTERFACE_VALID(ifp));
-					LOCK(&mgr->lock);
-					isc_sockaddr_format(&ifp->addr, sabuf,
+				ifp->generation = mgr->generation;
+				if (le->dscp != -1 && ifp->dscp == -1) {
+					ifp->dscp = le->dscp;
+				} else if (le->dscp != ifp->dscp) {
+					isc_sockaddr_format(&listen_addr, sabuf,
 							    sizeof(sabuf));
 					isc_log_write(IFMGR_COMMON_LOGARGS,
-						      ISC_LOG_INFO,
-						      "no longer listening on "
-						      "%s",
-						      sabuf);
-					interface_destroy(&ifp);
-					UNLOCK(&mgr->lock);
-				} else {
-					ifp->generation = mgr->generation;
-					if (le->dscp != -1 && ifp->dscp == -1) {
-						ifp->dscp = le->dscp;
-					} else if (le->dscp != ifp->dscp) {
-						isc_sockaddr_format(
-							&listen_addr, sabuf,
-							sizeof(sabuf));
-						isc_log_write(
-							IFMGR_COMMON_LOGARGS,
-							ISC_LOG_WARNING,
-							"%s: conflicting DSCP "
-							"values, using %d",
-							sabuf, ifp->dscp);
-					}
-					if (LISTENING(ifp)) {
-						continue;
+						      ISC_LOG_WARNING,
+						      "%s: conflicting DSCP "
+						      "values, using %d",
+						      sabuf, ifp->dscp);
+				}
+				if (LISTENING(ifp)) {
+					/*
+					 * We need to update the TLS contexts
+					 * inside the TLS/HTTPS listeners during
+					 * a reconfiguration because the
+					 * certificates could have been changed.
+					 */
+					if (config && le->sslctx != NULL) {
+						replace_listener_tlsctx(
+							mgr, ifp, le->sslctx);
 					}
+					continue;
 				}
 			}

@@ -1152,42 +1159,32 @@ do_scan(ns_interfacemgr_t *mgr, bool verbose, bool config) {

 			ifp = find_matching_interface(mgr, &listen_sockaddr);
 			if (ifp != NULL) {
-				/*
-				 * We need to recreate the TLS/HTTPS listeners
-				 * during a reconfiguration because the
-				 * certificates could have been changed.
-				 */
-				if (config && LISTENING(ifp) &&
-				    le->sslctx != NULL) {
-					INSIST(NS_INTERFACE_VALID(ifp));
-					LOCK(&mgr->lock);
-					isc_sockaddr_format(&ifp->addr, sabuf,
+				ifp->generation = mgr->generation;
+				if (le->dscp != -1 && ifp->dscp == -1) {
+					ifp->dscp = le->dscp;
+				} else if (le->dscp != ifp->dscp) {
+					isc_sockaddr_format(&listen_sockaddr,
+							    sabuf,
 							    sizeof(sabuf));
 					isc_log_write(IFMGR_COMMON_LOGARGS,
-						      ISC_LOG_INFO,
-						      "no longer listening on "
-						      "%s",
-						      sabuf);
-					interface_destroy(&ifp);
-					UNLOCK(&mgr->lock);
-				} else {
-					ifp->generation = mgr->generation;
-					if (le->dscp != -1 && ifp->dscp == -1) {
-						ifp->dscp = le->dscp;
-					} else if (le->dscp != ifp->dscp) {
-						isc_sockaddr_format(
-							&listen_sockaddr, sabuf,
-							sizeof(sabuf));
-						isc_log_write(
-							IFMGR_COMMON_LOGARGS,
-							ISC_LOG_WARNING,
-							"%s: conflicting DSCP "
-							"values, using %d",
-							sabuf, ifp->dscp);
-					}
-					if (LISTENING(ifp)) {
-						continue;
+						      ISC_LOG_WARNING,
+						      "%s: conflicting DSCP "
+						      "values, using %d",
+						      sabuf, ifp->dscp);
+				}
+				if (LISTENING(ifp)) {
+					/*
+					 * We need to update the TLS contexts
+					 * inside the TLS/HTTPS listeners during
+					 * a reconfiguration because the
+					 * certificates could have been changed.
+					 */
+					if (config && le->sslctx != NULL) {
+						replace_listener_tlsctx(
+							mgr, ifp, le->sslctx);
 					}
+
+					continue;
 				}
 			}