Re: [mosquitto-dev] Client certificate expiration handling

<user100@xxxxxxxxx> writes:

> I'd like to ask how certificates and their expiration are handled in
> mosquitto.
>
> Does mosquitto watch for changes to the certificate files defined in
> mosquitto.config?
>
> How are the cert files handled by mosquitto? Are they loaded into memory
> when mosquitto starts, with the physical files no longer considered
> (until mosquitto is restarted)?

That is my impression.

I find that when a cert is renewed, mosquitto must be restarted.

> What will happen to a running client on 15/1/2000? Does it stop getting
> data (since it is using expired certs)?

It would arguably be correct for the *client* to close the connection to
the server at the expiration of the cert used to authenticate it, but I
haven't seen this happen.

My experience is that mosquitto continues using the old cert, even if
the new one has been in the filesystem for weeks.  Connections that are
open stay open, and new connections fail.  Then I restart mosquitto and
all is ok.

> Do I need to restart mosquitto, so the new certificates are considered?

Please do the experiment and report your results.


It would be nice if mosquitto checked the cert file often enough for
this to work and re-read it.  postfix seems to do this.  Many other
programs do not.

Options could include:

  stat certfile on every TLS negotiation

  stat certfile hourly

  something more complicated, like stat on TLS negotiation unless it was
  checked within the last hour, but stat is pretty cheap



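As an added illustration of the third option above (an editor's example, not mosquitto code): a watcher that stats the certificate file on each TLS negotiation unless it was checked within the last hour, and reloads when the file's mtime has changed. The certificate contents, file name and clock are constructed placeholders; a real broker would rebuild its TLS context where `load()` is called.

```python
import os
import tempfile
import time

class CertWatcher:
    def __init__(self, path, interval=3600.0, clock=time.monotonic):
        self.path = path
        self.interval = interval      # one hour, as suggested in the thread
        self.clock = clock            # injectable so the demo runs offline
        self.loaded_mtime_ns = None
        self.last_check = None
        self.load()

    def load(self):
        """Record the mtime of the file handed to the TLS context."""
        self.loaded_mtime_ns = os.stat(self.path).st_mtime_ns
        self.last_check = self.clock()

    def on_tls_negotiation(self):
        """Call once per handshake. Returns True when the cert was re-read."""
        now = self.clock()
        if now - self.last_check < self.interval:
            return False              # checked recently: skip the stat
        self.last_check = now
        try:
            current = os.stat(self.path).st_mtime_ns
        except FileNotFoundError:
            return False              # keep serving the loaded cert, don't fail
        if current != self.loaded_mtime_ns:
            self.load()               # renewed on disk: pick up the new file
            return True
        return False

def demo():
    """Constructed walk-through: renew the file, then advance a fake clock."""
    t = [0.0]
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "server.crt")   # placeholder name, not a real cert
        def write(text, mtime_ns):
            with open(path, "w") as f:
                f.write(text)
            os.utime(path, ns=(mtime_ns, mtime_ns))  # force a distinct mtime
        write("placeholder, not a real certificate\n", 1_000_000_000)
        w = CertWatcher(path, clock=lambda: t[0])
        events = [w.on_tls_negotiation()]       # just loaded -> False
        write("renewed placeholder\n", 2_000_000_000)
        t[0] += 60
        events.append(w.on_tls_negotiation())   # within the hour -> False
        t[0] += 3600
        events.append(w.on_tls_negotiation())   # stat sees new mtime -> True
    return events
```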