Reload client certificates #59


Closed

Conversation

behos
Contributor

@behos behos commented Jun 30, 2025

This allows creating a client with certificate paths instead of a
preloaded certificate. When created this way, on reconnection the client
will check if the certificate files have been changed on disk and reload
them if they have.

This allows us to have auto-reloading of refreshed certificates client
side.

@behos behos force-pushed the giorgos.georgiou/reload-client-certs branch 4 times, most recently from 5ee3675 to 2e17c10 Compare June 30, 2025 11:05
@behos behos force-pushed the giorgos.georgiou/reload-client-certs branch from 2e17c10 to 4bcf3dc Compare June 30, 2025 11:06
@behos behos marked this pull request as ready for review June 30, 2025 11:07

codecov bot commented Jun 30, 2025

Codecov Report

Attention: Patch coverage is 64.94024% with 88 lines in your changes missing coverage. Please review.

Project coverage is 84.23%. Comparing base (96ee554) to head (4bcf3dc).
Report is 35 commits behind head on master.

Files with missing lines Patch % Lines
examples/tls_file_based.rs 0.00% 70 Missing ⚠️
src/tls.rs 89.37% 17 Missing ⚠️
src/session/connection.rs 95.00% 1 Missing ⚠️
@@            Coverage Diff             @@
##           master      #59      +/-   ##
==========================================
- Coverage   85.17%   84.23%   -0.95%     
==========================================
  Files          34       38       +4     
  Lines        4831     5582     +751     
==========================================
+ Hits         4115     4702     +587     
- Misses        716      880     +164     


@behos
Contributor Author

behos commented Jun 30, 2025

The coverage tool is also counting the example file, which cannot be covered. I could remove the example, but it really helped me verify the change.

```rust
let key_changed = key_modified > self.key_modified;
// Refresh if both files were modified, as we want to make sure that we don't pick up a new cert/key with
// an old key/cert.
if cert_changed && key_changed {
```
Owner

I think it is a good enhancement. But instead of FileBased, I would like it to be more generic. I guess `TlsOptions::with_pem_reloader(self, reloader: impl Fn() -> Option<...>) -> Self` should work. Let me take a deep look.

Contributor Author

Yeah that could work if we can easily inject some pre-defined reloaders, to include a file based one too. Let me know if I can help with this.
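
The following is an added example, not code from this pull request or from the project: it sketches the two ideas discussed above in one place, the generic reload hook in the shape the owner suggested (`with_pem_reloader` taking a closure that returns `Some` only when fresh material should be used) and a file-based implementation behind it that applies the rule from the reviewed snippet, refreshing only when both the certificate and the key file changed so a rotated certificate is never paired with a stale key. `PemIdentity`, `TlsOptions`, `FileBasedReloader`, `identity_for_reconnect` and the raw-bytes representation of the PEM material are all assumptions made for this example; the real client would hold parsed certificate and key objects.

```rust
use std::fs;
use std::io;
use std::path::{Path, PathBuf};
use std::time::{Duration, SystemTime};

/// Client identity as raw PEM bytes (placeholder for this example; the real project
/// would hold parsed certificate and key objects instead).
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct PemIdentity {
    pub cert_pem: Vec<u8>,
    pub key_pem: Vec<u8>,
}

/// Hypothetical options builder (not the project's real API). The reload hook follows the
/// maintainer's sketch: polled on reconnection, it returns `Some` only when fresh material
/// should replace the current identity.
pub struct TlsOptions {
    identity: PemIdentity,
    reloader: Option<Box<dyn FnMut() -> Option<PemIdentity>>>,
}

impl TlsOptions {
    pub fn new(identity: PemIdentity) -> Self {
        TlsOptions { identity, reloader: None }
    }
    /// Install any reloader; the file-based one below is just one implementation.
    pub fn with_pem_reloader(mut self, reloader: impl FnMut() -> Option<PemIdentity> + 'static) -> Self {
        self.reloader = Some(Box::new(reloader));
        self
    }
    /// Called by the connection logic on every reconnect: poll the reloader and swap in the
    /// new identity only if it reports one; otherwise keep presenting the old one.
    pub fn identity_for_reconnect(&mut self) -> &PemIdentity {
        if let Some(reload) = self.reloader.as_mut() {
            if let Some(fresh) = reload() {
                self.identity = fresh;
            }
        }
        &self.identity
    }
}

/// The rule from the review snippet: refresh only when *both* files changed, so a rotated
/// certificate is never paired with the previous key (or vice versa).
pub fn both_changed(last: (SystemTime, SystemTime), now: (SystemTime, SystemTime)) -> bool {
    let cert_changed = now.0 > last.0;
    let key_changed = now.1 > last.1;
    cert_changed && key_changed
}

fn mtime(path: &Path) -> io::Result<SystemTime> {
    fs::metadata(path)?.modified()
}

/// File-based reloader: remembers the mtimes seen at the last successful load.
pub struct FileBasedReloader {
    cert_path: PathBuf,
    key_path: PathBuf,
    last_seen: (SystemTime, SystemTime),
}

impl FileBasedReloader {
    /// Load the initial identity and record the mtimes it came from.
    pub fn new(cert: impl AsRef<Path>, key: impl AsRef<Path>) -> io::Result<(Self, PemIdentity)> {
        let (cert_path, key_path) = (cert.as_ref().to_path_buf(), key.as_ref().to_path_buf());
        let identity = PemIdentity { cert_pem: fs::read(&cert_path)?, key_pem: fs::read(&key_path)? };
        let last_seen = (mtime(&cert_path)?, mtime(&key_path)?);
        Ok((FileBasedReloader { cert_path, key_path, last_seen }, identity))
    }
    /// Poll the files. Returns the new pair only when both were rewritten since the last
    /// load; a stat or read error (e.g. a file mid-rotation) keeps the current identity.
    pub fn reload(&mut self) -> Option<PemIdentity> {
        let now = (mtime(&self.cert_path).ok()?, mtime(&self.key_path).ok()?);
        if !both_changed(self.last_seen, now) {
            return None;
        }
        let cert_pem = fs::read(&self.cert_path).ok()?;
        let key_pem = fs::read(&self.key_path).ok()?;
        self.last_seen = now;
        Some(PemIdentity { cert_pem, key_pem })
    }
}

fn main() -> io::Result<()> {
    // Constructed demo: two placeholder "PEM" files rotated one at a time.
    let dir = std::env::temp_dir().join(format!("pem-reload-demo-{}", std::process::id()));
    fs::create_dir_all(&dir)?;
    let (cert, key) = (dir.join("client.crt"), dir.join("client.key"));
    fs::write(&cert, "cert v1")?;
    fs::write(&key, "key v1")?;
    let (mut reloader, identity) = FileBasedReloader::new(&cert, &key)?;
    let mut opts = TlsOptions::new(identity).with_pem_reloader(move || reloader.reload());
    std::thread::sleep(Duration::from_millis(100)); // let the mtimes advance past the first load
    fs::write(&cert, "cert v2")?; // only the cert rotated: the client must keep presenting v1
    println!("{}", String::from_utf8_lossy(&opts.identity_for_reconnect().cert_pem));
    fs::write(&key, "key v2")?; // both rotated: v2 is picked up on the next reconnect
    println!("{}", String::from_utf8_lossy(&opts.identity_for_reconnect().cert_pem));
    fs::remove_dir_all(&dir)
}
```

Two design points worth noting. The both-must-change rule means a rotation that writes the certificate first and the key a moment later is simply not observed until the second write lands, so a reconnect in between keeps the still-valid old pair instead of a mismatched one. Likewise, any stat or read failure during polling returns `None` rather than an error, so a file that is temporarily missing or half-written during rotation degrades to "keep using what we have" instead of breaking the reconnect.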

kezhuw pushed a commit that referenced this pull request Jul 7, 2025
This allows us to have auto-reloading of refreshed certificates in client
side.

Resolves #59.
kezhuw pushed a commit that referenced this pull request Jul 7, 2025
This allows creating a client with dynamic tls certificates. When
created this way, on reconnection the client will use latest tls
certificates.

This allows us to have auto-reloading of refreshed certificates in
client side.

Resolves #59.
kezhuw pushed a commit that referenced this pull request Jul 7, 2025
This allows creating a client with dynamic tls certificates. When
created this way, on reconnection the client will use latest tls
certificates.

This allows us to have auto-reloading of refreshed certificates stored
anywhere in client side.

Resolves #59.
@behos behos closed this Jul 8, 2025
@behos
Contributor Author

behos commented Jul 8, 2025

Closed in favor of #66

kezhuw pushed a commit that referenced this pull request Jul 13, 2025
This allows creating a client with dynamic tls certificates. When
created this way, on reconnection the client will use latest tls
certificates.

This allows us to reload refreshed certificates stored somewhere in
client side.

This commit also adds support for crls in cert verifier, so it will
reject revoked server certs.

Resolves #59.
kezhuw pushed a commit that referenced this pull request Jul 13, 2025
This allows creating a client with dynamic tls certificates. When
created this way, on reconnection the client will use latest tls
certificates.

This allows us to reload refreshed certificates stored somewhere in
client side.

This commit also adds support for crls in cert verifier to reject
revoked server certs.

Resolves #59.
kezhuw added a commit that referenced this pull request Jul 13, 2025
This allows creating a client with dynamic tls certificates. When
created this way, on reconnection the client will use latest tls
certificates.

This allows us to reload refreshed certificates stored somewhere in
client side.

This commit also adds support for crls in cert verifier to reject
revoked server certs.

Resolves #59.

Co-authored-by: Giorgos Georgiou <giorgos.georgiou@datadoghq.com>