Hot reloading of SSL certificates in gremlin-server

👋🏻 Hey. I'm trying to understand how SSL/TLS certificates are handled in TinkerPop. Based on this code (https://github.com/apache/tinkerpop/blob/4188f6d62d1ddaae246da23d6610c9d55ca03e54/gremlin-driver/src/main/java/org/apache/tinkerpop/gremlin/driver/Cluster.java#L423-L425), keystore files (certificates) are loaded once, on Channel initialization. This would mean that a Channel keeps using the same certificate for its lifespan and, assuming they are long-lived, I imagine this could be an issue if users want to refresh their certificates often. Would there be a way to reload those certificates (e.g. periodically, on file change)? If not, would you have a suggested approach that would make sense to contribute? As an example, grpc-java, which is also based on Netty, offers this solution: https://github.com/grpc/grpc-java/pull/8175/ Thanks!
3 Replies
spmallette, 2d ago
I don't think there's any way to currently do the reloads, so something would have to be built. @Kennh any thoughts on this one?
Kennh, 22h ago
I've been thinking about this for a little bit since I read it, but I don't have any current recommendations on how to move forward with this. I'll have to think about it some more as I can see this evolving into a more general way of reloading server settings where lots of different server settings could get updated on the fly.
Andrea, 20h ago
It might be worth taking a look at this solution someone created, which uses scheduled file-based change detection: https://github.com/Hakky54/java-tutorials/blob/main/instant-server-ssl-reloading-with-netty/netty-server/README.md
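The following is an added example, written for this page and not code from TinkerPop, Netty, grpc-java or the linked tutorial, showing the scheduled file-based reload pattern discussed in the thread against Netty's SslContext API. It keeps a single AtomicReference<SslContext> that a ChannelInitializer consults per new connection, and a scheduled task that rebuilds the context only when the keystore bytes actually change. The class and method names (ReloadableSslContext, reload, startPolling, initializer), the PKCS12 keystore at keyStorePath and the polling interval are assumptions for illustration, not anything TinkerPop ships.

```java
import io.netty.channel.ChannelInitializer;
import io.netty.channel.socket.SocketChannel;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;

import javax.net.ssl.KeyManagerFactory;
import java.io.ByteArrayInputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicReference;

/**
 * Hypothetical reloadable server-side SslContext (example code, not TinkerPop's).
 * New channels always get the most recently built context; channels that already
 * completed their TLS handshake keep the certificate they negotiated.
 */
public final class ReloadableSslContext {
    private final Path keyStorePath;   // assumed: a PKCS12 file holding key + cert chain
    private final char[] password;
    private final AtomicReference<SslContext> current = new AtomicReference<>();
    private volatile byte[] lastDigest; // SHA-256 of the keystore bytes last loaded

    public ReloadableSslContext(Path keyStorePath, char[] password) throws Exception {
        this.keyStorePath = keyStorePath;
        this.password = password;
        reload(); // fail fast at startup if the keystore cannot be used at all
    }

    /** Context to use for the next connection; resolved per channel, not once at bootstrap. */
    public SslContext current() {
        return current.get();
    }

    /** Rebuilds the SslContext if the keystore content changed. Returns true when swapped. */
    public synchronized boolean reload() throws Exception {
        // Read once and hash the bytes: a content hash survives atomic renames and
        // symlink swaps where a plain mtime check or inotify watch can be unreliable.
        byte[] bytes = Files.readAllBytes(keyStorePath);
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(bytes);
        if (Arrays.equals(digest, lastDigest)) {
            return false;
        }
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(new ByteArrayInputStream(bytes), password); // same bytes we hashed, no TOCTOU
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        // Build the whole context before publishing it, so a half-written or corrupt
        // keystore throws here and the previous, working context stays in service.
        SslContext fresh = SslContextBuilder.forServer(kmf).build();
        current.set(fresh);
        lastDigest = digest;
        return true;
    }

    /** Starts periodic change detection on a daemon thread; caller owns shutdown. */
    public ScheduledExecutorService startPolling(long period, TimeUnit unit) {
        ScheduledExecutorService ses = Executors.newSingleThreadScheduledExecutor(r -> {
            Thread t = new Thread(r, "ssl-keystore-reload");
            t.setDaemon(true);
            return t;
        });
        ses.scheduleWithFixedDelay(() -> {
            try {
                if (reload()) {
                    System.out.println("SslContext reloaded from " + keyStorePath);
                }
            } catch (Exception e) {
                // Keep serving with the previous context and retry on the next tick.
                System.err.println("keystore reload failed, keeping previous context: " + e);
            }
        }, period, period, unit);
        return ses;
    }

    /** Installs a fresh SslHandler built from whatever context is current at connect time. */
    public ChannelInitializer<SocketChannel> initializer() {
        return new ChannelInitializer<SocketChannel>() {
            @Override
            protected void initChannel(SocketChannel ch) {
                ch.pipeline().addFirst("ssl", current().newHandler(ch.alloc()));
            }
        };
    }
}
```

The important property is that the SslContext is looked up inside initChannel rather than captured when the bootstrap is built; that is exactly the difference from loading the keystore once and holding it for the Channel's lifetime. Two caveats a practitioner would want: a swap only affects connections that handshake after it, so long-lived sessions must be closed or re-established to present the new certificate; and reload failures are deliberately non-fatal so a rotation job that writes the file in two steps cannot knock the server off TLS. The same shape works on the client side by building with SslContextBuilder.forClient() and a TrustManagerFactory reloaded from a truststore instead of the key manager.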