Hot reloading of SSL certificates in gremlin-server

👋🏻 Hey. I'm trying to understand how SSL/TLS certificates are handled in TinkerPop. Based on this code (https://github.com/apache/tinkerpop/blob/9627b78bcf38a0faf6a94dcd8ae3b80390d837f7/gremlin-server/src/main/java/org/apache/tinkerpop/gremlin/server/AbstractChannelizer.java#L324-L354), keystore files (certificates) are loaded once, on Channel initialization. This would mean that a Channel keeps using the same certificate for its lifespan and, assuming they are long-lived, I imagine this could be an issue if users want to refresh their certificates often. Would there be a way to reload those certificates (e.g. periodically, on file change)? If not, would you have a suggested approach that would make sense to contribute? As an example, grpc-java, which is also based on Netty, offers this solution: https://github.com/grpc/grpc-java/pull/8175/ Thanks!
5 Replies
spmallette (2mo ago)
I don't think there's any way to currently do the reloads, so something would have to be built. @Kennh any thoughts on this one?
Kennh (2mo ago)
I've been thinking about this for a little bit since I read it, but I don't have any current recommendations on how to move forward with this. I'll have to think about it some more as I can see this evolving into a more general way of reloading server settings where lots of different server settings could get updated on the fly.
Andrea (2mo ago)
It might be worth taking a look at this solution someone created which uses scheduled file based change detection https://github.com/Hakky54/java-tutorials/blob/main/instant-server-ssl-reloading-with-netty/netty-server/README.md
cdegroc (OP, 4w ago)
Thanks! That lib relies on https://github.com/Hakky54/sslcontext-kickstart which has an Apache License. It'd make the implementation simpler, but I'm not sure how reliable that dependency is / what guarantees we have it'll be maintained.
Andrea (4w ago)
If we don't want to use the library itself, the author's solution could be used as inspiration for a TinkerPop-specific solution.
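A sketch of the scheduled file-change approach discussed in this thread, added here as an example and not code from TinkerPop, grpc-java or the linked tutorial: a hypothetical Netty ChannelInitializer that rebuilds the SslContext whenever the keystore's modification time changes, so new connections get the new certificate while already-open channels keep the one they negotiated. It assumes a JKS or PKCS12 keystore at the given path and a 30-second poll interval; a keystore that fails to load (e.g. caught mid-write) is logged and the last good context stays in service until the next poll.

```java
import io.netty.channel.ChannelInitializer;
import io.netty.channel.socket.SocketChannel;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import javax.net.ssl.KeyManagerFactory;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicReference;

/** Hypothetical initializer: every new channel gets an SslHandler from the current SslContext. */
public final class ReloadingSslInitializer extends ChannelInitializer<SocketChannel> {
    private final Path keyStorePath;
    private final char[] password;
    private final AtomicReference<SslContext> current = new AtomicReference<>();
    private volatile long lastModified; // mtime of the keystore that produced 'current'

    public ReloadingSslInitializer(Path keyStorePath, char[] password) throws Exception {
        this.keyStorePath = keyStorePath;
        this.password = password;
        reload(); // fail fast at startup if the keystore is unusable
        // Poll for changes (assumed interval); only new connections see the swapped context.
        Executors.newSingleThreadScheduledExecutor()
                .scheduleWithFixedDelay(this::reloadIfChanged, 30, 30, TimeUnit.SECONDS);
    }

    private void reloadIfChanged() {
        try {
            if (Files.getLastModifiedTime(keyStorePath).toMillis() != lastModified) reload();
        } catch (Exception e) {
            // Keep serving with the last good context; lastModified is left untouched so the next poll retries.
            System.err.println("keystore reload failed, keeping previous SslContext: " + e);
        }
    }

    private void reload() throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(keyStorePath)) { ks.load(in, password); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        SslContext fresh = SslContextBuilder.forServer(kmf).build(); // fully built before the swap
        lastModified = Files.getLastModifiedTime(keyStorePath).toMillis();
        current.set(fresh); // atomic publish; no lock on the connection path
    }

    @Override
    protected void initChannel(SocketChannel ch) {
        ch.pipeline().addFirst("ssl", current.get().newHandler(ch.alloc()));
    }
}
```

Existing channels are deliberately left alone: forcing them to re-handshake would drop live Gremlin sessions, and a certificate rotation only needs new connections to present the new chain.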