
Implement reference counting for TLS contexts, Resolve #3122 DoT stops working after "rndc reconfigure" when running named as non-root

Artem Boldariev requested to merge artem-tls-ctx-refcount into main

This merge request implements reference counting using the built-in functionality found in OpenSSL/LibreSSL. In turn, this allows for the implementation of replacing TLS contexts within listener socket objects in a safe way during reconfiguration: so that a TLS context object will not get destroyed while in use.

Before this merge request is merged, the whole listener object must be recreated during reconfiguration in order to pick up new TLS certificates, which might be impossible in some environments: in particular, the ones which do not allow listening on privileged ports for non-root users, which is known to cause problems for TLS-based DNS transports in FreeBSD-powered environments.

Closes #3122 (closed)

Also, this merge request is, in a way, a continuation of !5634 (merged) and a "proper" fix for #3053 (closed).
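The context swap the description refers to, shown as an added C example that is not part of this merge request or of BIND's code: `tls_ctx_t` with `tls_ctx_up_ref`/`tls_ctx_free` is a hypothetical stand-in for OpenSSL's `SSL_CTX` with `SSL_CTX_up_ref`/`SSL_CTX_free`, and the listener, connection and certificate names are constructed for the demonstration. It walks the scenario the text describes: a connection is in flight, the listener's context is replaced in place during reconfiguration without reopening the listening socket, and the old context is destroyed only after its last user releases it.

```c
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for OpenSSL's SSL_CTX and its built-in reference
 * count (SSL_CTX_up_ref / SSL_CTX_free); a real port calls those instead. */
typedef struct tls_ctx {
    atomic_int refs;
    char cert_name[64]; /* constructed label for the certificate this context loaded */
} tls_ctx_t;

static int live_ctx_count = 0; /* contexts allocated but not yet destroyed */

tls_ctx_t *tls_ctx_new(const char *cert_name) {
    tls_ctx_t *ctx = calloc(1, sizeof(*ctx));
    if (ctx == NULL) return NULL;
    atomic_init(&ctx->refs, 1); /* the creator holds the first reference */
    snprintf(ctx->cert_name, sizeof(ctx->cert_name), "%s", cert_name);
    live_ctx_count++;
    return ctx;
}

void tls_ctx_up_ref(tls_ctx_t *ctx) { atomic_fetch_add(&ctx->refs, 1); }

void tls_ctx_free(tls_ctx_t *ctx) {
    if (ctx == NULL) return;
    if (atomic_fetch_sub(&ctx->refs, 1) == 1) { /* last reference dropped */
        live_ctx_count--;
        free(ctx);
    }
}

int tls_ctx_refs(tls_ctx_t *ctx) { return atomic_load(&ctx->refs); }
int tls_ctx_live(void) { return live_ctx_count; }

typedef struct listener { tls_ctx_t *ctx; } listener_t;     /* listening socket; stays open */
typedef struct connection { tls_ctx_t *ctx; } connection_t; /* accepted client session */

/* An accepted connection takes its own reference, so the context it
 * handshook with outlives any later reconfiguration. */
void connection_open(connection_t *c, listener_t *l) {
    c->ctx = l->ctx;
    tls_ctx_up_ref(c->ctx);
}

void connection_close(connection_t *c) {
    tls_ctx_free(c->ctx);
    c->ctx = NULL;
}

/* Reconfiguration: swap the context without recreating the listener. The
 * old context is destroyed only once no connection refers to it any more. */
void listener_replace_ctx(listener_t *l, tls_ctx_t *newctx) {
    tls_ctx_up_ref(newctx); /* listener's own reference to the new context */
    tls_ctx_t *old = l->ctx;
    l->ctx = newctx;
    tls_ctx_free(old);
}

/* Walks the reconfigure scenario; returns 0 on success, otherwise the
 * number of the first invariant that failed. */
int demo_reconfigure(void) {
    listener_t lst = { tls_ctx_new("old-cert.pem") };
    connection_t conn;
    connection_open(&conn, &lst); /* in-flight DoT session on the old cert */
    if (tls_ctx_refs(lst.ctx) != 2) return 1;

    tls_ctx_t *fresh = tls_ctx_new("renewed-cert.pem"); /* loaded on reconfigure */
    listener_replace_ctx(&lst, fresh);
    tls_ctx_free(fresh); /* drop the creation reference; listener keeps its own */
    if (tls_ctx_live() != 2) return 2; /* old ctx still alive: conn holds it */
    if (strcmp(conn.ctx->cert_name, "old-cert.pem") != 0) return 3;
    if (strcmp(lst.ctx->cert_name, "renewed-cert.pem") != 0) return 4;

    connection_close(&conn); /* last user of the old context releases it */
    if (tls_ctx_live() != 1) return 5;

    tls_ctx_free(lst.ctx); /* listener shutdown */
    return tls_ctx_live(); /* 0: nothing leaked, nothing freed early */
}

int main(void) {
    int rc = demo_reconfigure();
    printf("reconfigure scenario: %s (code %d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

The point of the example is the ordering inside `listener_replace_ctx`: the listener's pointer is redirected before the old context's reference is dropped, and a connection that already holds a reference keeps the certificate it negotiated with until it closes, so no reference ever points at freed memory.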

Edited by Artem Boldariev
