
Implement reference counting for TLS contexts, Resolve #3122 DoT stops working after "rndc reconfigure" when running named as non-root (backport to v9.18)

Artem Boldariev requested to merge artem-tls-ctx-refcount-backport-v9_18 into v9_18

This merge request implements reference counting for TLS contexts using the built-in functionality found in OpenSSL/LibreSSL. In turn, this allows TLS contexts within listener socket objects to be replaced safely during reconfiguration, so that a TLS context object will not get destroyed while still in use.

Before this merge request, the whole listener object had to be recreated during reconfiguration in order to pick up new TLS certificates, which might be impossible in some environments: in particular, those which do not allow non-root users to listen on privileged ports, which is known to cause problems for TLS-based DNS transports in FreeBSD-powered environments.
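The lifetime rule the description relies on, as an added illustration that is not BIND's code: a constructed stand-in for the OpenSSL context (its refcount models what `SSL_CTX_up_ref()`/`SSL_CTX_free()` do on a real `SSL_CTX`) is swapped inside a listener whose socket stays open, and a connection accepted before the swap keeps the old context alive until it closes. The `listener_t`, `install_certs` and `reconfigure_scenario` names are hypothetical.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>
/* Stand-in for an OpenSSL SSL_CTX (constructed for this example). The real object carries
 * its own count: SSL_CTX_up_ref() raises it, SSL_CTX_free() lowers it and destroys at zero. */
typedef struct tls_ctx { atomic_int refs; int cert_generation; bool *freed_flag; } tls_ctx_t;
static tls_ctx_t *tls_ctx_new(int gen, bool *freed) { /* gen: which certificate load */
    tls_ctx_t *ctx = calloc(1, sizeof(*ctx));
    atomic_init(&ctx->refs, 1); ctx->cert_generation = gen; ctx->freed_flag = freed;
    return ctx;
}
static void tls_ctx_ref(tls_ctx_t *ctx) { atomic_fetch_add(&ctx->refs, 1); }
static void tls_ctx_unref(tls_ctx_t *ctx) { /* destroy only when the last owner lets go */
    if (atomic_fetch_sub(&ctx->refs, 1) != 1) return;
    if (ctx->freed_flag) *ctx->freed_flag = true; /* lets the caller observe the free */
    free(ctx);
}
typedef struct listener { tls_ctx_t *ctx; } listener_t; /* the socket itself stays open */
/* Reconfiguration swaps only the context: reference the new one, release the listener's
 * reference to the old one. (Single-threaded model; a real server swaps under a lock.) */
static void listener_set_ctx(listener_t *l, tls_ctx_t *newctx) {
    tls_ctx_t *old = l->ctx;
    tls_ctx_ref(newctx);
    l->ctx = newctx;
    if (old) tls_ctx_unref(old); /* connections still holding old keep it alive */
}
static void install_certs(listener_t *l, int gen, bool *freed) { /* one certificate load */
    tls_ctx_t *ctx = tls_ctx_new(gen, freed);
    listener_set_ctx(l, ctx);
    tls_ctx_unref(ctx); /* the listener now owns the only reference */
}
static tls_ctx_t *connection_accept(listener_t *l) { tls_ctx_ref(l->ctx); return l->ctx; }
static void connection_close(tls_ctx_t *ctx) { tls_ctx_unref(ctx); }
/* Reconfigure while one connection is in flight on the old context. Returns the generation
 * that connection keeps using; the flags record whether the old context was freed too early. */
static int reconfigure_scenario(bool *old_freed_during, bool *old_freed_after) {
    bool freed_v1 = false;
    listener_t l = { .ctx = NULL };
    install_certs(&l, 1, &freed_v1);
    tls_ctx_t *conn = connection_accept(&l); /* handshake in progress on generation 1 */
    install_certs(&l, 2, NULL);              /* "rndc reconfigure" installs the new certs */
    *old_freed_during = freed_v1;            /* false: the connection still holds it */
    int seen = conn->cert_generation;
    connection_close(conn);
    *old_freed_after = freed_v1;             /* true: the last reference is gone */
    tls_ctx_unref(l.ctx);                    /* teardown: frees generation 2 */
    return seen;
}
```

Without the connection's own reference, the swap in `listener_set_ctx` would free a context that a handshake is still using; with it, the old context is released exactly when its last user goes away.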

Closes #3122 (closed)

Backport of !6087 (merged)

Edited by Artem Boldariev
