
ACME: define and allocate shared data structures. #12


Merged
merged 4 commits into from
Jul 30, 2025


@bavshin-f5 bavshin-f5 commented Jul 25, 2025

+ one quick fixup for #1

The ACME protocol assumes short-term certificates to ensure a regular
revalidation of ownership and to limit consequences of key compromise.
Allowing to request certificate renewals with the same key goes against
the second goal and should not be supported without a good reason.

This was an oversight inherited from the proof-of-concept code and was
not supposed to be committed here.
@bavshin-f5 bavshin-f5 requested review from xeioex, avahahn and ensh63 July 25, 2025 20:37

@xeioex xeioex left a comment


Otherwise looks good.

@bavshin-f5 bavshin-f5 force-pushed the bavshin/shared-state branch from 92501e2 to 165652e Compare July 29, 2025 04:14
@bavshin-f5 bavshin-f5 force-pushed the bavshin/shared-state branch from 165652e to 4d99b80 Compare July 29, 2025 19:00
Improves time to readiness after a full restart of the server.
We trust the SSL library to securely clear the EVP_PKEY objects, but
all the places where we may store PEM data should be cleared by us.
@bavshin-f5 bavshin-f5 force-pushed the bavshin/shared-state branch from 4d99b80 to cde9ae6 Compare July 29, 2025 21:16
@bavshin-f5 bavshin-f5 merged commit 31fbbed into main Jul 30, 2025
13 checks passed
@bavshin-f5 bavshin-f5 deleted the bavshin/shared-state branch July 30, 2025 22:39