I have an implementation of the reactor pattern in which I load the SSLContext when a TransportListener (basically a listener listening on a given port for HTTPS connections) is starting.
Then I call the same init() method again (through a JMX call to a listener's method)
sslContext.init(keyManagers, trustManagers, null);
once I add or remove a certificate to/from the trust store. I have to reload the SSLContext in order to avoid any down time in the listener.
So this is the problem I'm currently facing.
Suppose a request comes to the listener and a connection is established. If I reload the SSLContext object before the response is returned to the client, will that affect the connection's SSLEngine object's wrap process, which encrypts the payload before sending?
Note: I have validated that the same SSLContext object is being passed to all the SSLEngines. The SSLContext object is passed to several other objects when the listener is starting. For example, I have a connection pool to which I have to pass this SSLContext object. Therefore creating a new SSLContext object will completely break the existing connections in the connection pool. That is why I'm trying to use the same SSLContext object.
You need to think this through. If you have an established connection, it has already had a certificate exchange, successfully, so it has no need of new certificates, so no need of a new or reinitialized SSLContext, up to and including partial handshakes, e.g. to rekey the current session, or request a client certificate. It shouldn't use the SSLContext at all for anything short of a full handshake.
What you need to do is start using a new SSLContext for all the new connections that are going to need the new certificate. You don't need to do anything to existing connections, by definition.
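One way to hand a new SSLContext to new connections without re-initializing the shared one, as an added example that is not part of the original question or answer: components such as the listener and the connection pool hold a small holder object instead of the SSLContext itself. The class name `ReloadableSslContext`, its method names, and the file-based trust store in the JVM's default keystore format are assumptions made for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.concurrent.atomic.AtomicReference;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManagerFactory;

/** Hypothetical holder: share this object, not the SSLContext itself. */
public final class ReloadableSslContext {
    private final AtomicReference<SSLContext> current = new AtomicReference<>();
    private final KeyManager[] keyManagers;    // server identity, unchanged across reloads
    private final Path trustStorePath;         // assumed: trust store kept in a file
    private final char[] trustStorePassword;

    public ReloadableSslContext(KeyManager[] keyManagers, Path trustStorePath,
                                char[] trustStorePassword)
            throws GeneralSecurityException, IOException {
        this.keyManagers = keyManagers;
        this.trustStorePath = trustStorePath;
        this.trustStorePassword = trustStorePassword;
        reload();                              // build the initial context
    }

    /** Call from the JMX operation after a certificate is added or removed. */
    public void reload() throws GeneralSecurityException, IOException {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(trustStorePath)) {
            trustStore.load(in, trustStorePassword);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext fresh = SSLContext.getInstance("TLS");
        fresh.init(keyManagers, tmf.getTrustManagers(), null);
        // Publish only after init succeeded; if anything above throws,
        // new connections keep using the previous context.
        current.set(fresh);
    }

    /** For new connections only; engines already created are not touched. */
    public SSLEngine newEngine(String peerHost, int peerPort) {
        return current.get().createSSLEngine(peerHost, peerPort);
    }
}
```

A removed certificate stops being trusted only for handshakes on engines created after `reload()`; connections already established under the old trust store stay open until they are closed.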