
Fix race on client tls-auth and tls-auth enhancements #490

Open
bilias wants to merge 2 commits into NLnetLabs:master from bilias:tls_auth_ctx


bilias (Contributor) commented Jun 8, 2026

Client SSL CTX moved out of xfrd_tcp_set struct into tls_auth_options struct.

CTXs for tls-auth are created before priv drop and before chroot (one CTX per tls-auth definition).
tp client pipeline re-uses the CTX template of tls-auth to create the SSL connections.

bilias added 2 commits June 6, 2026 10:53
cert-bundle and tls-auth certs can be outside of chroot and loaded
before priv drop. Can be owned by root only.

Client SSL CTX moved out of xfrd_tcp_set struct into tls_auth_options
struct. CTXs for tls-auth are created before chroot. tp pipeline uses
that to create the SSL connections.

This also fixes a race on SSL CTX.
Details: NLnetLabs#488