CRL reload and long life tcp connections


#1

Hi,

I have to use HAProxy to enforce TLS encryption to application flow.

I use following feature

  • Multiple server certificates
  • client certificate verify
  • crl checking

Application flow imply long life tcp connections, which have as consequence that we have to avoid to restart or reload configuration. Indeed as the reload keep current connections attached on original process, it will result in a multiplication of HAProxy instance.

It’s especially true with CRL refresh that I have to do periodically. Is there work in progress to add he hot reload of crl file?
For example using unix socket command, like to set new maxconn , it could allow to use these new data for new connections…

An over approach wil be to deal with long term connection during reload, but I haven’t found relevant resouces, only high availability seems to be handle.

Anyone have similar needs or may be solutions?

Regards