[SR-Users] [sr-dev] Panning next major release - v4.4
Juha Heinanen
jh at tutpro.com
Sat Jan 9 01:12:23 CET 2016
Juha Heinanen writes:
> I just tried replacing the ca_list file of my proxy (which contained the CA
> certs of my peers) with a single bogus CA cert. Then I executed tls.cfg
> and made a call from one of the peers to my proxy. My proxy still
> recognized the call as coming from the peer based on its TLS common
> name. My understanding is that this should not have been possible if
> the cached ca_list of my proxy had been updated.
It turned out that the old TLS connection from the peer to my proxy was
still alive. After terminating the connection, a new connection setup
was correctly refused.
So it looks like certs can be reloaded on the fly. I'll try later with
client and server certs.
-- Juha