Graceful crl reload

README.md

@@ -118,7 +118,8 @@ of Erlang property list.
 | `cacertfile_path`    | `/opt/ca/ca.crt.pem`               | SSLCACertificateFile  | Where is the client root CA located. Can be inside apps/epp_proxy/priv or absolute path.
 | `certfile_path`      | `/opt/ca/server.crt.pem`           | SSLCertificateFile    | Where is the server certificate located. Can be inside apps/epp_proxy/priv or absolute path.
 | `keyfile_path`       | `/opt/ca/server.key.pem`           | SSLCertificateKeyFile | Where is the server key located. Can be inside apps/epp_proxy/priv or absolute path.
-| `crlfile_path`       | `/opt/ca/crl.pem`                  | SSLCARevocationFile   | Where is the CRL file located. Can be inside apps/epp_proxy/priv or absolute path. When not set, not CRL check is performed.
+| `crlfile_path`       | `/opt/ca/crl`                      | SSLCARevocationFile   | Where is the CRL file located. Can be inside apps/epp_proxy/priv or absolute path. When not set, not CRL check is performed. CLRs in this directory must be rehashed by `c_rehash` command as per this solution (https://stackoverflow.com/posts/51480191/revisions) 
+
 
 
 Migrating from mod_epp

apps/epp_proxy/priv/test_ca/certs/revoked2.crt.pem

@@ -0,0 +1,35 @@
+-----BEGIN CERTIFICATE-----
+MIIGEDCCA/igAwIBAgICEAIwDQYJKoZIhvcNAQELBQAwgY0xCzAJBgNVBAYTAkVF
+MREwDwYDVQQIDAhIYXJqdW1hYTEQMA4GA1UEBwwHVGFsbGlubjEjMCEGA1UECgwa
+RWVzdGkgSW50ZXJuZXRpIFNpaHRhc3V0dXMxEjAQBgNVBAMMCWxvY2FsaG9zdDEg
+MB4GCSqGSIb3DQEJARYRaGVsbG9AaW50ZXJuZXQuZWUwHhcNMjAwNzIxMDczODEy
+WhcNMzAwNzE5MDczODEyWjB8MQswCQYDVQQGEwJFRTERMA8GA1UECAwISGFyanVt
+YWExIzAhBgNVBAoMGkVlc3RpIEludGVybmV0aSBTaWh0YXN1dHVzMRMwEQYDVQQD
+DApsb2NhbGhvc3QzMSAwHgYJKoZIhvcNAQkBFhFoZWxsb0BpbnRlcm5ldC5lZTCC
+AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAJ9WvaOOx8qB0/+zJ23hp9R2
+r6QUNMJWg3JDU2qJZuHZ19DWn47+fDjQORqmiFvNTDCp1EKskk4pykWEGtnwm7sn
+E2N9ovoNEmKfYkPiKHtweiHr0IoUsB9tZojSyaolGXxSLSXglXSp3zwB5v1boVOj
+7dEHxvK6QeLy/bYqzdVOsZEKcjz5UAjgnd4CfdS6IBW4Dgk1JMHZGMTFbrrVunB/
+No6FARisO+Aq11S3Ak9WyBoe2uUPS7RLdyy/EVGhbft6QE+ENc3gL7LHlQ2LjVUF
+2ISwG8ULl4f0A8tmyk3deD/SPGklQVG9M/1Yv7z5aTSB+1o03SPb4abJieY+RF3L
+zZO7oa7vzn52Z8gziNo5rMHX6Q+kLqkgnqRvR0Vk+qkbhsZHny68oFNZm8+TWqDW
+mZpMKR3vQEC19wfAuCxrBAC5XHLH/wY7kSng2PKUuRoACAsta9JmAnTeQtKFMj66
+wIe+nbr9Q03da3adVAOVRTrlsIuk/9vo5u4pOs2M+s5Q8kisI41Cm9EkNgmVAweY
+1LbyZXV1n/smzsHtjSkNco95dZtOVlAHW5GB7v1zj7Ensx96JMBvBq+0XCUMgCJX
+NYYvcB9YMLVfZuBaoe15wAx93utSefPgFHFYJ7/pjZMt088SbR9SCyNkYFOkNrdx
+abbntYS98CXFI4gB62rLAgMBAAGjgYkwgYYwCQYDVR0TBAIwADALBgNVHQ8EBAMC
+BeAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRl
+MB0GA1UdDgQWBBQuphYluIrOLAaufOBOUUa3jqI/hzAfBgNVHSMEGDAWgBQrl0tO
+QaRq54QX5qF/OeLWzWZT9TANBgkqhkiG9w0BAQsFAAOCAgEAdTAqjYLbIBHOvcDW
+x1twozGlmtlob20TrmLaHq4jdv2azIcUK5RZukTaI2wbUWeDRmBe91m4m70KiEDp
+ToS1l6pJLzPl6y8Uh7yWRjpaMFnEOMMqYI5HoiBzSPC8JAp+JqKlb3Y0jU5/hOIt
+eT9C31tzuazShpdM1QR8H1SNT301hAlqIoy9gnCCfbaSg3qYciHUj/tMLvHUhAVy
+IFeceLPl+38zxxk2YD6Ed5YhUqeuIR/2ZViPBaLfPvPw4rIqEu0MkPM9TxJ45+xF
+OX+esXExCb+EoG6ZHjup3Re5kevxYAo3QKU+xbYCFlTTEv/UgHIyajCk8x1/flhC
+CZmfQVF/C9Lpv35MfaDWkzQ2zVcdQGoH8Q0mELpYgoN8npb33mahVP8qxqWHzAdT
+o99CZMuUhVsbEtgDsZjxp6CrRDL8X99dxVEWwDwXzY3RgKuxLhCAUH7bhg0+ul0L
+xGId9GjHqX46/bN9UCOtrFh8eJlGnFw6I2shNiPauV2CW4SOi/Awzjm2lAN0KFXX
+iuGzVH9jVDtiGeLreGehXKByyjX3Zrwv3eMkhF+aJUuin/i5APRe4OWBGp4sfDra
+MlFPI+JKDO5011RGgIB75PiqnRIDUtGe8ybjjXlGdnJ7WPW1YfygWXGCVkH19Iyt
+aMmvcKiYLxhrpUFiSXj78qBN/Pw=
+-----END CERTIFICATE-----

apps/epp_proxy/priv/test_ca/crl/crl2.pem

@@ -0,0 +1,20 @@
+-----BEGIN X509 CRL-----
+MIIDNjCCAR4CAQEwDQYJKoZIhvcNAQELBQAwgY0xCzAJBgNVBAYTAkVFMREwDwYD
+VQQIDAhIYXJqdW1hYTEQMA4GA1UEBwwHVGFsbGlubjEjMCEGA1UECgwaRWVzdGkg
+SW50ZXJuZXRpIFNpaHRhc3V0dXMxEjAQBgNVBAMMCWxvY2FsaG9zdDEgMB4GCSqG
+SIb3DQEJARYRaGVsbG9AaW50ZXJuZXQuZWUXDTIwMDcyMTA3MzgyOFoXDTMwMDcx
+OTA3MzgyOFowKjATAgIQARcNMjAwNzE3MTExMjAyWjATAgIQAhcNMjAwNzIxMDcz
+ODIyWqAwMC4wHwYDVR0jBBgwFoAUK5dLTkGkaueEF+ahfzni1s1mU/UwCwYDVR0U
+BAQCAhABMA0GCSqGSIb3DQEBCwUAA4ICAQAfqwrQHPHnj/QDS2zIlEn3YxfpCnla
+x3oaqryp8NRFwj49xkvH2gKrZlLj0yjO3mw0ZJXAsGbADIdqm8nVkFLg+2DyIXlp
+nvF9xpXk5sCMqXggcvm1qWXr76xgoq7DMRNw6usynej5ez1xWlPwcVunjJIUKk+x
+IM/9l6FyJpeuRv3xWlXdBGLz/WtH0+ycS/Ekl03fsMNaI4ZTefTt3tvORiK5apT8
+4oVnjEWneGfDFfIdj/N/wFphGwxLqo9RuITzupqg/RrXbe1/Z06V7TDPhXMGQyZx
+xM8kw4Cikj+VeQw/5nKWeuYD8/wnbex9XFK797HFjG+ReOGaPgFHu/A9ux35FM+6
+hXL1AS1Dv/04U5Siu8i9TatFUEgaLn0VAPoarPiy6kaa9wEne9dJ6C+LlQVxPQsr
+Yhjpp9DRtbmvJxuWredmI7sPmIcLdbpRu7gyxQYgFsQT7dcRCGgPR+viIfOkiquq
+dx2mhV4mHZxSLegXsLZ2X7bqXgb04YSBKxfRxfWizQfEJLonW+VI8enKh210Aw4R
+rch+igPxLHrZKBG/QcRzLI1wh5fZwW4ML5b4dMnJeDv7/8AfJufTtmpYg/AXAI80
+6SJsbHxJ242e3zzmO7FQ7aUz+Y24zrNsdtJvdTgEB0TTzrSfAJZoeZ6y8YCm4pyw
+pJeV6jyetNaivw==
+-----END X509 CRL-----

apps/epp_proxy/priv/test_ca/crl/d17a9cf0.r0

@@ -0,0 +1 @@
+crl.pem

apps/epp_proxy/priv/test_ca/crl/d17a9cf0.r1

@@ -0,0 +1 @@
+crl2.pem

apps/epp_proxy/priv/test_ca/crl/first/crl.pem

@@ -0,0 +1,19 @@
+-----BEGIN X509 CRL-----
+MIIDITCCAQkCAQEwDQYJKoZIhvcNAQELBQAwgY0xCzAJBgNVBAYTAkVFMREwDwYD
+VQQIDAhIYXJqdW1hYTEQMA4GA1UEBwwHVGFsbGlubjEjMCEGA1UECgwaRWVzdGkg
+SW50ZXJuZXRpIFNpaHRhc3V0dXMxEjAQBgNVBAMMCWxvY2FsaG9zdDEgMB4GCSqG
+SIb3DQEJARYRaGVsbG9AaW50ZXJuZXQuZWUXDTIwMDcxNzExMTIwOVoXDTMwMDcx
+NTExMTIwOVowFTATAgIQARcNMjAwNzE3MTExMjAyWqAwMC4wHwYDVR0jBBgwFoAU
+K5dLTkGkaueEF+ahfzni1s1mU/UwCwYDVR0UBAQCAhAAMA0GCSqGSIb3DQEBCwUA
+A4ICAQA8EGqpuVnqlM04otgIoFPDYGqYhv7wTCQFx3iIS5KgEh2E96iHACVi3Q6m
+5RmYv1LIrcrrY9GGW8Vgv4lOyPOzpGawCWfrnhGABe5nE5MG591O2X2CQmCjZmL7
+ga0ZPRzHfXTs9XTxBFslcmUXQipy2/sG623Db7/OIZQio7c9F6zfC6cb8ebVxpPD
+nstrMOtzpU/nJqytT5KiBeA5Kr2zJqmpwvqZKzRmrM4gFQBtuy2x2qXbjr+CfSIA
+DDpkE/Q90aRNqZ1dGvMl+GvOqabndoTlUBwBkRt5SkxXDNiYfLaj3y6CiMR3TAVV
+W0pryjUXJ/s2VVCnqSsC2y7jCMSQk7dkcjOlmIJidoJTyqwrAnRptKoLEBp24qe+
+o8DCaWW4jcQSwCgZK3M5YxvOfugZ1I91zuK9HIIRZNJhANiKuzPi+4uwK1JxOzY4
+uI/9Q7bkhDrPSea9b3vdsO+5kfdjnxx/21mVSLqsllm8Gnl2cA80IBXSYOB9JTTV
+5vn0+QAW1GrRH5VzmVo/lTW+qj73EfejLy/g6s+I5W9dQcQl9IRerDR90mXsE1ll
+MPRQQHxNERtHDg2Rg8flwYl5gE3e7OO2xKlr1jyI1F9QSTsQHQQJCpOJsevJzIkO
+jJ+LfUfVcjp+uxa/KOulfgBi13Lco1Yfn9oEgIMPd+zUQvL9HQ==
+-----END X509 CRL-----

apps/epp_proxy/priv/test_ca/crl/first/d17a9cf0.r0

@@ -0,0 +1 @@
+crl.pem

apps/epp_proxy/priv/test_ca/crl/second/crl2.pem

@@ -0,0 +1,20 @@
+-----BEGIN X509 CRL-----
+MIIDNjCCAR4CAQEwDQYJKoZIhvcNAQELBQAwgY0xCzAJBgNVBAYTAkVFMREwDwYD
+VQQIDAhIYXJqdW1hYTEQMA4GA1UEBwwHVGFsbGlubjEjMCEGA1UECgwaRWVzdGkg
+SW50ZXJuZXRpIFNpaHRhc3V0dXMxEjAQBgNVBAMMCWxvY2FsaG9zdDEgMB4GCSqG
+SIb3DQEJARYRaGVsbG9AaW50ZXJuZXQuZWUXDTIwMDcyMTA3MzgyOFoXDTMwMDcx
+OTA3MzgyOFowKjATAgIQARcNMjAwNzE3MTExMjAyWjATAgIQAhcNMjAwNzIxMDcz
+ODIyWqAwMC4wHwYDVR0jBBgwFoAUK5dLTkGkaueEF+ahfzni1s1mU/UwCwYDVR0U
+BAQCAhABMA0GCSqGSIb3DQEBCwUAA4ICAQAfqwrQHPHnj/QDS2zIlEn3YxfpCnla
+x3oaqryp8NRFwj49xkvH2gKrZlLj0yjO3mw0ZJXAsGbADIdqm8nVkFLg+2DyIXlp
+nvF9xpXk5sCMqXggcvm1qWXr76xgoq7DMRNw6usynej5ez1xWlPwcVunjJIUKk+x
+IM/9l6FyJpeuRv3xWlXdBGLz/WtH0+ycS/Ekl03fsMNaI4ZTefTt3tvORiK5apT8
+4oVnjEWneGfDFfIdj/N/wFphGwxLqo9RuITzupqg/RrXbe1/Z06V7TDPhXMGQyZx
+xM8kw4Cikj+VeQw/5nKWeuYD8/wnbex9XFK797HFjG+ReOGaPgFHu/A9ux35FM+6
+hXL1AS1Dv/04U5Siu8i9TatFUEgaLn0VAPoarPiy6kaa9wEne9dJ6C+LlQVxPQsr
+Yhjpp9DRtbmvJxuWredmI7sPmIcLdbpRu7gyxQYgFsQT7dcRCGgPR+viIfOkiquq
+dx2mhV4mHZxSLegXsLZ2X7bqXgb04YSBKxfRxfWizQfEJLonW+VI8enKh210Aw4R
+rch+igPxLHrZKBG/QcRzLI1wh5fZwW4ML5b4dMnJeDv7/8AfJufTtmpYg/AXAI80
+6SJsbHxJ242e3zzmO7FQ7aUz+Y24zrNsdtJvdTgEB0TTzrSfAJZoeZ6y8YCm4pyw
+pJeV6jyetNaivw==
+-----END X509 CRL-----

apps/epp_proxy/priv/test_ca/crl/second/d17a9cf0.r0

@@ -0,0 +1 @@
+crl2.pem

apps/epp_proxy/priv/test_ca/csrs/revoked2.csr.pem

@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIE1DCCArwCAQAwgY4xCzAJBgNVBAYTAkVFMREwDwYDVQQIDAhIYXJqdW1hYTEQ
+MA4GA1UEBwwHVGFsbGlubjEjMCEGA1UECgwaRWVzdGkgSW50ZXJuZXRpIFNpaHRh
+c3V0dXMxEzARBgNVBAMMCmxvY2FsaG9zdDMxIDAeBgkqhkiG9w0BCQEWEWhlbGxv
+QGludGVybmV0LmVlMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAn1a9
+o47HyoHT/7MnbeGn1HavpBQ0wlaDckNTaolm4dnX0Nafjv58ONA5GqaIW81MMKnU
+QqySTinKRYQa2fCbuycTY32i+g0SYp9iQ+Ioe3B6IevQihSwH21miNLJqiUZfFIt
+JeCVdKnfPAHm/VuhU6Pt0QfG8rpB4vL9tirN1U6xkQpyPPlQCOCd3gJ91LogFbgO
+CTUkwdkYxMVuutW6cH82joUBGKw74CrXVLcCT1bIGh7a5Q9LtEt3LL8RUaFt+3pA
+T4Q1zeAvsseVDYuNVQXYhLAbxQuXh/QDy2bKTd14P9I8aSVBUb0z/Vi/vPlpNIH7
+WjTdI9vhpsmJ5j5EXcvNk7uhru/OfnZnyDOI2jmswdfpD6QuqSCepG9HRWT6qRuG
+xkefLrygU1mbz5NaoNaZmkwpHe9AQLX3B8C4LGsEALlccsf/BjuRKeDY8pS5GgAI
+Cy1r0mYCdN5C0oUyPrrAh76duv1DTd1rdp1UA5VFOuWwi6T/2+jm7ik6zYz6zlDy
+SKwjjUKb0SQ2CZUDB5jUtvJldXWf+ybOwe2NKQ1yj3l1m05WUAdbkYHu/XOPsSez
+H3okwG8Gr7RcJQyAIlc1hi9wH1gwtV9m4Fqh7XnADH3e61J58+AUcVgnv+mNky3T
+zxJtH1ILI2RgU6Q2t3Fptue1hL3wJcUjiAHrassCAwEAAaAAMA0GCSqGSIb3DQEB
+CwUAA4ICAQApchMGYc4YX8s67DrFX0xZkP/ofRpq3OPrWvAGHtsWEUGvy/ItzCSc
+OxUNMlrE3f+eOGObZFllS2T+KFEeE+V54wVDIj7OtNup9Np0M2keIu5A5nVEOYiN
+fjFjM/NyeKbWwtLzUJitbhxWGXR1WLGCM98k3qF40siCBvsIGINUx7N9g1c/VmaA
+//Pifihlm7gvfBuiYHCU8mOuxQs2JMYfdh/MJ3fo8iqGY7dfY+aH7Cx3y1WCbR7v
+54RNJylGXTapI81bRe5AHIFQohzUf3LzHS7EeBSMzEMOmEXhAoy4MJk9uI27L96E
+2hYIr20Xza43dq2JWQKgshl5FDtcGrVD6JMg1+/mDaZCxVENrDelRXD7TaAUo8Sh
+BPHixdsjNzxWaE8njhDilZ4xY8id3UHRtCtK6TRrmbvuiUoD+VWu7SW7ZLXmnHLq
+5OIcZv40gMKiBJOQuvgChM3h0hxuH11elFChk7CyzyUU/xa4qzvdkFFMrVOaO41p
+jtVLppMIdA34XFqmxufZoi5UsjZqQKaOG8uVKYbLCQks0mLYfhs8ArFugsVu6jdl
+sXMp3tDrSukNZOrgoS5SenJ1nNew17hSr+hH1n6I4cccsg39izRNGUF7mHyib713
+ugaNnZFBeZ29W71dvJtnLa+sNISjGVbbBwDQ4P+1kCNokGhifoVPgA==
+-----END CERTIFICATE REQUEST-----

apps/epp_proxy/priv/test_ca/generate_certificates.sh

@@ -11,5 +11,12 @@ openssl ca -config openssl.cnf -keyfile private/ca.key.pem -cert certs/ca.crt.pe
 
 openssl ca -config openssl.cnf -keyfile private/ca.key.pem -cert certs/ca.crt.pem -crldays 3650 -gencrl -out crl/crl.pem
 
+openssl genrsa -out private/revoked2.key.pem 4096
+openssl req -sha256 -config openssl.cnf -new -days 3650 -key private/revoked2.key.pem -out csrs/revoked2.csr.pem
+openssl ca -config openssl.cnf -keyfile private/ca.key.pem -cert certs/ca.crt.pem -extensions usr_cert -notext -md sha256 -in csrs/revoked2.csr.pem -days 3650 -out certs/revoked2.crt.pem
+openssl ca -config openssl.cnf -keyfile private/ca.key.pem -cert certs/ca.crt.pem -revoke certs/revoked2.crt.pem
+
+openssl ca -config openssl.cnf -keyfile private/ca.key.pem -cert certs/ca.crt.pem -crldays 3650 -gencrl -out crl/crl2.pem
+
 openssl req -config openssl.cnf -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout private/apache.key -config server.csr.cnf
 openssl x509 -req -in server.csr -CA certs/ca.crt.pem  -CAkey private/ca.key.pem -CAcreateserial -out certs/apache.crt -days 3650 -sha256 -extfile v3.ext

apps/epp_proxy/priv/test_ca/private/revoked2.key.pem

@@ -0,0 +1,51 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIJJwIBAAKCAgEAn1a9o47HyoHT/7MnbeGn1HavpBQ0wlaDckNTaolm4dnX0Naf
+jv58ONA5GqaIW81MMKnUQqySTinKRYQa2fCbuycTY32i+g0SYp9iQ+Ioe3B6IevQ
+ihSwH21miNLJqiUZfFItJeCVdKnfPAHm/VuhU6Pt0QfG8rpB4vL9tirN1U6xkQpy
+PPlQCOCd3gJ91LogFbgOCTUkwdkYxMVuutW6cH82joUBGKw74CrXVLcCT1bIGh7a
+5Q9LtEt3LL8RUaFt+3pAT4Q1zeAvsseVDYuNVQXYhLAbxQuXh/QDy2bKTd14P9I8
+aSVBUb0z/Vi/vPlpNIH7WjTdI9vhpsmJ5j5EXcvNk7uhru/OfnZnyDOI2jmswdfp
+D6QuqSCepG9HRWT6qRuGxkefLrygU1mbz5NaoNaZmkwpHe9AQLX3B8C4LGsEALlc
+csf/BjuRKeDY8pS5GgAICy1r0mYCdN5C0oUyPrrAh76duv1DTd1rdp1UA5VFOuWw
+i6T/2+jm7ik6zYz6zlDySKwjjUKb0SQ2CZUDB5jUtvJldXWf+ybOwe2NKQ1yj3l1
+m05WUAdbkYHu/XOPsSezH3okwG8Gr7RcJQyAIlc1hi9wH1gwtV9m4Fqh7XnADH3e
+61J58+AUcVgnv+mNky3TzxJtH1ILI2RgU6Q2t3Fptue1hL3wJcUjiAHrassCAwEA
+AQKCAgBl068ZiTOQ7Osoa7t081Kn6rlQaEFXOKaELRZv7SM8jlTnd2E8ptGIFTmJ
+GIfn8wkPyFiHy3UsUnSbfFMUmDlNnyk62Z1/oz7um+DWdP9d84F5kBQTSilLzERM
+iDisbU0eL/3+SMn6ZlztImIV46rzor1makvv7qwQdy1Ab5ZfDQ1ZHY3n/YPySGla
+6ci0W8YJWzhNFhNJdo3noiyjZdbh8cpRxhnvRJJ3Lamyz8nAHjt+xd0pqV6998RP
+akONIVcB8RyMNHeV/AE/hWBx6Y8GmNfH5Cu6/y91iLGsGSKMJE6mqppEr7RQolNJ
+QqA2CkX7cl3JRiNUuT45sm5YH87cCCjcgYvP/OlKkW/aEx/69v/i3MpISxoXgAGt
+F2zRuqGdYwKAeheQ/D7bdIiAkfAIL0HinVpJOuGDVT6RNCCzoRpJRaHwq+Rmx/TD
+wV4wAJ8Fcc1WGyOOYg86cjZa12wljGucy/m88jN0x4si2nctg123rN0Z4TEx9xfU
+Olo2WIiNDiyL/wWI+bZUo/ucNO4buheeRiadmHrXU7rAKujWeeyN2fbOkJQnx4J8
+T1HNBTDG/wnblKc3JmkBxyWDo1Cz+Bj3qkA5cjCIIBbwo0vxzh7Qv4hdCiT6Ibbs
+NDpMvkhp5zbw4gittGwZwxHxJtVaHrk9gRgkP8tjJQ9TrGjzEQKCAQEAzP5h6U/c
+4yUTuOP2tWKAD96Lpq3LfaHTLbi0HzW7343AH1LvCEJsApMkkhWeqxxVSvqQL04r
+xgBAGzzwlNB8rmGYckSQ5F1u0Y2bMxxEjKuYMgDmuAlG9xzpySSTHqWqyruF6Vng
+xd8XxAFS3Jxw0hNuypd+ZQLhPdqsZVsZza4hQ/g5hdHFeSH/iBkdJGSvTEyBqT5v
+pfCa9IW2NWZZcKHZZ+YM/ZrogJlEuattrM6EfyK6C52yGFBCCCggUveF+E/krdVI
+ggQqJoegXdSF3ostxgA+O73Bg+0We6F1Ps4xMJiq8B2w7DwVoaPj1oBaUrQtMH2H
+TdMJ+Yiut25XhwKCAQEAxvxAUVVkm8H61G8TZy3VT2djucN382+Q2oCjGzV7vCXS
+mQLPaGN6S7xUX9uixDmvgxmhfDDuiRNqyNoOQV9VEQj7yGysANFJ4dHm4UPXXvDH
+P70JPkDIWhFkAM7N6B0t6wASt9MMYAx64dpyWT75vbXUy008J6E5jQZkpDV3m9qx
+unYwYR+rv3Srg+5Fw210LrthBw9CWqd3rUQ99yb2INlqqahxQr4RNX+8o/4AFGuM
+93t2qmZeN86rSOrigJzfKYeo/h2GP4DR4Ll+yPQNiIwy5W/qbgty1Fd8C3b+Ey1b
+K4VxadQC0yL2u/P/SBRqa4vJ7j6rM7NrU8lY9/ebnQKCAQAlLAu9Lwoy9ko5QL0/
+7vih6A0S0HkR8wJETDX9YtUKmL258GP/72t+nAgJpXn8NUsSKZVzvo0Zfnohdk95
+7MRvKqtmLSDJCFhMD42RGxMjHwqeJqOvw57muIt8OfGjoQ7zbEXAJtgniWjZ1hOc
+hZG/xl5UxlvZHUiS2tBgIMDxFx5ZIO3tYjiY2p1npIYwT0GqaEUq13OPd63hoU2F
+KWYWkoLF4GWCp1B54VEhCgD9UQWduEJcUOA2oHcY243g/ZmBiZtCGmbnjLHIAtgF
+q8AKtto6CVk/pA0vSxLEoGaOWP16fnSgzgGDFPInOXzbLLM0RA/dtyWN6zLn2O01
+vgCJAoIBAHf6AmHH5hiP9kf+DSnqFbKBuTx5Yiqyexlz9GRkdA22lGtTqXDcghGG
+JS2DBXng+jVGz/pMmpal0X33FB9Qdr8FtqJa+76mcjCpWdc7C3GgJdMFjLwvXV4J
+HE3sY3Rvm48VBTQ3GUAUZkclakrrULOVHg/SqtGOQWAJmcb0wgCD9SNjPbph2TFg
+DEZI9WFm7mV6737NMYntbZhYDDCoGkEmNkzDVj8S0Nd8BGawsKWfT2is1ZjajjaB
+8v7NOPKpI1ksBbXqYVaKuoEP9yT9GefZ+JokR6pAVuU3NoDHJ1yyvUTZec+AWI+r
+hi8/aA2y2ZOsvn1a5ekPZkgnn/ArKHUCggEAHGfHVEg/k6AtBggtwfVRJAYviDh+
+7lfWCJxDZozC6/Lny/kexJcvHERuxDlp+E0Oa3ZHXaxlzG0yaGGXbfrilmSpDmmH
+Y1UXjXHTf/slP3fpTZVeibr6HOlVMnZEQEwJjEufvJRXXl+pc5zvqbD3ng8qI+Tf
+gJKCFGz+QabzTyEloI4shgjZcC985MHKej4Cmo+BhsSRwBugthfVF74SzejkbJe7
+nh/tpQ0dm5JvH/seNCkNYEZLOmT7aMy1eikdra6Xth+temDFqpNfwJAfby9rPunq
+3CEqQJxzNgr/GzuoV/yj/V/r71af+0C+MRqpu7Z8Dc4RFkntnix51cLUpg==
+-----END RSA PRIVATE KEY-----

apps/epp_proxy/src/epp_proxy_sup.erl

@@ -60,8 +60,11 @@ init([]) ->
     MemoryMonitor = #{id => memory_monitor, type => worker,
 		      modules => [memory_monitor],
 		      start => {memory_monitor, start_link, []}},
+		TLSMonitor = #{id => epp_tls_monitor, type => worker,
+			modules => [epp_tls_monitor],
+			start => {epp_tls_monitor, start_link, []}},
     SharedSpecs = [TLSAcceptor, PoolSupervisor,
-		   MemoryMonitor],
+		   MemoryMonitor, TLSMonitor],
     ChildrenSpec = case ?DevMode of
 		     {ok, true} -> [TCPAcceptor | SharedSpecs];
 		     _ -> SharedSpecs

apps/epp_proxy/src/epp_tls_acceptor.erl

@@ -10,7 +10,7 @@
 
 %% gen_server callbacks
 -export([handle_call/3, handle_cast/2, init/1,
-	 start_link/1]).
+	 start_link/1, terminate/2]).
 
 -export([crl_file/0]).
 
@@ -52,6 +52,9 @@ handle_cast(accept,
      State#state{socket = ListenSocket, port = Port,
 		 options = Options}}.
 
+terminate(_Reason, _State) ->
+    ok.
+
 handle_call(_E, _From, State) -> {noreply, State}.
 
 %% Create a worker process. These are short lived and should not be restarted,
@@ -88,15 +91,15 @@ crl_file() ->
       {ok, CrlFile} -> epp_util:path_for_file(CrlFile)
     end.
 
+
 %% In some environments, we do not perform a CRL check. Therefore, we need
 %% different options proplist.
 handle_crl_check_options(Options) ->
     case application:get_env(epp_proxy, crlfile_path) of
       undefined -> Options;
-      {ok, _CrlFile} ->
-	  ssl_crl_cache:insert({file, crl_file()}),
+      {ok, CrlFile} ->
 	  NewOptions = [{crl_check, peer},
-			{crl_cache, {ssl_crl_cache, {internal, [{http, 5000}]}}}
+			{crl_cache, {ssl_crl_hash_dir, {internal, [{dir, epp_util:path_for_file(CrlFile)}]}}}
 			| Options],
 	  NewOptions
     end.

apps/epp_proxy/src/epp_tls_monitor.erl

@@ -0,0 +1,78 @@
+%%%-------------------------------------------------------------------
+%%% @doc
+%%%
+%%% Monitor module for reloading epp_tls_acceptor on runtime
+%%% Used to renew CRLs once in 30 minutes
+%%% @end
+%%% Created: 20 Feb 2020
+%%%-------------------------------------------------------------------
+-module(epp_tls_monitor).
+
+-behaviour(gen_server).
+
+-define(THIRTY_MINUTES_IN_MS, 30 * 60 * 1000).
+
+-export([init/1, start_link/0]).
+
+-export([code_change/3, handle_call/3, handle_cast/2,
+  handle_info/2, terminate/2]).
+
+-export([reload_acceptor/0]).
+
+-record(state, {timer_ref  :: timer:tref()}).
+
+-type state() :: #state{}.
+
+-spec start_link() -> ignore | {error, _} | {ok, pid()}.
+
+start_link() ->
+  gen_server:start_link({local, ?MODULE}, ?MODULE, [],
+    []).
+
+-spec init([]) -> {ok, state()}.
+
+init([]) ->
+  TimerReference = erlang:send_after(?THIRTY_MINUTES_IN_MS, self(), reload_acceptor),
+  erlang:send(self(), reload_acceptor),
+  {ok, #state{timer_ref = TimerReference}}.
+
+%%%-------------------------------------------------------------------
+%%% GenServer callbacks
+%%%-------------------------------------------------------------------
+-spec handle_call(_, _, State) -> {stop,
+  not_implemented, State}.
+
+handle_call(_M, _F, State) ->
+  {stop, not_implemented, State}.
+
+-spec handle_cast(_, State) -> {stop, not_implemented,
+  State}.
+
+handle_cast(_M, State) ->
+  {stop, not_implemented, State}.
+
+-spec handle_info(reload_acceptor, _) -> {noreply, _}.
+
+handle_info(reload_acceptor, State = #state{timer_ref = TimerReference}) ->
+  _ = erlang:cancel_timer(TimerReference, [{async, true}, {info, false}]),
+  TRef = erlang:send_after(?THIRTY_MINUTES_IN_MS, self(), reload_clr_file),
+  ok = reload_acceptor(),
+  {noreply, State#state{timer_ref = TRef}}.
+
+-spec terminate(_, state()) -> ok.
+
+terminate(_Reason, State) ->
+  _ = erlang:cancel_timer(State#state.timer_ref, [{async, true}, {info, false}]),
+  ok.
+
+-spec code_change(_, _, _) -> {ok, _}.
+
+code_change(_OldVersion, State, _Extra) -> {ok, State}.
+
+%%%-------------------------------------------------------------------
+%%% Internal functions
+%%%-------------------------------------------------------------------
+reload_acceptor() ->
+  supervisor:terminate_child(epp_proxy_sup, epp_tls_acceptor),
+  supervisor:restart_child(epp_proxy_sup, epp_tls_acceptor),
+  ok.

apps/epp_proxy/src/epp_tls_worker.erl

@@ -7,7 +7,7 @@
 -include("epp_proxy.hrl").
 
 %% gen_server callbacks
--export([handle_call/3, handle_cast/2, init/1,
+-export([handle_call/3, handle_cast/2, init/1, handle_info/2,
 	 start_link/1]).
 
 -export([code_change/3]).
@@ -56,7 +56,7 @@ handle_cast(greeting,
 						headers => Headers,
 						cl_trid => nomatch}),
     {_Status, Body} = epp_http_client:request(Request),
-    frame_to_socket(Body, Socket),
+    frame_to_socket(Body, Socket, State),
     gen_server:cast(self(), process_command),
     {noreply,
      State#state{socket = Socket, session_id = SessionId}};
@@ -93,7 +93,7 @@ handle_cast(process_command,
 						      cl_trid => ClTRID})
     end,
     {_Status, Body} = epp_http_client:request(Request),
-    frame_to_socket(Body, Socket),
+    frame_to_socket(Body, Socket, State),
     %% On logout, close the socket.
     %% Else, go back to the beginning of the loop.
     if Command =:= "logout" ->
@@ -109,16 +109,25 @@ handle_cast(process_command,
 
 handle_call(_E, _From, State) -> {noreply, State}.
 
+handle_info(ssl_closed, State) ->
+	{stop, normal, State};
+handle_info(_Info, State) ->
+	{noreply, State}.
+
 code_change(_OldVersion, State, _Extra) -> {ok, State}.
 
 %% Wrap a message in EPP frame, and then send it to socket.
-frame_to_socket(Message, Socket) ->
+frame_to_socket(Message, Socket, State) ->
     Length = epp_util:frame_length_to_send(Message),
     ByteSize = <<Length:32/big>>,
     CompleteMessage = <<ByteSize/binary, Message/binary>>,
-    write_line(Socket, CompleteMessage).
+    write_line(Socket, CompleteMessage, State).
 
-write_line(Socket, Line) -> ok = ssl:send(Socket, Line).
+write_line(Socket, Line, State) ->
+	case ssl:send(Socket, Line) of
+		ok -> ok;
+		{error, closed} -> {stop, normal, State}
+	end.
 
 frame_from_socket(Socket, State) ->
     case ssl:recv(Socket, 0, ?DefaultTimeout) of