Automatic TLS Certificate Reload

Signed-off-by: Satheesha Chattenahalli Hanume Gowda <satheesha@apple.com>

Author: Satheesha Chattenahalli Hanume Gowda

src/config.c

@@ -3399,6 +3399,7 @@ standardConfig static_configs[] = {
 
     /* Tls configs */
     createIntConfig("tls-port", NULL, MODIFIABLE_CONFIG, 0, 65535, server.tls_port, 0, INTEGER_CONFIG, NULL, applyTLSPort), /* TCP port. */
+    createIntConfig("tls-cert-reload-interval_mins", NULL, MODIFIABLE_CONFIG, 0, INT_MAX, server.tls_ctx_config.cert_reload_interval_mins, 0, INTEGER_CONFIG, NULL, applyTlsCfg),
     createIntConfig("tls-session-cache-size", NULL, MODIFIABLE_CONFIG, 0, INT_MAX, server.tls_ctx_config.session_cache_size, 20 * 1024, INTEGER_CONFIG, NULL, applyTlsCfg),
     createIntConfig("tls-session-cache-timeout", NULL, MODIFIABLE_CONFIG, 0, INT_MAX, server.tls_ctx_config.session_cache_timeout, 300, INTEGER_CONFIG, NULL, applyTlsCfg),
     createBoolConfig("tls-cluster", NULL, MODIFIABLE_CONFIG, server.tls_cluster, 0, NULL, applyTlsCfg),

src/server.h

@@ -1587,6 +1587,7 @@ typedef struct serverTLSContextConfig {
     int session_caching;
     int session_cache_size;
     int session_cache_timeout;
+    int cert_reload_interval_mins;
 } serverTLSContextConfig;
 
 /*-----------------------------------------------------------------------------

src/tls.c

@@ -284,6 +284,8 @@ static SSL_CTX *createSSLContext(serverTLSContextConfig *ctx_config, int protoco
     return NULL;
 }
 
+static long long lastTlsConfigureTime = 0LL;
+
 /* Attempt to configure/reconfigure TLS. This operation is atomic and will
  * leave the SSL_CTX unchanged if fails.
  * @priv: config of serverTLSContextConfig.
@@ -296,6 +298,9 @@ static int tlsConfigure(void *priv, int reconfigure) {
     SSL_CTX *ctx = NULL;
     SSL_CTX *client_ctx = NULL;
 
+    serverLog(LL_DEBUG, "Configuring TLS");
+    lastTlsConfigureTime = server.ustime;
+
     if (!reconfigure && valkey_tls_ctx) {
         return C_OK;
     }
@@ -419,6 +424,18 @@ static int tlsConfigure(void *priv, int reconfigure) {
     return C_ERR;
 }
 
+static void tlsReconfigureIfNeeded(void) {
+    if (server.tls_ctx_config.cert_reload_interval_mins > 0) {
+        const long long configAgeMicros = server.ustime - lastTlsConfigureTime;
+        const long long configAgeMinutes = ((configAgeMicros / 1000) / 1000) / 60;
+        if (configAgeMinutes > server.tls_ctx_config.cert_reload_interval_mins) {
+            if (tlsConfigure(&server.tls_ctx_config, 1) == C_ERR) {
+                serverLog(LL_WARNING, "Unable to update TLS configuration. Check server logs.");
+            }
+        }
+    }
+}
+
 static ConnectionType CT_TLS;
 
 /* Normal socket connections have a simple events/handler correlation.
@@ -465,6 +482,8 @@ static void updateTLSError(tls_connection *conn) {
 }
 
 static connection *createTLSConnection(int client_side) {
+    // Reload the cert if needed for new connections
+    tlsReconfigureIfNeeded();
     SSL_CTX *ctx = valkey_tls_ctx;
     if (client_side && valkey_tls_client_ctx) ctx = valkey_tls_client_ctx;
     tls_connection *conn = zcalloc(sizeof(tls_connection));

valkey.conf

@@ -324,6 +324,12 @@ tcp-keepalive 300
 #
 # tls-session-cache-timeout 60
 
+# Specifies a periodic interval to check and hot-reload updated TLS certificate files from disk.
+# This is useful when certificates are renewed while the server is running.
+# A value of 0 (default) disables periodic cert reloading.
+#
+# tls-cert-reload-interval_mins 1440
+
 ################################### RDMA ######################################
 
 # Valkey Over RDMA is experimental, it may be changed or be removed in any minor or major version.