Details in https://github.com/apache/trafficserver/pull/6609
I'm proposing to add functionality for plugins to load certificate and key information on configuration load and reload. I propose adding a hook, TS_LIFESTYLE_SSL_SECRET_HOOK, and a pair of TS APIs, TSSslSecretSet/Get.

The hook gets triggered before the SSL_CTX is created. The continuation is called with the name of the certificate or key as the data argument. The plugin then can load the certificate/key information from some other source (e.g. a key server, or just someplace else on disk, as the ssl_secret_load_test.cc does in the PR). The plugin calls TSSslSecretSet to update the secret table. After the hooks are called, the core looks for the data in the secret_map. If it is not present, the core loads the data from disk and puts it in the map. The SSL_CTX creation logic operates on a mem_bio instead of using the file oriented forms of the cert and key loading calls.

https://github.com/apache/trafficserver/blob/c011b03f79633674356eab1c37954aa8e5a06bfe/tests/tools/plugins/ssl_secret_load_test.cc shows an example plugin. This is used by the autests added in the PR. Given the secret name, it inserts an extra directory into the path and reads the certificate or key information from there.

I am working on updating the PR to handle both client and server certificates. Currently the PR only supports client certificates.

Please share your feedback via this email or the PR.

Thanks,
Susan
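Added illustration (not Traffic Server code, and not the plugin from the PR): a small C model of the load order the message describes, with the hooks run first, the secret table consulted next, and the original file read only when nothing supplied the bytes. The mock_secret_set/mock_secret_get functions stand in for the proposed TSSslSecretSet/TSSslSecretGet, the hook registry stands in for the proposed hook, and the paths, the "override" directory and the PEM bodies are all constructed for this example; it needs no OpenSSL and does not build an SSL_CTX.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of the load order described in the message. Nothing here is Traffic
 * Server code: the table, the mock_secret_set/get stand-ins for the proposed
 * TSSslSecretSet/Get, the hook registry, the paths and the "disk" contents
 * are all made up for this example. */

#define MAX_SECRETS 16
#define MAX_HOOKS   4

struct secret {
  char   name[128]; /* the path the core would otherwise open */
  char  *data;      /* PEM bytes of a certificate or private key */
  size_t len;
};
static struct secret secret_map[MAX_SECRETS];
static int           secret_count;

static struct secret *find_secret(const char *name)
{
  int i;
  for (i = 0; i < secret_count; i++)
    if (strcmp(secret_map[i].name, name) == 0)
      return &secret_map[i];
  return NULL;
}

/* Stand-in for TSSslSecretSet: insert or replace the bytes stored under name. */
int mock_secret_set(const char *name, const char *data, size_t len)
{
  struct secret *s    = find_secret(name);
  char          *copy = malloc(len + 1);
  if (!copy || strlen(name) >= sizeof secret_map[0].name || (!s && secret_count == MAX_SECRETS)) {
    free(copy);
    return -1;
  }
  memcpy(copy, data, len);
  copy[len] = '\0';
  if (!s) {
    s = &secret_map[secret_count++];
    strcpy(s->name, name);
  }
  free(s->data); /* NULL for a fresh slot */
  s->data = copy;
  s->len  = len;
  return 0;
}

/* Stand-in for TSSslSecretGet. */
const char *mock_secret_get(const char *name, size_t *len)
{
  struct secret *s = find_secret(name);
  if (!s)
    return NULL;
  if (len)
    *len = s->len;
  return s->data;
}

/* Hook registry: every registered continuation receives the secret name. */
typedef void (*secret_hook_fn)(const char *secret_name);
static secret_hook_fn hooks[MAX_HOOKS];
static int            hook_count;

int register_secret_hook(secret_hook_fn fn)
{
  if (hook_count == MAX_HOOKS)
    return -1;
  hooks[hook_count++] = fn;
  return 0;
}

/* Constructed stand-in for files on disk; paths and PEM bodies are invented. */
struct fake_file { const char *path; const char *contents; };
static const struct fake_file fake_disk[] = {
  { "/etc/trafficserver/ssl/server.pem", "-----BEGIN CERTIFICATE-----\nFROM-DISK-CERT\n-----END CERTIFICATE-----\n" },
  { "/etc/trafficserver/ssl/server.key", "-----BEGIN PRIVATE KEY-----\nFROM-DISK-KEY\n-----END PRIVATE KEY-----\n" },
  { "/etc/trafficserver/ssl/override/server.pem", "-----BEGIN CERTIFICATE-----\nFROM-PLUGIN-CERT\n-----END CERTIFICATE-----\n" },
};

static const char *fake_read_file(const char *path)
{
  size_t i;
  for (i = 0; i < sizeof fake_disk / sizeof fake_disk[0]; i++)
    if (strcmp(fake_disk[i].path, path) == 0)
      return fake_disk[i].contents;
  return NULL;
}

/* Plugin side, modelled on what the message says ssl_secret_load_test.cc does:
 * insert an extra directory before the file name and, if that file exists,
 * hand its bytes to the core under the original name. */
static void override_dir_hook(const char *secret_name)
{
  const char *slash = strrchr(secret_name, '/');
  const char *contents;
  char        alt[256];
  if (!slash)
    return;
  snprintf(alt, sizeof alt, "%.*s/override%s", (int)(slash - secret_name), secret_name, slash);
  contents = fake_read_file(alt);
  if (contents)
    mock_secret_set(secret_name, contents, strlen(contents));
  /* no alternate file: leave the table alone so the core reads the original */
}

/* Core side: run the hooks, consult the table, and read the original file only
 * when the table has no entry, storing what was read so later lookups hit it. */
const char *core_load_secret(const char *secret_name, size_t *len, int *found_in_table)
{
  int         i;
  const char *data, *disk;
  for (i = 0; i < hook_count; i++)
    hooks[i](secret_name);
  data = mock_secret_get(secret_name, len);
  *found_in_table = (data != NULL);
  if (data)
    return data;
  disk = fake_read_file(secret_name);
  if (!disk || mock_secret_set(secret_name, disk, strlen(disk)) != 0)
    return NULL;
  return mock_secret_get(secret_name, len);
}

int main(void)
{
  static const char *names[] = { "/etc/trafficserver/ssl/server.pem", "/etc/trafficserver/ssl/server.key" };
  size_t i, len;
  int    in_table;
  register_secret_hook(override_dir_hook);
  for (i = 0; i < 2; i++) {
    const char *pem = core_load_secret(names[i], &len, &in_table);
    printf("%s (%s):\n%s", names[i], in_table ? "supplied by plugin hook" : "read from disk", pem ? pem : "missing\n");
  }
  return 0;
}
```

The bytes core_load_secret returns are what the real core would wrap in BIO_new_mem_buf() and parse with PEM_read_bio_X509() or PEM_read_bio_PrivateKey() instead of passing a path to the file-oriented loaders. Two consequences of this order are worth keeping in mind when reviewing the design: whatever a hook stores under a name wins over the file, so a plugin with access to the hook can substitute the key for any certificate in the configuration, and the table keeps private key bytes in process memory across reloads, so a reload that rotates a key should overwrite the old entry rather than leave it behind.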