Reload TLS certificates on SIGHUP

amatveev-cf · dormando · commit 4b9e6198fc44 · 2025-12-16T15:59:35.000-08:00
SIGHUP is the standard way of forcing daemons to reload their
configuration, but memcached only reloads TLS certificates in response
to the `refresh_certs` command, which requires a lot more work to issue.
When implementing automatic certificate updates, it's a lot more
straightforward to follow the standard signal-based approach.
diff --git a/doc/tls.txt b/doc/tls.txt
@@ -126,7 +126,8 @@ When this happens we want server to use the new certificate without restarting t
 Memcached is a cache and restarting servers affects the latency of applications. We implement
 the automatic certificate refresh through a command. Upon receiving the "refresh_certs" command,
 the server reloads the certificates and key to the SSL Context object. Existing connection won't be
-interrupted but new connections will use the new certificate.
+interrupted but new connections will use the new certificate. Additionally to the "refresh_certs"
+command, memcached also refreshes its certificates upon receiving the SIGHUP signal.
 
 We understand not all users want to use TLS or have the OpenSSL dependency. Therefore
 it's an optional module at the compile time. We can build a TLS capable Memcached server with
diff --git a/memcached.c b/memcached.c
@@ -3918,11 +3918,23 @@ static void clock_handler(const evutil_socket_t fd, const short which, void *arg
     // This function should be quick to avoid delaying the timer.
     assoc_start_expand(stats_state.curr_items);
     // also, if HUP'ed we need to do some maintenance.
-    // for now that's just the authfile reload.
+    // for now that's just the authfile and TLS certificates reload.
     if (settings.sig_hup) {
         settings.sig_hup = false;
 
         authfile_load(settings.auth_file);
+
+#ifdef TLS
+        if (settings.ssl_ctx != NULL) {
+            char *errmsg = NULL;
+            refresh_certs(&errmsg);
+            if (errmsg != NULL) {
+                vperror("Could not reload TLS certificates on SIGHUP: %s", errmsg);
+                free(errmsg);
+            }
+        }
+#endif
+
 #ifdef PROXY
         if (settings.proxy_ctx) {
             proxy_start_reload(settings.proxy_ctx);
