zeroc-ice / ice

All-in-one solution for creating networked applications with RPC, pub/sub, server deployment, and more.
https://zeroc.com
GNU General Public License v2.0

Allow hot reload of SSL certificates #334

Closed bentoi closed 3 months ago

bentoi commented 5 years ago

There's no easy way to hot reload certificates with IceSSL right now. With certificate authorities such as Let's Encrypt that deliver short-lived certificates, it would be good to add support for this to allow a process to reload the certificates without having to be restarted.

See also https://forums.zeroc.com/discussion/46665/can-glacier2-reload-ssl-certificates-at-runtime

We should also look into the ACME protocol to renew certificates and see if we can eventually integrate with it to make it easier to renew the certificates (although there are already clients which are doing this, such as certbot... so this probably doesn't really belong to Ice).

Hakky54 commented 5 months ago

I think it is already possible as it supports configuring a custom sslcontext as shown here: https://github.com/zeroc-ice/ice/blob/94ed83209787d3cb55f60318a9db5de1554a95c1/java/src/IceSSL/src/main/java/com/zeroc/IceSSL/Plugin.java#L24

A custom SSL context with a reloadable option can be set up as shown here with the help of a library: sslcontext-kickstart, so I think it can work out quite well with this kind of setup.

bernardnormier commented 5 months ago

You're right, the solution is to provide easy access to the native SSL context / options (exact name is programming language dependent) and then let the application use this native SSL context capabilities to switch certificates over time.

The first step to achieve this goal is to merge the IceSSL plugin into the Ice core. Having a plugin makes everything more complicated. See #1575.
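The two comments above (Hakky54's custom SSLContext and bernardnormier's "let the application use the native SSL context capabilities to switch certificates over time") both describe the same approach. The following is an added example, not code from the Ice project or from sslcontext-kickstart, showing what that approach looks like in plain JDK Java: a delegating `X509ExtendedKeyManager` that re-reads a key store file when it changes, so an `SSLContext` initialized once with it picks up renewed certificates for every new handshake without being rebuilt. It assumes the server key and chain are in a PKCS#12 file (for example one produced from the Let's Encrypt PEM files) and that the application can hand the resulting `SSLContext` to IceSSL through the plugin's context setter referred to in the linked Plugin.java; the class name, the `reloadIfChanged` method and the polling schedule are this example's own.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.Socket;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileTime;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicReference;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedKeyManager;

/**
 * Example (hypothetical class, not part of Ice): a key manager that re-reads a PKCS#12 file
 * when its modification time advances. SSLContext.init() keeps a reference to this object, and
 * every new handshake asks it for the alias, chain and key, so swapping the delegate is enough
 * to serve a renewed certificate to new connections; the context itself is never rebuilt.
 */
public final class ReloadableKeyManager extends X509ExtendedKeyManager {
    private final Path keyStorePath;
    private final char[] password;
    private final AtomicReference<X509ExtendedKeyManager> delegate = new AtomicReference<>();
    private FileTime loadedAt; // only touched under the reloadIfChanged() lock

    public ReloadableKeyManager(Path keyStorePath, char[] password)
            throws IOException, GeneralSecurityException {
        this.keyStorePath = keyStorePath;
        this.password = password.clone();
        this.delegate.set(load());
        this.loadedAt = Files.getLastModifiedTime(keyStorePath);
    }

    /** Reloads the key store if the file changed; returns true when a new one was installed. */
    public synchronized boolean reloadIfChanged() throws IOException, GeneralSecurityException {
        FileTime now = Files.getLastModifiedTime(keyStorePath);
        if (now.compareTo(loadedAt) <= 0) {
            return false;
        }
        // Parse and validate the whole file before publishing it: a half-written or corrupt
        // file throws here and the previously working key manager stays in place.
        X509ExtendedKeyManager fresh = load();
        delegate.set(fresh);
        loadedAt = now;
        return true;
    }

    private X509ExtendedKeyManager load() throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(keyStorePath)) {
            ks.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509ExtendedKeyManager) {
                return (X509ExtendedKeyManager) km;
            }
        }
        throw new GeneralSecurityException("no X509ExtendedKeyManager for " + keyStorePath);
    }

    // All lookups go to the current delegate. Keep the alias name stable across renewals so a
    // handshake that chose its alias just before a swap still finds a matching chain and key.
    @Override public String[] getClientAliases(String t, Principal[] i) { return delegate.get().getClientAliases(t, i); }
    @Override public String chooseClientAlias(String[] t, Principal[] i, Socket s) { return delegate.get().chooseClientAlias(t, i, s); }
    @Override public String[] getServerAliases(String t, Principal[] i) { return delegate.get().getServerAliases(t, i); }
    @Override public String chooseServerAlias(String t, Principal[] i, Socket s) { return delegate.get().chooseServerAlias(t, i, s); }
    @Override public X509Certificate[] getCertificateChain(String a) { return delegate.get().getCertificateChain(a); }
    @Override public PrivateKey getPrivateKey(String a) { return delegate.get().getPrivateKey(a); }
    @Override public String chooseEngineClientAlias(String[] t, Principal[] i, SSLEngine e) { return delegate.get().chooseEngineClientAlias(t, i, e); }
    @Override public String chooseEngineServerAlias(String t, Principal[] i, SSLEngine e) { return delegate.get().chooseEngineServerAlias(t, i, e); }

    /** Builds a context bound to this key manager; later reloads affect new connections. */
    public SSLContext newContext() throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { this }, null, null); // null = JDK default trust managers
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed paths and password for the example; a real deployment reads them from config.
        ReloadableKeyManager km = new ReloadableKeyManager(Path.of("/etc/myapp/server.p12"), "changeit".toCharArray());
        SSLContext ctx = km.newContext();
        // Hand ctx to IceSSL via the plugin's SSLContext setter (see the linked Plugin.java),
        // then poll for renewals; one failed reload is logged and the old key manager stays active.
        ScheduledExecutorService poller = Executors.newSingleThreadScheduledExecutor();
        poller.scheduleWithFixedDelay(() -> {
            try {
                if (km.reloadIfChanged()) System.out.println("certificate reloaded");
            } catch (Exception ex) {
                System.err.println("keeping previous certificate: " + ex);
            }
        }, 1, 1, TimeUnit.MINUTES);
    }
}
```

Two points matter in practice: only handshakes that start after the swap see the new certificate, since an in-progress or already established connection keeps whatever it negotiated, and the check relies on the file's modification time, so a renewal tool that rewrites the file in place with an unchanged timestamp would not be noticed (watching the directory or comparing a digest of the file avoids that).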

pepone commented 3 months ago

This is now supported with the new APIs, we will upgrade 3.8 docs with concrete examples.