HTTPS Feature request: Hotswap TLS certificates

[fresheneesz]

I'd like to suggest that there be a way to swap out your TLS certificate (and TLS keys would be nice as well) without bringing your server down. This would enable me to properly do fully-automatic certificate renewal with something like Lets' Encrypt. Existing connections could keep using the old cert, but new connections would use the new one. Should be possible, right?

[mscdex]

Isn't this already possible via SNICallback?

[fresheneesz]

Ooo, looks like it is.. I'll have to try that.

[sam-github]

The docs say the SNICallback is only used if the client uses the SNI extension. Is that wrong? Will the SNICallback be used for every TLS handshake if defined?

[mscdex]

@sam-github Not wrong, but almost all modern clients are SNI-capable. There is an example supported client table here FWIW.

[addaleax]

See also #4464 (which makes sound like a duplicate of that?)

[bnoordhuis]

Closing as duplicate of #4464.