Re: Rotate SSL certificates on reload (SIGHUP) without restart

From: Tatsuo Ishii <ishii(at)postgresql(dot)org>
To: bob(dot)ross(dot)19821(at)gmail(dot)com
Cc: pgpool-hackers(at)lists(dot)postgresql(dot)org
Subject: Re: Rotate SSL certificates on reload (SIGHUP) without restart
Date: 2026-04-14 08:01:51
Message-ID: 20260414.170151.1083817546153854089.ishii@postgresql.org
Lists: pgpool-hackers

Hi Bob,

> Hi Tatsuo,
>
> Please let me know if you need any assistance with updating your test
> cases. I am happy to help.
>
> Thanks,
> Bob

Sorry for the late reply. I was busy with personal affairs and some other
projects.

> On Thu, Apr 2, 2026 at 9:57 PM Bob Ross <bob(dot)ross(dot)19821(at)gmail(dot)com> wrote:
>
>> Hi Tatsuo,
>>
>> Thanks for putting together the regression tests.
>>
>> Thoughts on your questions:
>> - CA Certificates - Yes, adding a cert auth test is highly recommended. We
>> could test this by generating two different dummy CA certificates. Start
>> pgpool trusting CA #1, swap the config to CA #2, reload and verify if
>> client connection correctly gets rejected.

If you could extend the test file I posted so that it performs a cert
auth test, that would be helpful.

>> - DH parameters - perhaps we can test this by providing a non-existent
>> file path and then use grep to check pgpool.log for specific warning
>> message (per pool_ssl.c it’s “DH: could not load DH parameters”) when
>> pgpool tries to load the file.

I think it will not work.

===================================================================
static bool
initialize_dh(SSL_CTX *context)
{
	DH		   *dh = NULL;

	SSL_CTX_set_options(context, SSL_OP_SINGLE_DH_USE);

	if (pool_config->ssl_dh_params_file[0])
		dh = load_dh_file(pool_config->ssl_dh_params_file);
	if (!dh)
		dh = load_dh_buffer(FILE_DH2048, sizeof(FILE_DH2048));
	if (!dh)
	{
		ereport(WARNING,
				(errmsg("DH: could not load DH parameters")));
		return false;
	}
	:
	:
===================================================================

The ereport message is printed when the built-in DH parameter file is
broken. But as long as the source file is fine, it would never happen.

Maybe we should fix the code above so that it emits ereport when it
fails to load the DH parameter file specified by ssl_dh_params_file?

Regards,
--
Tatsuo Ishii
SRA OSS K.K.
English: http://www.sraoss.co.jp/index_en/
Japanese:http://www.sraoss.co.jp
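
Added example (not part of the original message and not pgpool code): a stand-alone C model of the fallback logic quoted above, showing why a non-existent ssl_dh_params_file produces no "DH: could not load DH parameters" warning, and what a per-file check like the one suggested would change. The helper names, the header-only "load", the silent failure of the file loader and the text of the per-file warning are assumptions.

```c
/* Model of initialize_dh()'s fallback; "loading" only checks the PEM DH header. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define PEM_HDR "-----BEGIN DH PARAMETERS-----"
static const char BUILTIN_DH[] = PEM_HDR "\n(constructed placeholder)\n";
static int warnings;			/* number of warnings emitted so far */

/* Stand-in for ereport(WARNING, ...). */
static void warn(const char *msg, const char *detail)
{
	warnings++;
	fprintf(stderr, "WARNING: %s%s\n", msg, detail);
}

/* Stand-in for load_dh_buffer(): true if the buffer looks like DH PEM. */
static bool load_buffer(const char *buf)
{
	return strncmp(buf, PEM_HDR, strlen(PEM_HDR)) == 0;
}

/* Stand-in for load_dh_file(): false if the file is missing or not DH PEM. */
static bool load_file(const char *path)
{
	char line[128] = "";
	FILE *fp = fopen(path, "r");
	bool ok = fp && fgets(line, sizeof(line), fp) && load_buffer(line);
	if (fp)
		fclose(fp);
	return ok;
}

/* warn_on_file_failure=false models the quoted code, true the suggested change. */
bool model_initialize_dh(const char *params_file, bool warn_on_file_failure)
{
	bool dh = params_file[0] && load_file(params_file);
	if (params_file[0] && !dh && warn_on_file_failure)
		warn("DH: could not load ", params_file);	/* hypothetical text */
	if (!dh)
		dh = load_buffer(BUILTIN_DH);	/* silent fallback to built-in */
	if (!dh)
		warn("DH: could not load DH parameters", "");
	return dh;
}

int main(void)
{
	return !model_initialize_dh("/nonexistent/dh.pem", true);	/* warns, exits 0 */
}
```

With the quoted logic the built-in parameters mask the bad path, so a log grep for the existing message has nothing to match; the per-file warning is what a regression test could check for.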
