Re: Rotate SSL certificates on reload (SIGHUP) without restart

Hi Bob,

Thank you for the patch!

Unfortunately after applying the patch, the test failed. From
src/test/regression/log/042.ssl_reload:

===== ssl_ca_cert swap (client cert auth reload) =====
waiting for server to start....1462289 2026-04-16 19:25:49.490 JST LOG: redirecting log output to logging collector process
1462289 2026-04-16 19:25:49.490 JST HINT: Future log output will appear in directory "log".
done
server started
CA cert swap: CA1-signed client cert rejected before reload – unexpected.

From pgpool.log:

2026-04-16 19:26:10.150: child pid 1462331: DETAIL: Protocol Major: 1234 Minor: 5679 database: user:
2026-04-16 19:26:10.150: child pid 1462331: DEBUG: selecting backend connection
2026-04-16 19:26:10.150: child pid 1462331: DETAIL: SSLRequest from client
2026-04-16 19:26:10.150: child pid 1462331: DEBUG: pool_write: to frontend: kind:S po:0
2026-04-16 19:26:10.150: child pid 1462331: DEBUG: pool_flush_it: flush size: 1
2026-04-16 19:26:10.167: child pid 1462331: LOG: pool_ssl: "SSL_accept": "tlsv1 alert unknown ca"
2026-04-16 19:26:10.167: child pid 1462331: DEBUG: unable to read data from frontend
2026-04-16 19:26:10.167: child pid 1462331: DETAIL: socket read failed with error "Connection reset by peer"

Please let me know if you need more info.

Regards,
--
Tatsuo Ishii
SRA OSS K.K.
English: http://www.sraoss.co.jp/index_en/
Japanese:http://www.sraoss.co.jp

> Hi Tatsuo,
>
> Please see attached v2. It adds regression coverage for SSL cert reload
> with client certificate authentication; there are no functional code
> changes.
>
> Best regards,
> Bob
>
>
> On Tue, Apr 14, 2026 at 10:02 AM Tatsuo Ishii <ishii(at)postgresql(dot)org> wrote:
>
>> Hi Bob,
>>
>> > Hi Tatsuo,
>> >
>> > Please let me know if you need any assistance with updating your test
>> > cases. I am be happy to help.
>> >
>> > Thanks,
>> > Bob
>>
>> Sorry for late. I was busy with personal affairs and some other
>> projects.
>>
>> > On Thu, Apr 2, 2026 at 9:57 PM Bob Ross <bob(dot)ross(dot)19821(at)gmail(dot)com>
>> wrote:
>> >
>> >> Hi Tatsuo,
>> >>
>> >> Thanks for putting together the regression tests.
>> >>
>> >> Thoughts on your questions:
>> >> - CA Certificates - Yes, adding a cert auth test is highly recommended.
>> We
>> >> could test this by generating two different dummy CA certificates. Start
>> >> pgpool trusting CA #1, swap the config to CA #2, reload and verify if
>> >> client connection correctly gets rejected.
>>
>> If you could extend the test file I posted so that it performs a cert
>> auth test, that would be helpful.
>>
>> >> - DH parameters - perhaps we can test this by providing a non-existent
>> >> file path and then use grep to check pgpool.log for specific warning
>> >> message (per pool_ssl.c it’s “DH: could not load DH parameters”) when
>> >> pgpool tries to load the file.
>>
>> I think it will not work.
>>
>> ===================================================================
>> static bool
>> initialize_dh(SSL_CTX *context)
>> {
>> DH *dh = NULL;
>>
>> SSL_CTX_set_options(context, SSL_OP_SINGLE_DH_USE);
>>
>> if (pool_config->ssl_dh_params_file[0])
>> dh = load_dh_file(pool_config->ssl_dh_params_file);
>> if (!dh)
>> dh = load_dh_buffer(FILE_DH2048, sizeof(FILE_DH2048));
>> if (!dh)
>> {
>> ereport(WARNING,
>> (errmsg("DH: could not load DH
>> parameters")));
>> return false;
>> }
>> :
>> :
>> ===================================================================
>>
>> The ereport message is printed when the built-in DH parameter file is
>> broken. But as long as the source file is fine, it would never happen.
>>
>> Maybe we should fix the code above so that it emits ereport when it
>> fails to load the DH parameter file specified by ssl_dh_params_file?
>>
>> Regards,
>> --
>> Tatsuo Ishii
>> SRA OSS K.K.
>> English: http://www.sraoss.co.jp/index_en/
>> Japanese:http://www.sraoss.co.jp
>>