
[PATCH] Reload SSL certificates on SIGHUP

From: Andreas Karlsson <andreas(at)proxel(dot)se>
To: PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: [PATCH] Reload SSL certificates on SIGHUP
Date: 2015-05-31 02:14:34
Message-ID: 556A6E8A.9030400@proxel.se
Lists: pgsql-hackers
Hi,

I have written a patch which makes it possible to change SSL 
certificates (and other SSL parameters, including the CRL) without 
restarting PostgreSQL. In fact this patch also makes it possible to turn 
on or off ssl entirely without restart. It does so by initializing a new 
SSL context when the postmaster receives a SIGHUP, and if the 
initialization succeeded the old context is replaced by the new.

There was some previous discussion[1] on the mailing list about what the 
proper context should be for the SSL parameters, but as far as I can 
tell the discussion never reached a conclusion. I have changed the SSL 
GUCs to PGC_SIGHUP since I felt that was the closest to the truth, but it 
is not a perfect fit (the backends won't reload the SSL context). Should 
we add a new context for the SSL GUCs?

Notes

1. http://www.postgresql.org/message-id/flat/CAAS3tyLJcv-m0CqfMrrxUjwa9_FKscKuAKT9_L41wNuJZywM2Q(at)mail(dot)gmail(dot)com#CAAS3tyLJcv-m0CqfMrrxUjwa9_FKscKuAKT9_L41wNuJZywM2Q@mail.gmail.com

Andreas

Attachment: reload-ssl-v01.patch
Description: text/x-patch (19.2 KB)
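
The build-then-swap behaviour described in the message, as an added example that is not part of the original post or of the attached patch: it uses Python's ssl module instead of PostgreSQL's C/OpenSSL code, and the TLSReloader class and the settings dictionary are hypothetical (its keys borrow the names of PostgreSQL's SSL settings). A failed reload keeps the previous context, and connections that are already established keep the context they were created with.

```python
import signal
import ssl


class TLSReloader:
    """Holds the live server-side TLS context and replaces it only on success."""

    def __init__(self):
        self.context = None            # None means TLS is turned off
        self.reload_requested = False

    def on_sighup(self, signum, frame):
        # The handler only records the request; the main loop does the work.
        self.reload_requested = True

    def build_context(self, settings):
        """Build a complete new context, or raise without touching the live one."""
        if not settings.get("ssl"):
            return None
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.load_cert_chain(settings["ssl_cert_file"], settings["ssl_key_file"])
        if settings.get("ssl_crl_file"):
            # CRLs are loaded like CA files and need the CRL check flag to be used.
            ctx.load_verify_locations(cafile=settings["ssl_crl_file"])
            ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
        return ctx

    def reload(self, settings):
        """Return True if the live context was replaced, False if the old one was kept."""
        self.reload_requested = False
        try:
            new_ctx = self.build_context(settings)
        except (ssl.SSLError, OSError, KeyError) as exc:
            print(f"TLS reload failed, keeping previous context: {exc}")
            return False
        # Single assignment: new connections see the old or the new context,
        # never a half-initialized one.
        self.context = new_ctx
        return True


if __name__ == "__main__":
    import os
    reloader = TLSReloader()
    signal.signal(signal.SIGHUP, reloader.on_sighup)
    os.kill(os.getpid(), signal.SIGHUP)    # constructed trigger for the demo
    if reloader.reload_requested:
        print("replaced:", reloader.reload({"ssl": False}))
```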
