[PATCH] Reload SSL certificates on SIGHUP

From: Andreas Karlsson <andreas(at)proxel(dot)se>
To: PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: [PATCH] Reload SSL certificates on SIGHUP
Date: 2015-05-31 02:14:34
Message-ID: 556A6E8A.9030400@proxel.se
Lists: pgsql-hackers

Hi,

I have written a patch which makes it possible to change SSL
certificates (and other SSL parameters, including the CRL) without
restarting PostgreSQL. In fact this patch also makes it possible to turn
on or off ssl entirely without restart. It does so by initializing a new
SSL context when the postmaster receives a SIGHUP, and if the
initialization succeeded the old context is replaced by the new.

There was some previous discussion[1] on the mailing list about what the
proper context should be for the SSL parameters, but as far as I can
tell the discussion never reached a conclusion. I have changed the SSL
GUCs to PGC_SIGHUP since I felt that was the closest to the truth, but it
is not a perfect fit (the backends won't reload the SSL context). Should
we add a new context for the SSL GUCs?

Notes

1. http://www.postgresql.org/message-id/flat/CAAS3tyLJcv-m0CqfMrrxUjwa9_FKscKuAKT9_L41wNuJZywM2Q(at)mail(dot)gmail(dot)com#CAAS3tyLJcv-m0CqfMrrxUjwa9_FKscKuAKT9_L41wNuJZywM2Q@mail.gmail.com

Andreas

Attachment Content-Type Size
reload-ssl-v01.patch text/x-patch 19.2 KB
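
The build-then-swap reload described in the message above, as an added Python example using the standard `ssl` module; it is not code from the patch or from PostgreSQL. The class name and the configuration keys (`TLSReloader`, `ssl`, `cert_file`, `key_file`, `ca_file`, `crl_file`) are hypothetical.

```python
import signal
import ssl


class TLSReloader:
    """Hypothetical holder of the live TLS context (not PostgreSQL code)."""

    def __init__(self):
        self.context = None          # None means TLS is turned off
        self.reload_pending = False  # set by the signal handler

    def build(self, cfg):
        """Build a fresh context from cfg, raising on any bad input."""
        if not cfg.get("ssl"):
            return None
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.load_cert_chain(cfg["cert_file"], cfg["key_file"])
        if cfg.get("ca_file"):
            # Client-certificate verification against the configured CA.
            ctx.load_verify_locations(cafile=cfg["ca_file"])
            ctx.verify_mode = ssl.CERT_OPTIONAL
            if cfg.get("crl_file"):
                ctx.load_verify_locations(cafile=cfg["crl_file"])
                ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
        return ctx

    def reload(self, cfg):
        """Replace the live context only if the new one initialized."""
        try:
            new_ctx = self.build(cfg)
        except (OSError, ValueError, KeyError) as exc:
            print(f"TLS reload failed, keeping old context: {exc}")
            return False
        self.context = new_ctx
        return True

    def install_sighup(self):
        """Handler only sets a flag; the accept loop does the reload."""
        def on_hup(signum, frame):
            self.reload_pending = True
        signal.signal(signal.SIGHUP, on_hup)

    def context_for_new_connection(self, load_cfg):
        """Called by the accept loop before wrapping each new socket."""
        if self.reload_pending:
            self.reload_pending = False
            self.reload(load_cfg())
        return self.context
```

Sockets that were already wrapped keep the context they were created with, so only connections accepted after a successful reload see the new certificate, CRL or on/off setting.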
