Re: Rotate SSL certificates on reload (SIGHUP) without restart

From: Bob Ross <bob(dot)ross(dot)19821(at)gmail(dot)com>
To: Tatsuo Ishii <ishii(at)postgresql(dot)org>
Cc: "pgpool-hackers(at)lists(dot)postgresql(dot)org" <pgpool-hackers(at)lists(dot)postgresql(dot)org>
Subject: Re: Rotate SSL certificates on reload (SIGHUP) without restart
Date: 2026-04-13 07:28:40
Message-ID: CAHtZvrcnFHgLatJQrsGH0-Tupb4vY+dZ3jiBcK5uRgJ1AbGEAg@mail.gmail.com
Lists: pgpool-hackers

Hi Tatsuo,

Please let me know if you need any assistance with updating your test
cases. I am happy to help.

Thanks,
Bob

On Thu, Apr 2, 2026 at 9:57 PM Bob Ross <bob(dot)ross(dot)19821(at)gmail(dot)com> wrote:

> Hi Tatsuo,
>
> Thanks for putting together the regression tests.
>
> Thoughts on your questions:
> - CA Certificates - Yes, adding a cert auth test is highly recommended. We
> could test this by generating two different dummy CA certificates. Start
> pgpool trusting CA #1, swap the config to CA #2, reload and verify if
> client connection correctly gets rejected.
> - DH parameters - perhaps we can test this by providing a non-existent
> file path and then use grep to check pgpool.log for specific warning
> message (per pool_ssl.c it’s “DH: could not load DH parameters”) when
> pgpool tries to load the file.
>
> Regards,
> Bob
>
>
> On Wednesday, April 1, 2026, Tatsuo Ishii <ishii(at)postgresql(dot)org> wrote:
>
>> Hi Bob,
>>
>> > Hi Tatsuo,
>> >
>> > Thanks for double-checking! Please feel free to go ahead and write the
>> > regression tests if you're up for it. I'd really appreciate the help.
>>
>> I have written the first version of the regression test. This test
>> performs:
>>
>> 1. Set bad value (fixed string "bad_value") to a config param and
>> restart pgpool so that SSL connection does not establish between
>> client and pgpool.
>>
>> 2. Set good value to the config and reload pgpool so that SSL
>> connection establishes.
>>
>> The test is run against:
>> ssl_cert
>> ssl_ciphers
>> ssl_crl_file
>> ssl_ecdh_curve
>> ssl_key
>>
>> It does not test ssl_ca_cert and ssl_ca_cert_dir because the test is
>> based on 023.ssl_connection which does not check cert auth. Should we
>> test cert auth as well?
>>
>> Also this does not test the following:
>>
>> - ssl_dh_params_file
>> If bad value is set to the parameter, it falls back to a builtin
>> value. So it is not possible to set a bad value to the parameter.
>> Do you have an idea to test this?
>>
>> - ssl_passphrase_command
>> Our cert does not require a passphrase.
>>
>> - ssl_prefer_server_ciphers
>> This only affects server side (backend) ciphers. The test only tests
>> SSL connection between client and pgpool.
>>
>> Attached is the v1 patch including your patch (I have removed "-----"
>> from your commit message. Otherwise the commit message cuts in the
>> middle) and the test script.
>> What do you think?
>>
>> Regards,
>> --
>> Tatsuo Ishii
>> SRA OSS K.K.
>> English: http://www.sraoss.co.jp/index_en/
>> Japanese:http://www.sraoss.co.jp
>>
>
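
The trust decision behind the two-CA test proposed in this thread, and the log grep proposed for ssl_dh_params_file, as an added example that is not part of the original messages or of the pgpool test suite. It assumes the openssl CLI is installed; the CA names, the client CN and the sample log line are constructed, only the warning text is taken from the thread, and no pgpool process is started.

```shell
#!/bin/sh
# Added example: constructed dummy CAs and log line; pgpool itself is not run.
set -eu

# make_ca NAME: self-signed dummy CA written to NAME.key / NAME.crt
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Dummy $1" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# issue_client CA NAME: client certificate NAME.crt signed by CA
issue_client() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null
    openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
        -CAcreateserial -days 1 -out "$2.crt" 2>/dev/null
}

# trusted_by CA CERT: succeeds only if CERT.crt chains to CA.crt
trusted_by() {
    openssl verify -CAfile "$1.crt" "$2.crt" 2>/dev/null | grep -q ': OK$'
}

# dh_warning_logged LOGFILE: succeeds if the DH fallback warning is present
dh_warning_logged() {
    grep -q 'DH: could not load DH parameters' "$1"
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
cd "$workdir"

make_ca ca1
make_ca ca2
issue_client ca1 client

# Trusting CA #1 accepts the client; after the swap to CA #2 it must be rejected.
trusted_by ca1 client && echo "trusting ca1: client certificate accepted"
trusted_by ca2 client || echo "trusting ca2: client certificate rejected"

# Constructed log line; only the message text comes from the thread.
printf '%s\n' 'WARNING: DH: could not load DH parameters' > pgpool.log
dh_warning_logged pgpool.log && echo "DH fallback warning found in log"
```

In a regression test, ca1.crt and ca2.crt would be the two values the CA certificate parameter is switched between around the reload, and client.crt the certificate the test client presents.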
