| From: | Bob Ross <bob(dot)ross(dot)19821(at)gmail(dot)com> |
|---|---|
| To: | Tatsuo Ishii <ishii(at)postgresql(dot)org> |
| Cc: | pgpool-hackers(at)lists(dot)postgresql(dot)org |
| Subject: | Re: Rotate SSL certificates on reload (SIGHUP) without restart |
| Date: | 2026-04-15 06:36:06 |
| Message-ID: | CAHtZvrdhAbVSh2yhSwk0qeHmnL+Sr0LPvjrA+2inKF6WNh7azw@mail.gmail.com |
| Lists: | pgpool-hackers |

Hi Tatsuo,

Please see attached v2. It adds regression coverage for SSL cert reload
with client certificate authentication; there are no functional code
changes.

Best regards,
Bob

On Tue, Apr 14, 2026 at 10:02 AM Tatsuo Ishii <ishii(at)postgresql(dot)org> wrote:
> Hi Bob,
>
> > Hi Tatsuo,
> >
> > Please let me know if you need any assistance with updating your test
> > cases. I am happy to help.
> >
> > Thanks,
> > Bob
>
> Sorry for being late. I was busy with personal affairs and some other
> projects.
>
> > On Thu, Apr 2, 2026 at 9:57 PM Bob Ross <bob(dot)ross(dot)19821(at)gmail(dot)com> wrote:
> >
> >> Hi Tatsuo,
> >>
> >> Thanks for putting together the regression tests.
> >>
> >> Thoughts on your questions:
> >> - CA Certificates - Yes, adding a cert auth test is highly recommended. We
> >> could test this by generating two different dummy CA certificates. Start
> >> pgpool trusting CA #1, swap the config to CA #2, reload and verify if
> >> client connection correctly gets rejected.
>
> If you could extend the test file I posted so that it performs a cert
> auth test, that would be helpful.
>
> >> - DH parameters - perhaps we can test this by providing a non-existent
> >> file path and then use grep to check pgpool.log for specific warning
> >> message (per pool_ssl.c it’s “DH: could not load DH parameters”) when
> >> pgpool tries to load the file.
>
> I think it will not work.
>
> ===================================================================
> static bool
> initialize_dh(SSL_CTX *context)
> {
>     DH *dh = NULL;
>
>     SSL_CTX_set_options(context, SSL_OP_SINGLE_DH_USE);
>
>     if (pool_config->ssl_dh_params_file[0])
>         dh = load_dh_file(pool_config->ssl_dh_params_file);
>     if (!dh)
>         dh = load_dh_buffer(FILE_DH2048, sizeof(FILE_DH2048));
>     if (!dh)
>     {
>         ereport(WARNING,
>                 (errmsg("DH: could not load DH parameters")));
>         return false;
>     }
>     :
>     :
> ===================================================================
>
> The ereport message is printed when the built-in DH parameter file is
> broken. But as long as the source file is fine, it would never happen.
>
> Maybe we should fix the code above so that it emits ereport when it
> fails to load the DH parameter file specified by ssl_dh_params_file?
>
> Regards,
> --
> Tatsuo Ishii
> SRA OSS K.K.
> English: http://www.sraoss.co.jp/index_en/
> Japanese:http://www.sraoss.co.jp
>
| Attachment | Content-Type | Size |
|---|---|---|
| v2-0001-Feature-reload-SSL-certificates-on-SIGHUP-without.patch | application/octet-stream | 26.9 KB |
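
The fixture half of the CA-swap test proposed in the quoted discussion, as an added example that is not part of this message or of the attached patch: it builds two dummy CAs and a client certificate signed by the first, then confirms with `openssl verify` that the certificate chains to CA #1 and not to CA #2. The pgpool side of the test (swapping the trusted CA, reloading, expecting rejection) is not shown; the function names, file names and the user name `testuser` are constructed for illustration.

```shell
#!/bin/sh
# Added example: certificate fixtures for a CA-swap reload test.
# All file names and subject names below are constructed.

# make_ca DIR NAME: create a self-signed dummy CA (NAME.key / NAME.crt).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=dummy $2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# make_client DIR CA USER: client key and certificate for USER, signed by CA.
make_client() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/client.csr" -days 1 \
        -CA "$1/$2.crt" -CAkey "$1/$2.key" -CAcreateserial \
        -out "$1/client.crt" 2>/dev/null
}

# trusted_by DIR CA: succeeds only if client.crt chains to CA.
trusted_by() {
    openssl verify -CAfile "$1/$2.crt" "$1/client.crt" >/dev/null 2>&1
}

# ca_swap_precheck: print "ok" when the fixtures behave as the test needs,
# i.e. the client certificate is accepted under CA #1 and rejected under
# CA #2. Without this, a later "connection rejected" result could come
# from a broken fixture rather than from the reloaded trust store.
ca_swap_precheck() {
    dir=$(mktemp -d) || return 1
    result=fail
    if make_ca "$dir" ca1 && make_ca "$dir" ca2 &&
       make_client "$dir" ca1 testuser &&
       trusted_by "$dir" ca1 && ! trusted_by "$dir" ca2; then
        result=ok
    fi
    rm -rf "$dir"
    echo "$result"
}

ca_swap_precheck
```
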