| From: | Bob Ross <bob(dot)ross(dot)19821(at)gmail(dot)com> |
|---|---|
| To: | Tatsuo Ishii <ishii(at)postgresql(dot)org> |
| Cc: | "pgpool-hackers(at)lists(dot)postgresql(dot)org" <pgpool-hackers(at)lists(dot)postgresql(dot)org> |
| Subject: | Rotate SSL certificates on reload (SIGHUP) without restart |
| Date: | 2026-04-02 19:57:11 |
| Message-ID: | CAHtZvrfTR=1vbry_HBg5rmWgO1O22ryjqt9tvNd5oT7NjX-vEA@mail.gmail.com |
| Lists: | pgpool-hackers |

Hi Tatsuo,

Thanks for putting together the regression tests.

Thoughts on your questions:

- CA Certificates - Yes, adding a cert auth test is highly recommended. We
  could test this by generating two different dummy CA certificates. Start
  pgpool trusting CA #1, swap the config to CA #2, reload and verify that
  the client connection correctly gets rejected.
- DH parameters - perhaps we can test this by providing a non-existent file
  path and then using grep to check pgpool.log for the specific warning message
  (per pool_ssl.c it’s “DH: could not load DH parameters”) when pgpool tries
  to load the file.

Regards,
Bob

On Wednesday, April 1, 2026, Tatsuo Ishii <ishii(at)postgresql(dot)org> wrote:
> Hi Bob,
>
> > Hi Tatsuo,
> >
> > Thanks for double-checking! Please feel free to go ahead and write the
> > regression tests if you're up for it. I'd really appreciate the help.
>
> I have written the first version of the regression test. This test
> performs:
>
> 1. Set bad value (fixed string "bad_value") to a config param and
> restart pgpool so that SSL connection does not establish between
> client and pgpool.
>
> 2. Set good value to the config and reload pgpool so that SSL
> connection establishes.
>
> The test is run against:
> ssl_cert
> ssl_ciphers
> ssl_crl_file
> ssl_ecdh_curve
> ssl_key
>
> It does not test ssl_ca_cert and ssl_ca_cert_dir because the test is
> based on 023.ssl_connection which does not check cert auth. Should we
> test cert auth as well?
>
> Also this does not test the following:
>
> - ssl_dh_params_file
> If bad value is set to the parameter, it falls back to a builtin
> value. So it is not possible to set a bad value to the parameter.
> Do you have an idea to test this?
>
> - ssl_passphrase_command
> Our cert does not require a passphrase.
>
> - ssl_prefer_server_ciphers
> This only affects server side (backend) ciphers. The test only tests
> SSL connection between client and pgpool.
>
> Attached is the v1 patch including your patch (I have removed "-----"
> from your commit message. Otherwise the commit message cuts in the
> middle) and the test script.
> What do you think?
>
> Regards,
> --
> Tatsuo Ishii
> SRA OSS K.K.
> English: http://www.sraoss.co.jp/index_en/
> Japanese: http://www.sraoss.co.jp
>
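
The log check proposed above for ssl_dh_params_file, as an added example (not part of the original message and not pgpool's own test code): since a bad value falls back to built-in parameters and the connection still succeeds, the warning in pgpool.log is the only signal, and the check has to look only at what was written after the reload so that a stale warning from an earlier start does not pass the test. The helper names are hypothetical, and the warning text is the one quoted in the message.

```shell
#!/bin/sh
# Added example, not pgpool's test code. Helper names are hypothetical.
# Warning text as quoted in the message above (attributed there to pool_ssl.c).
DH_WARNING='DH: could not load DH parameters'

# log_mark LOG
# Print the current size of LOG in bytes (0 if it does not exist yet).
# Call this just before the reload to remember where "new" output starts.
log_mark() {
    if [ -f "$1" ]; then wc -c < "$1" | tr -d ' '; else echo 0; fi
}

# dh_fallback_logged LOG MARK [TIMEOUT_SECONDS]
# Succeed if the warning appears in the part of LOG written after MARK.
# Polls once per second up to the timeout, because the reload is
# asynchronous and the log line may arrive late.
# Variables are prefixed: POSIX sh has no "local", so plain names would
# clobber the caller's variables.
dh_fallback_logged() {
    _dh_log=$1; _dh_mark=$2; _dh_timeout=${3:-5}; _dh_waited=0
    while :; do
        if [ -f "$_dh_log" ] &&
           tail -c "+$((_dh_mark + 1))" "$_dh_log" |
               grep -F -q -- "$DH_WARNING"; then
            return 0
        fi
        [ "$_dh_waited" -ge "$_dh_timeout" ] && return 1
        sleep 1
        _dh_waited=$((_dh_waited + 1))
    done
}

# Intended use in a test script (config edit and reload left to the harness):
#   mark=$(log_mark pgpool.log)
#   ... point ssl_dh_params_file at a non-existent path, reload pgpool ...
#   dh_fallback_logged pgpool.log "$mark" 10 || exit 1
```
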