From c97fc6e9d4acb3f5071e473db3b34577f2498d59 Mon Sep 17 00:00:00 2001 
From: Tatsuo Ishii Date: Wed, 1 Apr 2026 16:43:42 +0900 Subject: [PATCH v1] Feature: reload SSL certificates on SIGHUP without restart MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Allow Pgpool-II to pick up rotated TLS certificates (and any change to SSL-related configuration) when receiving SIGHUP (i.e. systemctl reload pgpool2), matching the behavior PostgreSQL has had since PostgreSQL 12. Problem: All SSL configuration parameters (ssl_cert, ssl_key, ssl_ca_cert, ssl_ciphers, etc.) were declared CFGCXT_INIT, meaning they were silently ignored when pool_get_config() was called under CFGCXT_RELOAD. Furthermore, SSL_ServerSide_init() was only called once at startup in main.c and never again, so the in-memory SSL_CTX was never refreshed. Fix: 1. src/main/pgpool_main.c - Include utils/pool_ssl.h. - In reload_config(), call SSL_ServerSide_init() (guarded by #ifdef USE_SSL) *before* kill_all_children(SIGHUP). The function already replaces SSL_frontend_context atomically: it frees the old SSL_CTX only after a new one has been created successfully, so a failed reload leaves the existing context intact. 2. src/protocol/child.c - In check_config_reload(), call SSL_ServerSide_init() (guarded by #ifdef USE_SSL) so each worker child also refreshes its own copy of the SSL context for subsequent new connections. In-flight TLS sessions are unaffected because they hold a direct reference to the SSL object, not to SSL_frontend_context. 3. src/config/pool_config_variables.c - Change CFGCXT_INIT -> CFGCXT_RELOAD for: ssl_prefer_server_ciphers, ssl_cert, ssl_key, ssl_ca_cert, ssl_ca_cert_dir, ssl_crl_file, ssl_ciphers, ssl_ecdh_curve, ssl_dh_params_file, ssl_passphrase_command. - The 'ssl' boolean (master enable flag) is intentionally left as CFGCXT_INIT because dynamically enabling SSL at runtime is a larger, separate concern. 
Usage after this change: Standard in-place certificate rotation (cert-manager, ACME, manual openssl refresh at the same path): # replace /etc/pgpool/server.{crt,key} with new files systemctl reload pgpool2 # or: pgpool -f /etc/pgpool/pgpool.conf reload New connections will use the new certificates after workers process the reload signal. Existing connections are not interrupted. Switching to a different certificate path also works: update pgpool.conf then reload — the new paths are now accepted in CFGCXT_RELOAD context. Author: Bob Ross Reviewed-by: Tatsuo Ishii Discussion: https://www.postgresql.org/message-id/flat/CAHtZvrddqfbnERYY_DqgURWCjuXeTjM0y08k-ZP_B0bAHYx2ag%40mail.gmail.com
---
src/config/pool_config_variables.c | 20 +-
src/main/pgpool_main.c | 17 ++
src/protocol/child.c | 11 +
.../regression/tests/042.ssl_reload/README | 6 +
.../tests/042.ssl_reload/server.crt | 79 ++++++++
.../tests/042.ssl_reload/server.key | 27 +++
.../tests/042.ssl_reload/server.req | 61 ++++++
.../regression/tests/042.ssl_reload/test.sh | 189 ++++++++++++++++++
8 files changed, 400 insertions(+), 10 deletions(-)
create mode 100644 src/test/regression/tests/042.ssl_reload/README
create mode 100644 src/test/regression/tests/042.ssl_reload/server.crt
create mode 100644 src/test/regression/tests/042.ssl_reload/server.key
create mode 100644 src/test/regression/tests/042.ssl_reload/server.req
create mode 100755 src/test/regression/tests/042.ssl_reload/test.sh
diff --git a/src/config/pool_config_variables.c b/src/config/pool_config_variables.c
index ce13c42f6..ca40c341a 100644
--- a/src/config/pool_config_variables.c
+++ b/src/config/pool_config_variables.c
@@ -705,7 +705,7 @@ static struct config_bool ConfigureNamesBool[] = }, {
- {"ssl_prefer_server_ciphers", CFGCXT_INIT, SSL_CONFIG,
+ {"ssl_prefer_server_ciphers", CFGCXT_RELOAD, SSL_CONFIG,
 "Use server's SSL cipher preferences, rather than the client's", CONFIG_VAR_TYPE_BOOL, false, 0 },
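Review bot: Turning ssl_prefer_server_ciphers into a CFGCXT_RELOAD parameter — and likewise ssl_cert, ssl_key, ssl_ca_cert, ssl_ca_cert_dir, ssl_crl_file, ssl_ciphers, ssl_ecdh_curve, ssl_dh_params_file and ssl_passphrase_command in the following hunks — means a reload now accepts a value that SSL_ServerSide_init() may then fail to load, so, if the commit message's description of that function is accurate, the stored parameter value and the certificate actually being served can diverge until the next successful reload. Nothing in this table can prevent that, but the parameter documentation should say so, and anywhere else that still labels these parameters as requiring a restart (the sample configuration file and the manual, if they carry such a marker) needs the matching change in this commit. The test added later in the patch covers only ssl_cert, ssl_ciphers, ssl_crl_file, ssl_ecdh_curve and ssl_key, so the client-certificate side (ssl_ca_cert, ssl_ca_cert_dir) becomes reloadable here without any coverage.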
@@ -1271,7 +1271,7 @@ static struct config_string ConfigureNamesString[] = }, {
- {"ssl_cert", CFGCXT_INIT, SSL_CONFIG,
+ {"ssl_cert", CFGCXT_RELOAD, SSL_CONFIG,
 "SSL public certificate file.", CONFIG_VAR_TYPE_STRING, false, 0 },
@@ -1281,7 +1281,7 @@ static struct config_string ConfigureNamesString[] = }, {
- {"ssl_key", CFGCXT_INIT, SSL_CONFIG,
+ {"ssl_key", CFGCXT_RELOAD, SSL_CONFIG,
 "SSL private key file.", CONFIG_VAR_TYPE_STRING, false, 0 },
@@ -1291,7 +1291,7 @@ static struct config_string ConfigureNamesString[] = }, {
- {"ssl_ca_cert", CFGCXT_INIT, SSL_CONFIG,
+ {"ssl_ca_cert", CFGCXT_RELOAD, SSL_CONFIG,
 "Single PEM format file containing CA root certificate(s).", CONFIG_VAR_TYPE_STRING, false, 0 },
@@ -1301,7 +1301,7 @@ static struct config_string ConfigureNamesString[] = }, {
- {"ssl_ca_cert_dir", CFGCXT_INIT, SSL_CONFIG,
+ {"ssl_ca_cert_dir", CFGCXT_RELOAD, SSL_CONFIG,
 "Directory containing CA root certificate(s).", CONFIG_VAR_TYPE_STRING, false, 0 },
@@ -1311,7 +1311,7 @@ static struct config_string ConfigureNamesString[] = }, {
- {"ssl_crl_file", CFGCXT_INIT, SSL_CONFIG,
+ {"ssl_crl_file", CFGCXT_RELOAD, SSL_CONFIG,
 "SSL certificate revocation list file", CONFIG_VAR_TYPE_STRING, false, 0 },
@@ -1321,7 +1321,7 @@ static struct config_string ConfigureNamesString[] = }, {
- {"ssl_ciphers", CFGCXT_INIT, SSL_CONFIG,
+ {"ssl_ciphers", CFGCXT_RELOAD, SSL_CONFIG,
 "Allowed SSL ciphers.", CONFIG_VAR_TYPE_STRING, false, 0 },
@@ -1331,7 +1331,7 @@ static struct config_string ConfigureNamesString[] = }, {
- {"ssl_ecdh_curve", CFGCXT_INIT, SSL_CONFIG,
+ {"ssl_ecdh_curve", CFGCXT_RELOAD, SSL_CONFIG,
 "The curve to use in ECDH key exchange.", CONFIG_VAR_TYPE_STRING, false, 0 },
@@ -1341,7 +1341,7 @@ static struct config_string ConfigureNamesString[] = }, {
- {"ssl_dh_params_file", CFGCXT_INIT, SSL_CONFIG,
+ {"ssl_dh_params_file", CFGCXT_RELOAD, SSL_CONFIG,
 "Path to the Diffie-Hellman parameters contained file", CONFIG_VAR_TYPE_STRING, false, 0 },
@@ -1351,7 +1351,7 @@ static struct config_string ConfigureNamesString[] = }, {
- {"ssl_passphrase_command", CFGCXT_INIT, SSL_CONFIG,
+ {"ssl_passphrase_command", CFGCXT_RELOAD, SSL_CONFIG,
 "Path to the Diffie-Hellman parameters contained file", CONFIG_VAR_TYPE_STRING, false, 0 },
diff --git a/src/main/pgpool_main.c b/src/main/pgpool_main.c
index bf7c452e2..0a9c92826 100644
--- a/src/main/pgpool_main.c
+++ b/src/main/pgpool_main.c
@@ -61,6 +61,7 @@
 #include "watchdog/wd_lifecheck.h"
 #include "watchdog/watchdog.h"
 #include "pcp/pcp_worker.h"
+#include "utils/pool_ssl.h"
 #include
 /*
@@ -3489,6 +3490,22 @@ reload_config(void) if (pool_config->enable_pool_hba) load_hba(hba_file);
+#ifdef USE_SSL
+ /*
+ * If SSL is enabled, re-initialize the SSL context so that new
+ * connections pick up rotated certificates without requiring a restart.
+ * SSL_ServerSide_init() is safe to call repeatedly: it frees and replaces
+ * the existing SSL_CTX only on success, leaving the old context intact on
+ * failure.
+ */
+ if (pool_config->ssl)
+ {
+ ereport(LOG,
+ (errmsg("reload SSL certificates.")));
+ SSL_ServerSide_init();
+ }
+#endif /* USE_SSL */
+
 kill_all_children(SIGHUP); }
diff --git a/src/protocol/child.c b/src/protocol/child.c
index c34f05728..713bfe28f 100644
--- a/src/protocol/child.c
+++ b/src/protocol/child.c
@@ -1796,6 +1796,17 @@ check_config_reload(void) if (strcmp("", pool_config->pool_passwd)) pool_reopen_passwd_file();
+#ifdef USE_SSL
+ /*
+ * Re-initialize the frontend SSL context so this child process
+ * serves new connections with any rotated certificates without a
+ * restart. In-flight TLS sessions are unaffected; they hold a
+ * direct reference to the old SSL object.
+ */
+ if (pool_config->ssl)
+ SSL_ServerSide_init();
+#endif /* USE_SSL */
+
 got_sighup = 0; } }
diff --git a/src/test/regression/tests/042.ssl_reload/README b/src/test/regression/tests/042.ssl_reload/README
new file mode 100644
index 000000000..c73cf0bd3
--- /dev/null
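Review bot: The context line kept by this hunk still describes ssl_passphrase_command as `"Path to the Diffie-Hellman parameters contained file"`, which is ssl_dh_params_file's text; since the entry is being edited anyway, correct it here, e.g. `"Command to obtain the passphrase for the SSL private key"`. Making this parameter reloadable also changes when that command runs: if SSL_ServerSide_init() is what invokes it, the child.c hunk below means it is executed once per worker process on every SIGHUP, concurrently with the parent, instead of once at startup, so a command that prompts on a terminal or is rate-limited by a secrets store will work at start and fail on reload, leaving the old key in use. PostgreSQL covers this case with its separate ssl_passphrase_command_supports_reload setting; at minimum the documentation for this parameter should state that the command must run non-interactively and will be re-invoked by every process on reload.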
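Review bot: The `ereport(LOG, (errmsg("reload SSL certificates.")))` is issued before SSL_ServerSide_init() runs and nothing in the hunk reports the outcome, so after a rotation an operator cannot tell from the log whether the new files were loaded or the previous context was kept. If SSL_ServerSide_init() signals failure in a way the caller can observe (its return type is not visible in this diff), log that at WARNING together with the file being loaded; otherwise at least make the message describe an attempt, e.g. `(errmsg("reloading SSL context from ssl_cert \"%s\"", pool_config->ssl_cert))`, and rely on the function's own error reporting for the result. The comment's guarantee that the old SSL_CTX survives a failed reload lives in SSL_ServerSide_init(), which this patch does not touch, so a one-line note at that function (or a regression test for the failure path) is needed to keep the contract from silently changing. The `if (pool_config->ssl)` guard depends on ssl staying CFGCXT_INIT; a short comment, `/* ssl itself is init-only, so a reload can never turn TLS on or off here */`, records that dependency. reload_config() continues outside the hunk.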
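Review bot: Each worker re-creates its SSL context here on its own and without any log line, so when one child's SSL_ServerSide_init() fails (for example a SIGHUP that lands between the certificate and key files being replaced, or a replaced key whose permissions the child cannot read) that child keeps serving the old certificate while its siblings and newly forked children serve the new one, and the mixed state is invisible unless the function itself reports it. For consistency with the pgpool_main.c hunk, emit at least a DEBUG-level message around the call so the per-process result can be correlated in log/pgpool.log. The comment's claim that in-flight sessions are unaffected is plausible because OpenSSL keeps an SSL_CTX alive while SSL objects still reference it, but it depends on how SSL_ServerSide_init() disposes of the old context, which is not in this diff, so the comment should hedge it or point at the code that guarantees it. check_config_reload() starts outside the hunk.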
+++ b/src/test/regression/tests/042.ssl_reload/README
@@ -0,0 +1,6 @@
+The sample server.key and server.crt was created by using following commands:
+
+openssl req -new -text -out server.req
+openssl rsa -in privkey.pem -out server.key
+rm privkey.pem
+openssl req -x509 -days 3650 -in server.req -text -key server.key -out server.crt
diff --git a/src/test/regression/tests/042.ssl_reload/server.crt b/src/test/regression/tests/042.ssl_reload/server.crt
new file mode 100644
index 000000000..90d5e08e7
--- /dev/null
+++ b/src/test/regression/tests/042.ssl_reload/server.crt
@@ -0,0 +1,79 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + f4:86:4a:aa:50:42:63:dc + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd + Validity + Not Before: Aug 29 02:52:36 2018 GMT + Not After : Aug 26 02:52:36 2028 GMT + Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:f4:e3:30:f0:09:e2:43:0e:a1:67:2e:3b:ef:b5: + 88:1e:4e:a9:06:fa:f2:94:8b:fa:4f:0a:9f:e0:57: + 45:95:2c:c1:18:1d:21:6d:c8:5c:2a:05:94:0b:c6: + 49:c5:97:88:ac:88:ba:73:fb:81:28:eb:e1:cd:7f: + 9d:fb:e0:c5:0d:ef:35:cc:12:b8:74:0b:a1:e9:65: + d4:19:38:9b:a8:e1:c5:ef:d5:f1:9c:cf:8a:de:bf: + fa:d7:6c:f9:d7:85:10:db:9f:e9:03:e9:7e:f1:81: + de:9d:f3:b3:a3:6f:19:31:c8:bb:31:c0:e7:7d:ea: + 6b:02:98:21:7c:c2:f5:9d:0d:7c:85:2b:5d:81:7c: + 71:74:42:89:ab:5c:31:ac:19:fd:c2:0b:fb:e5:c2: + b2:54:15:64:40:9c:bf:ed:d2:b1:bb:75:f9:e9:d8: + 67:b3:4e:63:c4:3e:f4:8a:2c:87:50:27:dd:22:97: + f1:f7:26:49:87:03:55:08:a4:d2:44:21:e1:9a:33: + 82:96:09:b3:08:65:bc:a8:3a:f4:64:f3:60:62:d0: + 98:d9:82:0c:1b:be:b6:9c:22:e8:7f:e6:eb:20:d9: + 71:67:2c:d5:14:83:aa:f1:37:75:98:4c:68:1d:95: + fe:1f:ec:cb:9b:17:9c:f4:92:22:da:bb:78:46:f3: + de:7d + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Subject Key Identifier: + 68:ED:A7:FE:1E:36:26:18:80:2B:C6:A2:07:23:1C:A4:00:57:16:68 + X509v3 Authority Key Identifier: + keyid:68:ED:A7:FE:1E:36:26:18:80:2B:C6:A2:07:23:1C:A4:00:57:16:68 + + X509v3 Basic Constraints: critical + CA:TRUE + Signature Algorithm: sha256WithRSAEncryption + dd:61:62:83:6e:fa:e8:8a:1b:02:c6:9f:7f:f3:52:f8:04:5c: + c9:35:f9:4c:1d:4f:0f:9f:6c:a2:18:95:f0:76:93:e5:99:58: + 4a:88:7a:54:68:cf:28:64:8e:01:3f:fb:7e:28:6f:ad:c6:08: + a2:09:77:4c:13:4b:1d:68:70:38:91:d4:dc:f7:c3:c8:81:36: + 48:b9:01:46:f9:fa:e8:f7:ba:fe:23:4c:e3:27:a9:58:2d:a6: + 3d:88:ac:b8:71:9b:84:ec:bd:82:c4:45:1d:ba:77:ed:73:54: + 
a9:16:76:80:40:0b:80:42:47:60:84:cf:41:e0:0f:8e:85:d3: + 28:36:fb:f6:8c:f8:c6:20:b3:c4:06:cc:2d:6d:37:78:b4:d5: + 4d:14:db:f0:04:56:66:d8:5a:cc:ff:bd:0c:19:6d:39:bf:26: + ac:17:0c:91:a4:68:4b:bc:86:4f:0a:10:81:b5:ac:1e:a6:78: + b1:7f:e9:f3:9e:1b:32:92:b2:8f:f7:e2:a3:ae:44:e2:99:b0: + 04:0a:15:eb:7a:37:10:b2:7b:ef:35:6c:a5:db:13:96:42:e9: + 22:3c:72:6a:34:16:0d:b5:2c:49:f3:83:c7:ff:da:ec:57:14: + ab:0d:8d:76:8f:f0:a2:21:4f:88:54:bc:2f:c6:b9:7b:8c:da: + 42:9a:b1:12 +-----BEGIN CERTIFICATE----- +MIIDYDCCAkigAwIBAgIJAPSGSqpQQmPcMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV +BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX +aWRnaXRzIFB0eSBMdGQwHhcNMTgwODI5MDI1MjM2WhcNMjgwODI2MDI1MjM2WjBF +MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50 +ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +CgKCAQEA9OMw8AniQw6hZy4777WIHk6pBvrylIv6Twqf4FdFlSzBGB0hbchcKgWU +C8ZJxZeIrIi6c/uBKOvhzX+d++DFDe81zBK4dAuh6WXUGTibqOHF79XxnM+K3r/6 +12z514UQ25/pA+l+8YHenfOzo28ZMci7McDnfeprApghfML1nQ18hStdgXxxdEKJ +q1wxrBn9wgv75cKyVBVkQJy/7dKxu3X56dhns05jxD70iiyHUCfdIpfx9yZJhwNV +CKTSRCHhmjOClgmzCGW8qDr0ZPNgYtCY2YIMG762nCLof+brINlxZyzVFIOq8Td1 +mExoHZX+H+zLmxec9JIi2rt4RvPefQIDAQABo1MwUTAdBgNVHQ4EFgQUaO2n/h42 +JhiAK8aiByMcpABXFmgwHwYDVR0jBBgwFoAUaO2n/h42JhiAK8aiByMcpABXFmgw +DwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEA3WFig2766IobAsaf +f/NS+ARcyTX5TB1PD59sohiV8HaT5ZlYSoh6VGjPKGSOAT/7fihvrcYIogl3TBNL +HWhwOJHU3PfDyIE2SLkBRvn66Pe6/iNM4yepWC2mPYisuHGbhOy9gsRFHbp37XNU +qRZ2gEALgEJHYITPQeAPjoXTKDb79oz4xiCzxAbMLW03eLTVTRTb8ARWZthazP+9 +DBltOb8mrBcMkaRoS7yGTwoQgbWsHqZ4sX/p854bMpKyj/fio65E4pmwBAoV63o3 +ELJ77zVspdsTlkLpIjxyajQWDbUsSfODx//a7FcUqw2Ndo/woiFPiFS8L8a5e4za +QpqxEg== +-----END CERTIFICATE----- diff --git a/src/test/regression/tests/042.ssl_reload/server.key b/src/test/regression/tests/042.ssl_reload/server.key new file mode 100644 index 000000000..0ddd69303 --- /dev/null +++ b/src/test/regression/tests/042.ssl_reload/server.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpQIBAAKCAQEA9OMw8AniQw6hZy4777WIHk6pBvrylIv6Twqf4FdFlSzBGB0h +bchcKgWUC8ZJxZeIrIi6c/uBKOvhzX+d++DFDe81zBK4dAuh6WXUGTibqOHF79Xx +nM+K3r/612z514UQ25/pA+l+8YHenfOzo28ZMci7McDnfeprApghfML1nQ18hStd +gXxxdEKJq1wxrBn9wgv75cKyVBVkQJy/7dKxu3X56dhns05jxD70iiyHUCfdIpfx +9yZJhwNVCKTSRCHhmjOClgmzCGW8qDr0ZPNgYtCY2YIMG762nCLof+brINlxZyzV +FIOq8Td1mExoHZX+H+zLmxec9JIi2rt4RvPefQIDAQABAoIBAD6EfaraKxxJcOUh +hYWlx3FNTZONnz5TGfzxzmz8erQhr84TKcSYIQdNU0VKQu0hyW+anFcdvxSOW6AV +02RJNqVfC1Hk+ZgOnDA0odgqfnq34MtgyATrax2Az24N0R63Rt16zocEJjdLm2Sh +oZu4sirmfvutrquTm+wWoH30W7XTCrd17thq8+5VBumXLW4sr40PWXcfPC1Od7JH +utYZ0lGxr89fhuPpnpLw7V67EdslwmYl8avhzrUlzkXPqufZ33XdWFi/IXoNjMZ2 +MFgZFNKHv682nqjrrodyn4iXEzMSj4z4QLTNxoH79HWvCb2HjUpEWTNrfdu3LNCZ +FahqHmECgYEA/5MmEEB2GNlhaMP+NMK/3x9RCfDfleqEdExf0KA6TuISNYUgeEeB +dfczCN8WtxyDMor6fvwINxEAHX64/CompE/ya+Z25VdBQMcLpNVGS01aDdrqWN5B +4qG8OyK3+eAjCnvyCzWsvvpK1I5u65q6+Q+Cw1wQaxYzhsZkEazQ0OkCgYEA9Ut9 +m74RMGudjkvJK7JIPLDLGEsko+yrh8IuoGn/wLpUJwmkZFQu8HRqdddMVjwQi4CN +IDScbvyH0uE2yN+gg/BB0eBIyhfrI3xl6FJIQBnI0/7wmb2U82OT0LS18h9n8dAK ++mONcR3zL7XDe8xy1qTS0jjd1QT1QS4YLGPCxHUCgYEAowftCgT00NkqaDhOWr24 +w84oVd0P44QcRkvJ+z2atGNGFln74n5KuUOdjJUy2lAX6Q/6xzJi0y3HEwmZW1JQ +IBTXobj8M0Q73eSbKuTZ2INZZOk3AMWW5ckiV97H2V//OlrihgARWCo1ve22GBk2 +GFaqpZB+8LDS4bCAeT3yXrECgYEA5rZ3USonLry5d2JOt5u7F+JNU+8xakErYMhC +ZLzuQY6/oewOxBLuB1nn3CiBc0aRZTSnCFiTnkxFUBJmHe9AIXiz37wtmm9+yWSy +0R27ORdHbiYGlQPcekP5fr7Jtw7VDHraKIHEQlWiKwix8dntVXe3luTHuRktuH2r +XO0D/xUCgYEAlQtXyGSl/taUjKyfvfxlFDtpOwBAwUj2CsNzeUd2/5aWkqUrtYz8 +JNCPgSLPKDhLpavH0vUEmftF3uDVPxvMQ4JG9MQ7meHgL7AZmtKdU0VI+Av9xiJe +d7A1x6o88gv1TqvGRit2qRxNOT0mzhDcXuR2EIQqUav45NyBokSo9xw= +-----END RSA PRIVATE KEY----- diff --git a/src/test/regression/tests/042.ssl_reload/server.req b/src/test/regression/tests/042.ssl_reload/server.req new file mode 100644 index 000000000..fdfd5235d --- /dev/null +++ b/src/test/regression/tests/042.ssl_reload/server.req 
@@ -0,0 +1,61 @@ +Certificate Request: + Data: + Version: 1 (0x0) + Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:f4:e3:30:f0:09:e2:43:0e:a1:67:2e:3b:ef:b5: + 88:1e:4e:a9:06:fa:f2:94:8b:fa:4f:0a:9f:e0:57: + 45:95:2c:c1:18:1d:21:6d:c8:5c:2a:05:94:0b:c6: + 49:c5:97:88:ac:88:ba:73:fb:81:28:eb:e1:cd:7f: + 9d:fb:e0:c5:0d:ef:35:cc:12:b8:74:0b:a1:e9:65: + d4:19:38:9b:a8:e1:c5:ef:d5:f1:9c:cf:8a:de:bf: + fa:d7:6c:f9:d7:85:10:db:9f:e9:03:e9:7e:f1:81: + de:9d:f3:b3:a3:6f:19:31:c8:bb:31:c0:e7:7d:ea: + 6b:02:98:21:7c:c2:f5:9d:0d:7c:85:2b:5d:81:7c: + 71:74:42:89:ab:5c:31:ac:19:fd:c2:0b:fb:e5:c2: + b2:54:15:64:40:9c:bf:ed:d2:b1:bb:75:f9:e9:d8: + 67:b3:4e:63:c4:3e:f4:8a:2c:87:50:27:dd:22:97: + f1:f7:26:49:87:03:55:08:a4:d2:44:21:e1:9a:33: + 82:96:09:b3:08:65:bc:a8:3a:f4:64:f3:60:62:d0: + 98:d9:82:0c:1b:be:b6:9c:22:e8:7f:e6:eb:20:d9: + 71:67:2c:d5:14:83:aa:f1:37:75:98:4c:68:1d:95: + fe:1f:ec:cb:9b:17:9c:f4:92:22:da:bb:78:46:f3: + de:7d + Exponent: 65537 (0x10001) + Attributes: + a0:00 + Signature Algorithm: sha256WithRSAEncryption + 7a:30:69:6c:aa:30:6f:f3:bc:dc:85:78:04:ef:f6:0c:b2:04: + e7:03:55:fd:4a:98:74:d6:fd:24:a1:e9:e8:3d:e3:a1:b0:dc: + 12:b9:1f:38:fe:9e:42:5a:0c:06:b8:0c:f6:65:0b:78:95:73: + 27:31:14:e5:4d:4f:e2:82:3f:52:24:45:ba:31:e7:87:b7:c8: + b9:8a:db:5f:5e:fd:1a:f2:6c:7d:d6:d1:1d:19:77:5e:10:51: + d3:24:7f:5a:7d:3f:eb:db:33:0b:27:97:72:b9:f0:ea:89:79: + ca:b7:23:7c:c0:8a:e9:11:30:45:99:09:58:da:08:86:28:32: + 21:c0:3f:2e:87:3e:a4:96:55:f1:65:72:4f:06:0b:b3:a1:97: + 7d:54:6c:0d:96:b4:41:11:6e:28:45:cb:16:d7:1e:70:1e:a8: + a2:4e:7f:65:8e:71:e9:05:e2:ad:cc:9a:79:1d:73:39:e8:f0: + e8:f3:75:ab:bf:9d:44:7b:b7:76:3f:0d:50:e0:9c:ef:2c:d5: + eb:c3:0d:4f:c1:77:af:56:7e:78:db:e8:a0:52:05:f6:49:89: + ab:c0:ff:d6:97:9d:9d:84:14:12:73:ee:31:1d:12:ad:e7:91: + 8d:ac:ff:ee:8d:18:07:be:c8:ec:57:9d:78:41:9c:1e:a1:75: + 2b:99:f7:70 +-----BEGIN CERTIFICATE 
REQUEST----- +MIICijCCAXICAQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx +ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBAPTjMPAJ4kMOoWcuO++1iB5OqQb68pSL+k8Kn+BX +RZUswRgdIW3IXCoFlAvGScWXiKyIunP7gSjr4c1/nfvgxQ3vNcwSuHQLoell1Bk4 +m6jhxe/V8ZzPit6/+tds+deFENuf6QPpfvGB3p3zs6NvGTHIuzHA533qawKYIXzC +9Z0NfIUrXYF8cXRCiatcMawZ/cIL++XCslQVZECcv+3Ssbt1+enYZ7NOY8Q+9Ios +h1An3SKX8fcmSYcDVQik0kQh4ZozgpYJswhlvKg69GTzYGLQmNmCDBu+tpwi6H/m +6yDZcWcs1RSDqvE3dZhMaB2V/h/sy5sXnPSSItq7eEbz3n0CAwEAAaAAMA0GCSqG +SIb3DQEBCwUAA4IBAQB6MGlsqjBv87zchXgE7/YMsgTnA1X9Sph01v0koenoPeOh +sNwSuR84/p5CWgwGuAz2ZQt4lXMnMRTlTU/igj9SJEW6MeeHt8i5ittfXv0a8mx9 +1tEdGXdeEFHTJH9afT/r2zMLJ5dyufDqiXnKtyN8wIrpETBFmQlY2giGKDIhwD8u +hz6kllXxZXJPBguzoZd9VGwNlrRBEW4oRcsW1x5wHqiiTn9ljnHpBeKtzJp5HXM5 +6PDo83Wrv51Ee7d2Pw1Q4JzvLNXrww1PwXevVn542+igUgX2SYmrwP/Wl52dhBQS +c+4xHRKt55GNrP/ujRgHvsjsV514QZweoXUrmfdw +-----END CERTIFICATE REQUEST----- diff --git a/src/test/regression/tests/042.ssl_reload/test.sh b/src/test/regression/tests/042.ssl_reload/test.sh new file mode 100755 index 000000000..302216878 --- /dev/null +++ b/src/test/regression/tests/042.ssl_reload/test.sh 
@@ -0,0 +1,189 @@
+#!/usr/bin/env bash
+#-------------------------------------------------------------------
+# test script for SSL connection upon reloading for: frontend <--> Pgpool-II and Pgpool-II and PostgreSQL.
+#
+source $TESTLIBS
+TESTDIR=testdir
+PSQL=$PGBIN/psql
+PG_CTL=$PGBIN/pg_ctl
+export PGDATABASE=test
+SSL_KEY=server.key
+SSL_CRT=server.crt
+
+#-------------------------------------------
+# Check psql output for \conninfo to see if SSL enabled
+#-------------------------------------------
+function check_ssl {
+ $PSQL -h localhost test < result
+\conninfo
+\q
+EOF
+
+ # PostgreSQL 18 or later prints tablular output for \conninfo.
+ # For SSL, "SSL Connection | true (or false)"
+ if [ $PGVERSION -ge 18 ];then
+ grep "SSL Connection" result|grep true
+ else
+ grep SSL result
+ fi
+}
+
+# ---------------------------------------------------------------
+# Test ssl configuration param.
+# params:
+# $1: configuration name. e.g. ssl_cert
+# $2: good value for the config
+#
+# This performs following tests:
+# 1. Set bad value to the config and restart pgpool to make sure SSL connection does not establish.
+# 2. Set good value to the config and reload to make sure SSL connection establishes.
+# If test fails, exit with status 1
+function test_ssl {
+ # set bad value
+ echo "$1 = 'bad_value'" >> etc/pgpool.conf
+ # restart pgpool
+ ./startall
+ wait_for_pgpool_startup
+ check_ssl
+ if [ $? = 0 ];then
+ echo "Checking SSL connection between frontend and Pgpool-II succeeded despite bad config value for $1"
+ ./shutdownall
+ exit 1
+ fi
+ echo "Checking SSL connection between frontend and Pgpool-II failed due to bad config value for $1 as expected."
+
+ # Make sure that SSL connection succeeds with good config value
+ echo "$1 = '$2'" >> etc/pgpool.conf
+ ./pgpool_reload
+ sleep 1
+ check_ssl
+ if [ $? = 0 ];then
+ echo "Checking SSL connection between frontend and Pgpool-II succeeded with good $1"
+ else
+ echo "Checking SSL connection between frontend and Pgpool-II failed with good $1"
+ ./shutdownall
+ exit 1
+ fi
+ ./shutdownall
+}
+
+# main script starts here
+rm -fr $TESTDIR
+mkdir $TESTDIR
+cd $TESTDIR
+
+# create test environment. Number of backend node is 1 is enough.
+echo -n "creating test environment..."
+$PGPOOL_SETUP -m s -n 1 || exit 1
+echo "done."
+
+# setup SSL key and crt file
+cp -p ../$SSL_KEY etc/
+chmod og-rwx etc/$SSL_KEY
+cp -p ../$SSL_CRT etc/
+cp -p ../$SSL_KEY data0/
+chmod og-rwx data0/$SSL_KEY
+cp -p ../$SSL_CRT data0/
+
+# enable SSL support
+dir=`pwd`
+
+echo "ssl = on" >> etc/pgpool.conf
+echo "ssl_key = '$SSL_KEY'" >> etc/pgpool.conf
+echo "ssl_cert = '$SSL_CRT'" >> etc/pgpool.conf
+echo "ssl_prefer_server_ciphers = on" >> etc/pgpool.conf
+echo "ssl_ciphers = 'EECDH:HIGH:MEDIUM:+3DES:!aNULL'" >> etc/pgpool.conf
+
+echo "ssl = on" >> data0/postgresql.conf
+echo "ssl_cert_file = '$SSL_CRT'" >> data0/postgresql.conf
+echo "ssl_key_file = '$SSL_KEY'" >> data0/postgresql.conf
+
+# backend must be connected via TCP/IP
+echo "backend_hostname0 = 'localhost'" >> etc/pgpool.conf
+
+# produce debug message since the only way to confirm the SSL
+# connections is being established is, look into the debug log.
+echo "log_min_messages = debug5" >> etc/pgpool.conf
+
+# allow to access IPv6 localhost
+echo "host all all ::1/128 trust" >> data0/pg_hba.conf
+
+source ./bashrc.ports
+
+./startall
+
+export PGPORT=$PGPOOL_PORT
+
+wait_for_pgpool_startup
+
+# first, checking frontend<-->Pgpool-II...
+check_ssl
+if [ $? != 0 ];then
+ echo "Checking SSL connection between frontend and Pgpool-II failed."
+ ./shutdownall
+ exit 1
+fi
+echo "Checking SSL connection between frontend and Pgpool-II was ok."
+
+if [ $PGVERSION -ge 18 ];then
+ grep "SSL Protocol" result|grep TLSv1.2
+else
+ grep SSL result |grep TLSv1.2
+fi
+
+# if SSl protocol version TLSv1.2
+if [ $? = 0 ];then
+ grep SSL result |grep ECDH
+
+ if [ $? != 0 ];then
+ echo "Checking SSL connection with ECDH between frontend and Pgpool-II failed."
+ ./shutdownall
+ exit 1
+ fi
+ echo "Checking SSL connection with ECDH between frontend and Pgpool-II was ok."
+fi
+
+grep "client->server SSL response: S" log/pgpool.log >/dev/null
+if [ $? != 0 ];then
+ echo "Checking SSL connection between Pgpool-II and backend failed."
+ ./shutdownall
+ exit 1
+fi
+echo "Checking SSL connection between Pgpool-II and backend was ok."
+
+# So far SSL connection between clients and Pgpool-II, Pgpool-II and backend are ok.
+
+./shutdownall
+
+# ---------------------------------------------------------------
+# Test SSL params
+
+config_names[0]=ssl_cert
+config_names[1]=ssl_ciphers
+config_names[2]=ssl_crl_file
+config_names[3]=ssl_dh_params_file # ssl_dh_params_file can be a invalid file (fallback mechanism)
+config_names[4]=ssl_ecdh_curve
+config_names[5]=ssl_key
+config_names[6]=ssl_passphrase_command # cert does not require pass passphrase
+config_names[7]=ssl_prefer_server_ciphers # this affects server side ciphers
+
+good_values[0]=server.crt
+good_values[1]=HIGH:MEDIUM:+3DES:!aNULL
+good_values[2]=""
+good_values[3]=skip
+good_values[4]=prime256v1
+good_values[5]=server.key
+good_values[6]=skip
+good_values[7]=skip
+
+for i in {0..7}
+do
+ echo "===== ${config_names[$i]} ====="
+ if [ "${good_values[$i]}" = "skip" ];then
+ echo "skip this test"
+ else
+ test_ssl ${config_names[$i]} ${good_values[$i]}
+ fi
+done
+./shutdownall
+exit 0
--
2.43.0
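Review bot: The test never exercises the case the commit is about, replacing the certificate contents at an unchanged path and reloading: test_ssl only proves that a good value reloaded after a bad one yields an SSL connection, which also holds if the reload built a context for the first time rather than replacing an existing one, so a regression that keeps serving a stale SSL_CTX would still pass. A stronger check would record the fingerprint of the certificate presented before the reload, copy a second fixture certificate over etc/server.crt, run ./pgpool_reload, and assert that the presented fingerprint changed (openssl s_client with -starttls postgres can extract it on OpenSSL 1.1.1 and later). In the loop at the end, `test_ssl ${config_names[$i]} ${good_values[$i]}` passes the values unquoted, so the empty ssl_crl_file value vanishes as an argument and any value containing spaces would split; use `test_ssl "${config_names[$i]}" "${good_values[$i]}"`. The `sleep 1` after `./pgpool_reload` in test_ssl is a race on slow CI hosts; polling log/pgpool.log for the reload message before calling check_ssl would make the result deterministic.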