Re: [PATCH] Reload SSL certificates on SIGHUP

From: Andreas Karlsson <andreas(at)proxel(dot)se>
To: Michael Paquier <michael(dot)paquier(at)gmail(dot)com>
Cc: Michael Banck <michael(dot)banck(at)credativ(dot)de>, Peter Geoghegan <pg(at)heroku(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Peter Eisentraut <peter_e(at)gmx(dot)net>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: [PATCH] Reload SSL certificates on SIGHUP
Date: 2016-11-24 13:49:34
Message-ID: cf48a889-e890-0441-a1ed-57aea18c4b23@proxel.se
Lists: pgsql-hackers

On 11/24/2016 08:46 AM, Michael Paquier wrote:
> On Sat, Nov 12, 2016 at 3:42 AM, Andreas Karlsson <andreas(at)proxel(dot)se> wrote:
>> On 11/11/2016 07:40 PM, Andreas Karlsson wrote:
>>> Here is a new version of the patch with the only differences;
>>>
>>> 1) The SSL tests have been changed to use reload rather than restart
>
> Did you check if the tests pass? I am getting a couple of failures
> like this one:
> psql: server certificate for "common-name.pg-ssltest.test" does not
> match host name "127.0.0.1"
> not ok 11 - sslrootcert=ssl/root+server_ca.crt sslmode=verify-full
> Attached are the logs of the run I did, and the same behavior shows
> for macOS and Linux. The shape of the tests looks correct to me after
> review. Still, seeing failing tests with sslmode=verify-full is a
> problem that needs to be addressed. This may be pointing to an
> incorrect CA load handling, though I could not spot a problem when
> going through the code.

Thanks for finding this. I will look at this more once I get home, but
the tests do not fail on my computer. I wonder what I do differently.

What versions of Perl and OpenSSL do you run and how did you run the
tests when they failed? I ran the tests by running "make check" inside
"src/test/ssl".

Andreas
