Re: [HACKERS] [PATCH] Reload SSL certificates on SIGHUP - Mailing list pgsql-hackers

From Stephen Frost
Subject Re: [HACKERS] [PATCH] Reload SSL certificates on SIGHUP
Date
Msg-id 20170104151850.GQ18360@tamriel.snowman.net
Whole thread Raw
In response to Re: [HACKERS] [PATCH] Reload SSL certificates on SIGHUP  (Andreas Karlsson <andreas@proxel.se>)
List pgsql-hackers
* Andreas Karlsson (andreas@proxel.se) wrote:
> On 01/04/2017 04:14 PM, Stephen Frost wrote:
> >* Andreas Karlsson (andreas@proxel.se) wrote:
> >>A possible solution might be to only add the error throwing hook
> >>when loading certificates during SIGHUP (and at Windows) and to work
> >>as before on startup. Would that be an acceptable solution? I could
> >>write a patch for this if people are interested.
> >
> >I'm not sure I see how that's a solution..?  Wouldn't that mean that a
> >SIGHUP with an encrypted key would result in a failure?
> >
> >The solution, at least in my view, seems to be to say "sorry, we can't
> >reload the SSL stuff if you used a passphrase to unlock the key on
> >startup, you will have to perform a restart if you want the SSL bits to
> >be changed."
>
> Sorry, I was very unclear. I meant refusing the reload the SSL
> context if there is a pass phrase, but that the rest of the config
> will be reloaded just fine. This will lead to some log spam on every
> SIGHUP for people with a pass phrase but should otherwise work as
> before.

Right, that sounds like it'd work for me, at least.

Thanks!

Stephen

pgsql-hackers by date:

Previous
From: Andreas Karlsson
Date:
Subject: Re: [HACKERS] [PATCH] Reload SSL certificates on SIGHUP
Next
From: Peter Eisentraut
Date:
Subject: Re: [HACKERS] [PROPOSAL] Temporal query processing with range types