Re: [HACKERS] [PATCH] Reload SSL certificates on SIGHUP - Mailing list pgsql-hackers

From Tom Lane
Subject Re: [HACKERS] [PATCH] Reload SSL certificates on SIGHUP
Date
Msg-id 23703.1483545440@sss.pgh.pa.us
In response to Re: [HACKERS] [PATCH] Reload SSL certificates on SIGHUP  (Peter Eisentraut <peter.eisentraut@2ndquadrant.com>)
Responses Re: [HACKERS] [PATCH] Reload SSL certificates on SIGHUP  (Peter Eisentraut <peter.eisentraut@2ndquadrant.com>)
List pgsql-hackers
Peter Eisentraut <peter.eisentraut@2ndquadrant.com> writes:
> On 1/4/17 10:26 AM, Tom Lane wrote:
>> How will you know whether there's a pass phrase?

> One could register a password callback that remembers whether it was called.

Hmm ... actually, we don't even need to work that hard.  If we simply
use the callback that's there now, but only during reloads not server
start, then we get the desired behavior.  Reloads will fail because
the wrong passphrase was returned by the callback, and we'll keep the
current SSL state.  It would probably be worth tweaking things to minimize
the amount of log spam that you get from that; but it would work, for
values of "work" similar to what was there before.

I still maintain that the existing solution for passphrases is useless,
but in the interest of removing objections to the current patch, I'll
go make that happen.
        regards, tom lane


