Message-ID:
From: "cfredri4 (@cfredri4)"
To: "pgjdbc/pgjdbc"
Date: Thu, 03 Jul 2025 09:03:34 +0000
Subject: Re: [pgjdbc/pgjdbc] PR #3700: Add PEMKeyManager to handle PEM based certs and keys.
In-Reply-To:
References:
List-Id:
X-GitHub-Author-Login: cfredri4
X-GitHub-Comment-Id: 3031474366
X-GitHub-Comment-Type: issue_comment
X-GitHub-Issue: 3700
X-GitHub-Repo: pgjdbc/pgjdbc
X-GitHub-Type: comment
X-GitHub-Url: https://github.com/pgjdbc/pgjdbc/pull/3700#issuecomment-3031474366
Content-Type: text/plain; charset=utf-8

> @cfredri4 as the `getPrivateKey` method is called during the SSL handshake, I believe the read happens during connection establishment, and there might NOT be any further reads in the entire lifetime of the connection.

Correct.

> Subsequent new connections anyways should create new objects of `LibPQFactory` and `KeyManagers`, which will trigger reads again.

You're right, I missed this part. This means that there is really no point in the existing key managers (`PKCS12KeyManager`, `LazyKeyManager`) caching the key material and only reading once.

> In case a cert expires during the lifetime of a connection, probably the connection terminates and that will lead to creation of a new one.

Off topic, but in general this does _not_ happen in TLS; certificate expiry is checked only during the handshake, so any connection will remain active when the certificate expires.

> So, do you think reading the material from file every time (or caching the content) causes any issues?

No real issue. I only reacted because it was done differently from the existing key managers. For consistency, maybe the existing key managers should be updated to always read from file; it would slightly simplify things.
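The "always read from file" behaviour discussed in this thread, as an added illustration (example code written for this page, not pgjdbc's `PEMKeyManager`, `PKCS12KeyManager` or `LazyKeyManager`; the class name `FilePemKeyManager`, the alias `"client"` and the restriction to unencrypted PKCS#8 keys are assumptions of the example). Because JSSE calls `getPrivateKey` and `getCertificateChain` once per handshake, and each new connection builds a fresh key manager anyway, re-reading the PEM files on every call adds no meaningful cost and removes the cache:

```java
import java.io.IOException;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import java.util.Collection;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedKeyManager;

/**
 * Hypothetical client-side key manager (not pgjdbc code) that re-reads the PEM
 * files on every call instead of caching them. getPrivateKey() and
 * getCertificateChain() are invoked during the TLS handshake only, so the
 * file reads happen at connection establishment and not afterwards.
 */
public final class FilePemKeyManager extends X509ExtendedKeyManager {
  private static final String ALIAS = "client";  // assumed single-identity alias
  // Only unencrypted PKCS#8 ("BEGIN PRIVATE KEY") is handled in this example.
  private static final Pattern PKCS8 = Pattern.compile(
      "-----BEGIN PRIVATE KEY-----([^-]+)-----END PRIVATE KEY-----", Pattern.DOTALL);

  private final Path certPath;
  private final Path keyPath;

  public FilePemKeyManager(Path certPath, Path keyPath) {
    this.certPath = certPath;
    this.keyPath = keyPath;
  }

  @Override
  public X509Certificate[] getCertificateChain(String alias) {
    if (!ALIAS.equals(alias)) return null;
    try (var in = Files.newInputStream(certPath)) {
      // CertificateFactory parses a concatenated PEM chain (leaf first) directly.
      Collection<? extends Certificate> certs =
          CertificateFactory.getInstance("X.509").generateCertificates(in);
      return certs.stream().map(X509Certificate.class::cast).toArray(X509Certificate[]::new);
    } catch (IOException | GeneralSecurityException e) {
      return null;  // JSSE treats null as "no client certificate available"
    }
  }

  @Override
  public PrivateKey getPrivateKey(String alias) {
    if (!ALIAS.equals(alias)) return null;
    try {
      String pem = Files.readString(keyPath, StandardCharsets.US_ASCII);
      Matcher m = PKCS8.matcher(pem);
      if (!m.find()) return null;
      // The MIME decoder tolerates the 64-column line breaks used in PEM.
      byte[] der = Base64.getMimeDecoder().decode(m.group(1));
      PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(der);
      // PKCS#8 carries the algorithm OID, but KeyFactory still needs a name:
      // try the algorithms commonly used for PostgreSQL client certificates.
      for (String alg : new String[] {"RSA", "EC", "Ed25519"}) {
        try {
          return KeyFactory.getInstance(alg).generatePrivate(spec);
        } catch (GeneralSecurityException ignored) {
          // not this algorithm, try the next one
        }
      }
      return null;
    } catch (IOException e) {
      return null;
    }
  }

  @Override
  public String[] getClientAliases(String keyType, Principal[] issuers) {
    return new String[] {ALIAS};
  }

  @Override
  public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
    return ALIAS;
  }

  @Override
  public String chooseEngineClientAlias(String[] keyType, Principal[] issuers, SSLEngine engine) {
    return ALIAS;
  }

  // This key manager only ever authenticates as a client.
  @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return null; }
  @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) { return null; }
}
```

The instance is passed to `SSLContext.init(new KeyManager[] {km}, trustManagers, null)` in the usual way. Returning `null` from `getPrivateKey` on a parse failure makes the handshake proceed without a client certificate rather than throwing, which matches how JSSE interprets a missing alias; a caller that wants a hard failure for an unreadable key file should check the file before building the context.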