public inbox for [email protected]
help / color / mirror / Atom feedFrom: Tatsuo Ishii <[email protected]>
To: [email protected]
Cc: [email protected]
Subject: Re: Rotate SSL certificates on reload (SIGHUP) without restart
Date: Wed, 01 Apr 2026 18:05:42 +0900 (JST)
Message-ID: <[email protected]> (raw)
In-Reply-To: <CAHtZvrcEFdHnOERL6s6GmEAYe3wcNMjfY0FvT9QYcwgUquOmpw@mail.gmail.com>
References: <CAHtZvrfap1R6+D=KsfE1iPU6_reGaPyf=m_GryEUNrNWe0KYbg@mail.gmail.com>
<[email protected]>
<CAHtZvrcEFdHnOERL6s6GmEAYe3wcNMjfY0FvT9QYcwgUquOmpw@mail.gmail.com>
Hi Bob,
> Hi Tatsuo,
>
> Thanks for double-checking! Please feel free to go ahead and write the
> regression tests if you're up for it. I'd really appreciate the help.
I have written the first version of the regression test. This test
performs:
1. Set bad value (fixed string "bad_value") to a config param and
restart pgpool so that SSL connection does not establish between
client and pgpool.
2. Set good value to the config and reload pgpool so that SSL
connection establishes.
The test is run against:
ssl_cert
ssl_ciphers
ssl_crl_file
ssl_ecdh_curve
ssl_key
It does not test ssl_ca_cert and ssl_ca_cert_dir because the test is
based on 023.ssl_connection which does not check cert auth. Should we
test cert auth as well?
Also this does not test followings:
- ssl_dh_params_file
If bad value is set to the parameter, it falls back to a builtin
value. So it is not possible to set a bad value to the parameter.
Do you have an idea to test this?
- ssl_passphrase_command
Our cert does not require pass passphrase.
- ssl_prefer_server_ciphers
This only affects server side (backend) ciphers. The test only tests
SSL connection between client and pgpool.
Attached is the v1 patch including your patch (I have remove "-----"
from your commit message. Otherwise the commit message cuts in the
middle) and the test script.
What do you think?
Regards,
--
Tatsuo Ishii
SRA OSS K.K.
English: http://www.sraoss.co.jp/index_en/
Japanese:http://www.sraoss.co.jp
Attachments:
[application/octet-stream] v1-0001-Feature-reload-SSL-certificates-on-SIGHUP-without.patch (24.3K, 2-v1-0001-Feature-reload-SSL-certificates-on-SIGHUP-without.patch)
download | inline diff:
From c97fc6e9d4acb3f5071e473db3b34577f2498d59 Mon Sep 17 00:00:00 2001
From: Tatsuo Ishii <[email protected]>
Date: Wed, 1 Apr 2026 16:43:42 +0900
Subject: [PATCH v1] Feature: reload SSL certificates on SIGHUP without restart
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Allow Pgpool-II to pick up rotated TLS certificates (and any change to
SSL-related configuration) when receiving SIGHUP (i.e. systemctl reload
pgpool2), matching the behavior PostgreSQL has had since PostgreSQL 12.
Problem:
All SSL configuration parameters (ssl_cert, ssl_key, ssl_ca_cert,
ssl_ciphers, etc.) were declared CFGCXT_INIT, meaning they were silently
ignored when pool_get_config() was called under CFGCXT_RELOAD.
Furthermore, SSL_ServerSide_init() was only called once at startup in
main.c and never again, so the in-memory SSL_CTX was never refreshed.
Fix:
1. src/main/pgpool_main.c
- Include utils/pool_ssl.h.
- In reload_config(), call SSL_ServerSide_init() (guarded by
#ifdef USE_SSL) *before* kill_all_children(SIGHUP). The function
already replaces SSL_frontend_context atomically: it frees the old
SSL_CTX only after a new one has been created successfully, so a
failed reload leaves the existing context intact.
2. src/protocol/child.c
- In check_config_reload(), call SSL_ServerSide_init() (guarded by
#ifdef USE_SSL) so each worker child also refreshes its own copy of
the SSL context for subsequent new connections. In-flight TLS
sessions are unaffected because they hold a direct reference to the
SSL object, not to SSL_frontend_context.
3. src/config/pool_config_variables.c
- Change CFGCXT_INIT -> CFGCXT_RELOAD for:
ssl_prefer_server_ciphers, ssl_cert, ssl_key, ssl_ca_cert,
ssl_ca_cert_dir, ssl_crl_file, ssl_ciphers, ssl_ecdh_curve,
ssl_dh_params_file, ssl_passphrase_command.
- The 'ssl' boolean (master enable flag) is intentionally left as
CFGCXT_INIT because dynamically enabling SSL at runtime is a
larger, separate concern.
Usage after this change:
Standard in-place certificate rotation (cert-manager, ACME, manual
openssl refresh at the same path):
# replace /etc/pgpool/server.{crt,key} with new files
systemctl reload pgpool2
# or: pgpool -f /etc/pgpool/pgpool.conf reload
New connections will use the new certificates after workers process
the reload signal. Existing connections are not interrupted.
Switching to a different certificate path also works: update
pgpool.conf then reload — the new paths are now accepted in
CFGCXT_RELOAD context.
Author: Bob Ross <[email protected]>
Reviewed-by: Tatsuo Ishii <[email protected]>
Discussion: https://www.postgresql.org/message-id/flat/CAHtZvrddqfbnERYY_DqgURWCjuXeTjM0y08k-ZP_B0bAHYx2ag%40mail.gmail.com
---
src/config/pool_config_variables.c | 20 +-
src/main/pgpool_main.c | 17 ++
src/protocol/child.c | 11 +
.../regression/tests/042.ssl_reload/README | 6 +
.../tests/042.ssl_reload/server.crt | 79 ++++++++
.../tests/042.ssl_reload/server.key | 27 +++
.../tests/042.ssl_reload/server.req | 61 ++++++
.../regression/tests/042.ssl_reload/test.sh | 189 ++++++++++++++++++
8 files changed, 400 insertions(+), 10 deletions(-)
create mode 100644 src/test/regression/tests/042.ssl_reload/README
create mode 100644 src/test/regression/tests/042.ssl_reload/server.crt
create mode 100644 src/test/regression/tests/042.ssl_reload/server.key
create mode 100644 src/test/regression/tests/042.ssl_reload/server.req
create mode 100755 src/test/regression/tests/042.ssl_reload/test.sh
diff --git a/src/config/pool_config_variables.c b/src/config/pool_config_variables.c
index ce13c42f6..ca40c341a 100644
--- a/src/config/pool_config_variables.c
+++ b/src/config/pool_config_variables.c
@@ -705,7 +705,7 @@ static struct config_bool ConfigureNamesBool[] =
},
{
- {"ssl_prefer_server_ciphers", CFGCXT_INIT, SSL_CONFIG,
+ {"ssl_prefer_server_ciphers", CFGCXT_RELOAD, SSL_CONFIG,
"Use server's SSL cipher preferences, rather than the client's",
CONFIG_VAR_TYPE_BOOL, false, 0
},
@@ -1271,7 +1271,7 @@ static struct config_string ConfigureNamesString[] =
},
{
- {"ssl_cert", CFGCXT_INIT, SSL_CONFIG,
+ {"ssl_cert", CFGCXT_RELOAD, SSL_CONFIG,
"SSL public certificate file.",
CONFIG_VAR_TYPE_STRING, false, 0
},
@@ -1281,7 +1281,7 @@ static struct config_string ConfigureNamesString[] =
},
{
- {"ssl_key", CFGCXT_INIT, SSL_CONFIG,
+ {"ssl_key", CFGCXT_RELOAD, SSL_CONFIG,
"SSL private key file.",
CONFIG_VAR_TYPE_STRING, false, 0
},
@@ -1291,7 +1291,7 @@ static struct config_string ConfigureNamesString[] =
},
{
- {"ssl_ca_cert", CFGCXT_INIT, SSL_CONFIG,
+ {"ssl_ca_cert", CFGCXT_RELOAD, SSL_CONFIG,
"Single PEM format file containing CA root certificate(s).",
CONFIG_VAR_TYPE_STRING, false, 0
},
@@ -1301,7 +1301,7 @@ static struct config_string ConfigureNamesString[] =
},
{
- {"ssl_ca_cert_dir", CFGCXT_INIT, SSL_CONFIG,
+ {"ssl_ca_cert_dir", CFGCXT_RELOAD, SSL_CONFIG,
"Directory containing CA root certificate(s).",
CONFIG_VAR_TYPE_STRING, false, 0
},
@@ -1311,7 +1311,7 @@ static struct config_string ConfigureNamesString[] =
},
{
- {"ssl_crl_file", CFGCXT_INIT, SSL_CONFIG,
+ {"ssl_crl_file", CFGCXT_RELOAD, SSL_CONFIG,
"SSL certificate revocation list file",
CONFIG_VAR_TYPE_STRING, false, 0
},
@@ -1321,7 +1321,7 @@ static struct config_string ConfigureNamesString[] =
},
{
- {"ssl_ciphers", CFGCXT_INIT, SSL_CONFIG,
+ {"ssl_ciphers", CFGCXT_RELOAD, SSL_CONFIG,
"Allowed SSL ciphers.",
CONFIG_VAR_TYPE_STRING, false, 0
},
@@ -1331,7 +1331,7 @@ static struct config_string ConfigureNamesString[] =
},
{
- {"ssl_ecdh_curve", CFGCXT_INIT, SSL_CONFIG,
+ {"ssl_ecdh_curve", CFGCXT_RELOAD, SSL_CONFIG,
"The curve to use in ECDH key exchange.",
CONFIG_VAR_TYPE_STRING, false, 0
},
@@ -1341,7 +1341,7 @@ static struct config_string ConfigureNamesString[] =
},
{
- {"ssl_dh_params_file", CFGCXT_INIT, SSL_CONFIG,
+ {"ssl_dh_params_file", CFGCXT_RELOAD, SSL_CONFIG,
"Path to the Diffie-Hellman parameters contained file",
CONFIG_VAR_TYPE_STRING, false, 0
},
@@ -1351,7 +1351,7 @@ static struct config_string ConfigureNamesString[] =
},
{
- {"ssl_passphrase_command", CFGCXT_INIT, SSL_CONFIG,
+ {"ssl_passphrase_command", CFGCXT_RELOAD, SSL_CONFIG,
"Path to the Diffie-Hellman parameters contained file",
CONFIG_VAR_TYPE_STRING, false, 0
},
diff --git a/src/main/pgpool_main.c b/src/main/pgpool_main.c
index bf7c452e2..0a9c92826 100644
--- a/src/main/pgpool_main.c
+++ b/src/main/pgpool_main.c
@@ -61,6 +61,7 @@
#include "watchdog/wd_lifecheck.h"
#include "watchdog/watchdog.h"
#include "pcp/pcp_worker.h"
+#include "utils/pool_ssl.h"
#include <grp.h>
/*
@@ -3489,6 +3490,22 @@ reload_config(void)
if (pool_config->enable_pool_hba)
load_hba(hba_file);
+#ifdef USE_SSL
+ /*
+ * If SSL is enabled, re-initialize the SSL context so that new
+ * connections pick up rotated certificates without requiring a restart.
+ * SSL_ServerSide_init() is safe to call repeatedly: it frees and replaces
+ * the existing SSL_CTX only on success, leaving the old context intact on
+ * failure.
+ */
+ if (pool_config->ssl)
+ {
+ ereport(LOG,
+ (errmsg("reload SSL certificates.")));
+ SSL_ServerSide_init();
+ }
+#endif /* USE_SSL */
+
kill_all_children(SIGHUP);
}
diff --git a/src/protocol/child.c b/src/protocol/child.c
index c34f05728..713bfe28f 100644
--- a/src/protocol/child.c
+++ b/src/protocol/child.c
@@ -1796,6 +1796,17 @@ check_config_reload(void)
if (strcmp("", pool_config->pool_passwd))
pool_reopen_passwd_file();
+#ifdef USE_SSL
+ /*
+ * Re-initialize the frontend SSL context so this child process
+ * serves new connections with any rotated certificates without a
+ * restart. In-flight TLS sessions are unaffected; they hold a
+ * direct reference to the old SSL object.
+ */
+ if (pool_config->ssl)
+ SSL_ServerSide_init();
+#endif /* USE_SSL */
+
got_sighup = 0;
}
}
diff --git a/src/test/regression/tests/042.ssl_reload/README b/src/test/regression/tests/042.ssl_reload/README
new file mode 100644
index 000000000..c73cf0bd3
--- /dev/null
+++ b/src/test/regression/tests/042.ssl_reload/README
@@ -0,0 +1,6 @@
+The sample server.key and server.crt was created by using following commands:
+
+openssl req -new -text -out server.req
+openssl rsa -in privkey.pem -out server.key
+rm privkey.pem
+openssl req -x509 -days 3650 -in server.req -text -key server.key -out server.crt
diff --git a/src/test/regression/tests/042.ssl_reload/server.crt b/src/test/regression/tests/042.ssl_reload/server.crt
new file mode 100644
index 000000000..90d5e08e7
--- /dev/null
+++ b/src/test/regression/tests/042.ssl_reload/server.crt
@@ -0,0 +1,79 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number:
+ f4:86:4a:aa:50:42:63:dc
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
+ Validity
+ Not Before: Aug 29 02:52:36 2018 GMT
+ Not After : Aug 26 02:52:36 2028 GMT
+ Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:f4:e3:30:f0:09:e2:43:0e:a1:67:2e:3b:ef:b5:
+ 88:1e:4e:a9:06:fa:f2:94:8b:fa:4f:0a:9f:e0:57:
+ 45:95:2c:c1:18:1d:21:6d:c8:5c:2a:05:94:0b:c6:
+ 49:c5:97:88:ac:88:ba:73:fb:81:28:eb:e1:cd:7f:
+ 9d:fb:e0:c5:0d:ef:35:cc:12:b8:74:0b:a1:e9:65:
+ d4:19:38:9b:a8:e1:c5:ef:d5:f1:9c:cf:8a:de:bf:
+ fa:d7:6c:f9:d7:85:10:db:9f:e9:03:e9:7e:f1:81:
+ de:9d:f3:b3:a3:6f:19:31:c8:bb:31:c0:e7:7d:ea:
+ 6b:02:98:21:7c:c2:f5:9d:0d:7c:85:2b:5d:81:7c:
+ 71:74:42:89:ab:5c:31:ac:19:fd:c2:0b:fb:e5:c2:
+ b2:54:15:64:40:9c:bf:ed:d2:b1:bb:75:f9:e9:d8:
+ 67:b3:4e:63:c4:3e:f4:8a:2c:87:50:27:dd:22:97:
+ f1:f7:26:49:87:03:55:08:a4:d2:44:21:e1:9a:33:
+ 82:96:09:b3:08:65:bc:a8:3a:f4:64:f3:60:62:d0:
+ 98:d9:82:0c:1b:be:b6:9c:22:e8:7f:e6:eb:20:d9:
+ 71:67:2c:d5:14:83:aa:f1:37:75:98:4c:68:1d:95:
+ fe:1f:ec:cb:9b:17:9c:f4:92:22:da:bb:78:46:f3:
+ de:7d
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Subject Key Identifier:
+ 68:ED:A7:FE:1E:36:26:18:80:2B:C6:A2:07:23:1C:A4:00:57:16:68
+ X509v3 Authority Key Identifier:
+ keyid:68:ED:A7:FE:1E:36:26:18:80:2B:C6:A2:07:23:1C:A4:00:57:16:68
+
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ Signature Algorithm: sha256WithRSAEncryption
+ dd:61:62:83:6e:fa:e8:8a:1b:02:c6:9f:7f:f3:52:f8:04:5c:
+ c9:35:f9:4c:1d:4f:0f:9f:6c:a2:18:95:f0:76:93:e5:99:58:
+ 4a:88:7a:54:68:cf:28:64:8e:01:3f:fb:7e:28:6f:ad:c6:08:
+ a2:09:77:4c:13:4b:1d:68:70:38:91:d4:dc:f7:c3:c8:81:36:
+ 48:b9:01:46:f9:fa:e8:f7:ba:fe:23:4c:e3:27:a9:58:2d:a6:
+ 3d:88:ac:b8:71:9b:84:ec:bd:82:c4:45:1d:ba:77:ed:73:54:
+ a9:16:76:80:40:0b:80:42:47:60:84:cf:41:e0:0f:8e:85:d3:
+ 28:36:fb:f6:8c:f8:c6:20:b3:c4:06:cc:2d:6d:37:78:b4:d5:
+ 4d:14:db:f0:04:56:66:d8:5a:cc:ff:bd:0c:19:6d:39:bf:26:
+ ac:17:0c:91:a4:68:4b:bc:86:4f:0a:10:81:b5:ac:1e:a6:78:
+ b1:7f:e9:f3:9e:1b:32:92:b2:8f:f7:e2:a3:ae:44:e2:99:b0:
+ 04:0a:15:eb:7a:37:10:b2:7b:ef:35:6c:a5:db:13:96:42:e9:
+ 22:3c:72:6a:34:16:0d:b5:2c:49:f3:83:c7:ff:da:ec:57:14:
+ ab:0d:8d:76:8f:f0:a2:21:4f:88:54:bc:2f:c6:b9:7b:8c:da:
+ 42:9a:b1:12
+-----BEGIN CERTIFICATE-----
+MIIDYDCCAkigAwIBAgIJAPSGSqpQQmPcMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
+BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
+aWRnaXRzIFB0eSBMdGQwHhcNMTgwODI5MDI1MjM2WhcNMjgwODI2MDI1MjM2WjBF
+MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50
+ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEA9OMw8AniQw6hZy4777WIHk6pBvrylIv6Twqf4FdFlSzBGB0hbchcKgWU
+C8ZJxZeIrIi6c/uBKOvhzX+d++DFDe81zBK4dAuh6WXUGTibqOHF79XxnM+K3r/6
+12z514UQ25/pA+l+8YHenfOzo28ZMci7McDnfeprApghfML1nQ18hStdgXxxdEKJ
+q1wxrBn9wgv75cKyVBVkQJy/7dKxu3X56dhns05jxD70iiyHUCfdIpfx9yZJhwNV
+CKTSRCHhmjOClgmzCGW8qDr0ZPNgYtCY2YIMG762nCLof+brINlxZyzVFIOq8Td1
+mExoHZX+H+zLmxec9JIi2rt4RvPefQIDAQABo1MwUTAdBgNVHQ4EFgQUaO2n/h42
+JhiAK8aiByMcpABXFmgwHwYDVR0jBBgwFoAUaO2n/h42JhiAK8aiByMcpABXFmgw
+DwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEA3WFig2766IobAsaf
+f/NS+ARcyTX5TB1PD59sohiV8HaT5ZlYSoh6VGjPKGSOAT/7fihvrcYIogl3TBNL
+HWhwOJHU3PfDyIE2SLkBRvn66Pe6/iNM4yepWC2mPYisuHGbhOy9gsRFHbp37XNU
+qRZ2gEALgEJHYITPQeAPjoXTKDb79oz4xiCzxAbMLW03eLTVTRTb8ARWZthazP+9
+DBltOb8mrBcMkaRoS7yGTwoQgbWsHqZ4sX/p854bMpKyj/fio65E4pmwBAoV63o3
+ELJ77zVspdsTlkLpIjxyajQWDbUsSfODx//a7FcUqw2Ndo/woiFPiFS8L8a5e4za
+QpqxEg==
+-----END CERTIFICATE-----
diff --git a/src/test/regression/tests/042.ssl_reload/server.key b/src/test/regression/tests/042.ssl_reload/server.key
new file mode 100644
index 000000000..0ddd69303
--- /dev/null
+++ b/src/test/regression/tests/042.ssl_reload/server.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEA9OMw8AniQw6hZy4777WIHk6pBvrylIv6Twqf4FdFlSzBGB0h
+bchcKgWUC8ZJxZeIrIi6c/uBKOvhzX+d++DFDe81zBK4dAuh6WXUGTibqOHF79Xx
+nM+K3r/612z514UQ25/pA+l+8YHenfOzo28ZMci7McDnfeprApghfML1nQ18hStd
+gXxxdEKJq1wxrBn9wgv75cKyVBVkQJy/7dKxu3X56dhns05jxD70iiyHUCfdIpfx
+9yZJhwNVCKTSRCHhmjOClgmzCGW8qDr0ZPNgYtCY2YIMG762nCLof+brINlxZyzV
+FIOq8Td1mExoHZX+H+zLmxec9JIi2rt4RvPefQIDAQABAoIBAD6EfaraKxxJcOUh
+hYWlx3FNTZONnz5TGfzxzmz8erQhr84TKcSYIQdNU0VKQu0hyW+anFcdvxSOW6AV
+02RJNqVfC1Hk+ZgOnDA0odgqfnq34MtgyATrax2Az24N0R63Rt16zocEJjdLm2Sh
+oZu4sirmfvutrquTm+wWoH30W7XTCrd17thq8+5VBumXLW4sr40PWXcfPC1Od7JH
+utYZ0lGxr89fhuPpnpLw7V67EdslwmYl8avhzrUlzkXPqufZ33XdWFi/IXoNjMZ2
+MFgZFNKHv682nqjrrodyn4iXEzMSj4z4QLTNxoH79HWvCb2HjUpEWTNrfdu3LNCZ
+FahqHmECgYEA/5MmEEB2GNlhaMP+NMK/3x9RCfDfleqEdExf0KA6TuISNYUgeEeB
+dfczCN8WtxyDMor6fvwINxEAHX64/CompE/ya+Z25VdBQMcLpNVGS01aDdrqWN5B
+4qG8OyK3+eAjCnvyCzWsvvpK1I5u65q6+Q+Cw1wQaxYzhsZkEazQ0OkCgYEA9Ut9
+m74RMGudjkvJK7JIPLDLGEsko+yrh8IuoGn/wLpUJwmkZFQu8HRqdddMVjwQi4CN
+IDScbvyH0uE2yN+gg/BB0eBIyhfrI3xl6FJIQBnI0/7wmb2U82OT0LS18h9n8dAK
++mONcR3zL7XDe8xy1qTS0jjd1QT1QS4YLGPCxHUCgYEAowftCgT00NkqaDhOWr24
+w84oVd0P44QcRkvJ+z2atGNGFln74n5KuUOdjJUy2lAX6Q/6xzJi0y3HEwmZW1JQ
+IBTXobj8M0Q73eSbKuTZ2INZZOk3AMWW5ckiV97H2V//OlrihgARWCo1ve22GBk2
+GFaqpZB+8LDS4bCAeT3yXrECgYEA5rZ3USonLry5d2JOt5u7F+JNU+8xakErYMhC
+ZLzuQY6/oewOxBLuB1nn3CiBc0aRZTSnCFiTnkxFUBJmHe9AIXiz37wtmm9+yWSy
+0R27ORdHbiYGlQPcekP5fr7Jtw7VDHraKIHEQlWiKwix8dntVXe3luTHuRktuH2r
+XO0D/xUCgYEAlQtXyGSl/taUjKyfvfxlFDtpOwBAwUj2CsNzeUd2/5aWkqUrtYz8
+JNCPgSLPKDhLpavH0vUEmftF3uDVPxvMQ4JG9MQ7meHgL7AZmtKdU0VI+Av9xiJe
+d7A1x6o88gv1TqvGRit2qRxNOT0mzhDcXuR2EIQqUav45NyBokSo9xw=
+-----END RSA PRIVATE KEY-----
diff --git a/src/test/regression/tests/042.ssl_reload/server.req b/src/test/regression/tests/042.ssl_reload/server.req
new file mode 100644
index 000000000..fdfd5235d
--- /dev/null
+++ b/src/test/regression/tests/042.ssl_reload/server.req
@@ -0,0 +1,61 @@
+Certificate Request:
+ Data:
+ Version: 1 (0x0)
+ Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:f4:e3:30:f0:09:e2:43:0e:a1:67:2e:3b:ef:b5:
+ 88:1e:4e:a9:06:fa:f2:94:8b:fa:4f:0a:9f:e0:57:
+ 45:95:2c:c1:18:1d:21:6d:c8:5c:2a:05:94:0b:c6:
+ 49:c5:97:88:ac:88:ba:73:fb:81:28:eb:e1:cd:7f:
+ 9d:fb:e0:c5:0d:ef:35:cc:12:b8:74:0b:a1:e9:65:
+ d4:19:38:9b:a8:e1:c5:ef:d5:f1:9c:cf:8a:de:bf:
+ fa:d7:6c:f9:d7:85:10:db:9f:e9:03:e9:7e:f1:81:
+ de:9d:f3:b3:a3:6f:19:31:c8:bb:31:c0:e7:7d:ea:
+ 6b:02:98:21:7c:c2:f5:9d:0d:7c:85:2b:5d:81:7c:
+ 71:74:42:89:ab:5c:31:ac:19:fd:c2:0b:fb:e5:c2:
+ b2:54:15:64:40:9c:bf:ed:d2:b1:bb:75:f9:e9:d8:
+ 67:b3:4e:63:c4:3e:f4:8a:2c:87:50:27:dd:22:97:
+ f1:f7:26:49:87:03:55:08:a4:d2:44:21:e1:9a:33:
+ 82:96:09:b3:08:65:bc:a8:3a:f4:64:f3:60:62:d0:
+ 98:d9:82:0c:1b:be:b6:9c:22:e8:7f:e6:eb:20:d9:
+ 71:67:2c:d5:14:83:aa:f1:37:75:98:4c:68:1d:95:
+ fe:1f:ec:cb:9b:17:9c:f4:92:22:da:bb:78:46:f3:
+ de:7d
+ Exponent: 65537 (0x10001)
+ Attributes:
+ a0:00
+ Signature Algorithm: sha256WithRSAEncryption
+ 7a:30:69:6c:aa:30:6f:f3:bc:dc:85:78:04:ef:f6:0c:b2:04:
+ e7:03:55:fd:4a:98:74:d6:fd:24:a1:e9:e8:3d:e3:a1:b0:dc:
+ 12:b9:1f:38:fe:9e:42:5a:0c:06:b8:0c:f6:65:0b:78:95:73:
+ 27:31:14:e5:4d:4f:e2:82:3f:52:24:45:ba:31:e7:87:b7:c8:
+ b9:8a:db:5f:5e:fd:1a:f2:6c:7d:d6:d1:1d:19:77:5e:10:51:
+ d3:24:7f:5a:7d:3f:eb:db:33:0b:27:97:72:b9:f0:ea:89:79:
+ ca:b7:23:7c:c0:8a:e9:11:30:45:99:09:58:da:08:86:28:32:
+ 21:c0:3f:2e:87:3e:a4:96:55:f1:65:72:4f:06:0b:b3:a1:97:
+ 7d:54:6c:0d:96:b4:41:11:6e:28:45:cb:16:d7:1e:70:1e:a8:
+ a2:4e:7f:65:8e:71:e9:05:e2:ad:cc:9a:79:1d:73:39:e8:f0:
+ e8:f3:75:ab:bf:9d:44:7b:b7:76:3f:0d:50:e0:9c:ef:2c:d5:
+ eb:c3:0d:4f:c1:77:af:56:7e:78:db:e8:a0:52:05:f6:49:89:
+ ab:c0:ff:d6:97:9d:9d:84:14:12:73:ee:31:1d:12:ad:e7:91:
+ 8d:ac:ff:ee:8d:18:07:be:c8:ec:57:9d:78:41:9c:1e:a1:75:
+ 2b:99:f7:70
+-----BEGIN CERTIFICATE REQUEST-----
+MIICijCCAXICAQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx
+ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAPTjMPAJ4kMOoWcuO++1iB5OqQb68pSL+k8Kn+BX
+RZUswRgdIW3IXCoFlAvGScWXiKyIunP7gSjr4c1/nfvgxQ3vNcwSuHQLoell1Bk4
+m6jhxe/V8ZzPit6/+tds+deFENuf6QPpfvGB3p3zs6NvGTHIuzHA533qawKYIXzC
+9Z0NfIUrXYF8cXRCiatcMawZ/cIL++XCslQVZECcv+3Ssbt1+enYZ7NOY8Q+9Ios
+h1An3SKX8fcmSYcDVQik0kQh4ZozgpYJswhlvKg69GTzYGLQmNmCDBu+tpwi6H/m
+6yDZcWcs1RSDqvE3dZhMaB2V/h/sy5sXnPSSItq7eEbz3n0CAwEAAaAAMA0GCSqG
+SIb3DQEBCwUAA4IBAQB6MGlsqjBv87zchXgE7/YMsgTnA1X9Sph01v0koenoPeOh
+sNwSuR84/p5CWgwGuAz2ZQt4lXMnMRTlTU/igj9SJEW6MeeHt8i5ittfXv0a8mx9
+1tEdGXdeEFHTJH9afT/r2zMLJ5dyufDqiXnKtyN8wIrpETBFmQlY2giGKDIhwD8u
+hz6kllXxZXJPBguzoZd9VGwNlrRBEW4oRcsW1x5wHqiiTn9ljnHpBeKtzJp5HXM5
+6PDo83Wrv51Ee7d2Pw1Q4JzvLNXrww1PwXevVn542+igUgX2SYmrwP/Wl52dhBQS
+c+4xHRKt55GNrP/ujRgHvsjsV514QZweoXUrmfdw
+-----END CERTIFICATE REQUEST-----
diff --git a/src/test/regression/tests/042.ssl_reload/test.sh b/src/test/regression/tests/042.ssl_reload/test.sh
new file mode 100755
index 000000000..302216878
--- /dev/null
+++ b/src/test/regression/tests/042.ssl_reload/test.sh
@@ -0,0 +1,189 @@
+#!/usr/bin/env bash
+#-------------------------------------------------------------------
+# test script for SSL connection upon reloading for: frontend <--> Pgpool-II and Pgpool-II and PostgreSQL.
+#
+source $TESTLIBS
+TESTDIR=testdir
+PSQL=$PGBIN/psql
+PG_CTL=$PGBIN/pg_ctl
+export PGDATABASE=test
+SSL_KEY=server.key
+SSL_CRT=server.crt
+
+#-------------------------------------------
+# Check psql output for \conninfo to see if SSL enabled
+#-------------------------------------------
+function check_ssl {
+ $PSQL -h localhost test <<EOF > result
+\conninfo
+\q
+EOF
+
+ # PostgreSQL 18 or later prints tablular output for \conninfo.
+ # For SSL, "SSL Connection | true (or false)"
+ if [ $PGVERSION -ge 18 ];then
+ grep "SSL Connection" result|grep true
+ else
+ grep SSL result
+ fi
+}
+
+# ---------------------------------------------------------------
+# Test ssl configuration param.
+# params:
+# $1: configuration name. e.g. ssl_cert
+# $2: good value for the config
+#
+# This performs following tests:
+# 1. Set bad value to the config and restart pgpool to make sure SSL connection does not establish.
+# 2. Set good value to the config and reload to make sure SSL connection establishes.
+# If test fails, exit with status 1
+function test_ssl {
+ # set bad value
+ echo "$1 = 'bad_value'" >> etc/pgpool.conf
+ # restart pgpool
+ ./startall
+ wait_for_pgpool_startup
+ check_ssl
+ if [ $? = 0 ];then
+ echo "Checking SSL connection between frontend and Pgpool-II succeeded despite bad config value for $1"
+ ./shutdownall
+ exit 1
+ fi
+ echo "Checking SSL connection between frontend and Pgpool-II failed due to bad config value for $1 as expected."
+
+ # Make sure that SSL connection succeeds with good config value
+ echo "$1 = '$2'" >> etc/pgpool.conf
+ ./pgpool_reload
+ sleep 1
+ check_ssl
+ if [ $? = 0 ];then
+ echo "Checking SSL connection between frontend and Pgpool-II succeeded with good $1"
+ else
+ echo "Checking SSL connection between frontend and Pgpool-II failed with good $1"
+ ./shutdownall
+ exit 1
+ fi
+ ./shutdownall
+}
+
+# main script starts here
+rm -fr $TESTDIR
+mkdir $TESTDIR
+cd $TESTDIR
+
+# create test environment. Number of backend node is 1 is enough.
+echo -n "creating test environment..."
+$PGPOOL_SETUP -m s -n 1 || exit 1
+echo "done."
+
+# setup SSL key and crt file
+cp -p ../$SSL_KEY etc/
+chmod og-rwx etc/$SSL_KEY
+cp -p ../$SSL_CRT etc/
+cp -p ../$SSL_KEY data0/
+chmod og-rwx data0/$SSL_KEY
+cp -p ../$SSL_CRT data0/
+
+# enable SSL support
+dir=`pwd`
+
+echo "ssl = on" >> etc/pgpool.conf
+echo "ssl_key = '$SSL_KEY'" >> etc/pgpool.conf
+echo "ssl_cert = '$SSL_CRT'" >> etc/pgpool.conf
+echo "ssl_prefer_server_ciphers = on" >> etc/pgpool.conf
+echo "ssl_ciphers = 'EECDH:HIGH:MEDIUM:+3DES:!aNULL'" >> etc/pgpool.conf
+
+echo "ssl = on" >> data0/postgresql.conf
+echo "ssl_cert_file = '$SSL_CRT'" >> data0/postgresql.conf
+echo "ssl_key_file = '$SSL_KEY'" >> data0/postgresql.conf
+
+# backend must be connected via TCP/IP
+echo "backend_hostname0 = 'localhost'" >> etc/pgpool.conf
+
+# produce debug message since the only way to confirm the SSL
+# connections is being established is, look into the debug log.
+echo "log_min_messages = debug5" >> etc/pgpool.conf
+
+# allow to access IPv6 localhost
+echo "host all all ::1/128 trust" >> data0/pg_hba.conf
+
+source ./bashrc.ports
+
+./startall
+
+export PGPORT=$PGPOOL_PORT
+
+wait_for_pgpool_startup
+
+# first, checking frontend<-->Pgpool-II...
+check_ssl
+if [ $? != 0 ];then
+ echo "Checking SSL connection between frontend and Pgpool-II failed."
+ ./shutdownall
+ exit 1
+fi
+echo "Checking SSL connection between frontend and Pgpool-II was ok."
+
+if [ $PGVERSION -ge 18 ];then
+ grep "SSL Protocol" result|grep TLSv1.2
+else
+ grep SSL result |grep TLSv1.2
+fi
+
+# if SSl protocol version TLSv1.2
+if [ $? = 0 ];then
+ grep SSL result |grep ECDH
+
+ if [ $? != 0 ];then
+ echo "Checking SSL connection with ECDH between frontend and Pgpool-II failed."
+ ./shutdownall
+ exit 1
+ fi
+ echo "Checking SSL connection with ECDH between frontend and Pgpool-II was ok."
+fi
+
+grep "client->server SSL response: S" log/pgpool.log >/dev/null
+if [ $? != 0 ];then
+ echo "Checking SSL connection between Pgpool-II and backend failed."
+ ./shutdownall
+ exit 1
+fi
+echo "Checking SSL connection between Pgpool-II and backend was ok."
+
+# So far SSL connection between clients and Pgpool-II, Pgpool-II and backend are ok.
+
+./shutdownall
+
+# ---------------------------------------------------------------
+# Test SSL params
+
+config_names[0]=ssl_cert
+config_names[1]=ssl_ciphers
+config_names[2]=ssl_crl_file
+config_names[3]=ssl_dh_params_file # ssl_dh_params_file can be a invalid file (fallback mechanism)
+config_names[4]=ssl_ecdh_curve
+config_names[5]=ssl_key
+config_names[6]=ssl_passphrase_command # cert does not require pass passphrase
+config_names[7]=ssl_prefer_server_ciphers # this affects server side ciphers
+
+good_values[0]=server.crt
+good_values[1]=HIGH:MEDIUM:+3DES:!aNULL
+good_values[2]=""
+good_values[3]=skip
+good_values[4]=prime256v1
+good_values[5]=server.key
+good_values[6]=skip
+good_values[7]=skip
+
+for i in {0..7}
+do
+ echo "===== ${config_names[$i]} ====="
+ if [ "${good_values[$i]}" = "skip" ];then
+ echo "skip this test"
+ else
+ test_ssl ${config_names[$i]} ${good_values[$i]}
+ fi
+done
+./shutdownall
+exit 0
--
2.43.0
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected], [email protected]
Subject: Re: Rotate SSL certificates on reload (SIGHUP) without restart
In-Reply-To: <[email protected]>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox