From: Tatsuo Ishii <[email protected]>
To: [email protected]
Cc: [email protected]
Subject: Re: Rotate SSL certificates on reload (SIGHUP) without restart
Date: Tue, 14 Apr 2026 17:01:51 +0900 (JST)
Message-ID: <[email protected]>
In-Reply-To: <CAHtZvrcnFHgLatJQrsGH0-Tupb4vY+dZ3jiBcK5uRgJ1AbGEAg@mail.gmail.com>
References: <[email protected]>
<CAHtZvrfTR=1vbry_HBg5rmWgO1O22ryjqt9tvNd5oT7NjX-vEA@mail.gmail.com>
<CAHtZvrcnFHgLatJQrsGH0-Tupb4vY+dZ3jiBcK5uRgJ1AbGEAg@mail.gmail.com>
Hi Bob,
> Hi Tatsuo,
>
> Please let me know if you need any assistance with updating your test
> cases. I am happy to help.
>
> Thanks,
> Bob
Sorry for the late reply. I was busy with personal affairs and some other
projects.
> On Thu, Apr 2, 2026 at 9:57 PM Bob Ross <[email protected]> wrote:
>
>> Hi Tatsuo,
>>
>> Thanks for putting together the regression tests.
>>
>> Thoughts on your questions:
>> - CA Certificates - Yes, adding a cert auth test is highly recommended. We
>> could test this by generating two different dummy CA certificates. Start
>> pgpool trusting CA #1, swap the config to CA #2, reload and verify that the
>> client connection is correctly rejected.
If you could extend the test file I posted so that it performs a cert
auth test, that would be helpful.
>> - DH parameters - perhaps we can test this by providing a non-existent
>> file path and then using grep to check pgpool.log for the specific warning
>> message (per pool_ssl.c it's "DH: could not load DH parameters") when
>> pgpool tries to load the file.
I think it will not work.
===================================================================
static bool
initialize_dh(SSL_CTX *context)
{
	DH		   *dh = NULL;

	SSL_CTX_set_options(context, SSL_OP_SINGLE_DH_USE);

	if (pool_config->ssl_dh_params_file[0])
		dh = load_dh_file(pool_config->ssl_dh_params_file);
	if (!dh)
		dh = load_dh_buffer(FILE_DH2048, sizeof(FILE_DH2048));
	if (!dh)
	{
		ereport(WARNING,
				(errmsg("DH: could not load DH parameters")));
		return false;
	}
	:
	:
===================================================================
The ereport message is printed when the built-in DH parameter file is
broken. But as long as the source file is fine, it would never happen.
Maybe we should fix the code above so that it emits ereport when it
fails to load the DH parameter file specified by ssl_dh_params_file?
Regards,
--
Tatsuo Ishii
SRA OSS K.K.
English: http://www.sraoss.co.jp/index_en/
Japanese: http://www.sraoss.co.jp
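As an added illustration (not pgpool code, and not part of this thread), the following C sketch shows the control flow Tatsuo proposes: a distinct warning when the file named by ssl_dh_params_file cannot be loaded, before falling back to the built-in parameters. The loader functions and the dh_result enum are stand-ins constructed for the example; the real load_dh_file()/load_dh_buffer() parse PEM with OpenSSL.

```c
#include <stdbool.h>
#include <stdio.h>

/* Outcome of DH parameter initialisation (enum constructed for this example). */
typedef enum {
    DH_FROM_FILE,            /* ssl_dh_params_file loaded successfully */
    DH_FROM_BUILTIN,         /* no file configured; built-in 2048-bit params used */
    DH_FILE_FAILED_FALLBACK, /* configured file unloadable: warned, then fell back */
    DH_FAILED                /* neither source usable */
} dh_result;

/* Stand-in for load_dh_file(): "loads" if the path can be opened for reading. */
static bool stub_load_dh_file(const char *path)
{
    FILE *fp = fopen(path, "r");
    if (!fp)
        return false;
    fclose(fp);
    return true;
}

/* Stand-in for load_dh_buffer(): the compiled-in parameters always parse. */
static bool stub_load_dh_buffer(void)
{
    return true;
}

/* Proposed flow: a bad ssl_dh_params_file is reported instead of silently
 * masked by the built-in fallback, so a regression test can grep for it. */
dh_result initialize_dh_checked(const char *ssl_dh_params_file)
{
    bool file_configured = ssl_dh_params_file && ssl_dh_params_file[0];

    if (file_configured) {
        if (stub_load_dh_file(ssl_dh_params_file))
            return DH_FROM_FILE;
        /* The original code emits nothing at this point. */
        fprintf(stderr, "WARNING: DH: could not load DH parameters from \"%s\", "
                        "falling back to built-in parameters\n", ssl_dh_params_file);
    }
    if (!stub_load_dh_buffer()) {
        /* Only reachable if the compiled-in parameters themselves are broken. */
        fprintf(stderr, "WARNING: DH: could not load DH parameters\n");
        return DH_FAILED;
    }
    return file_configured ? DH_FILE_FAILED_FALLBACK : DH_FROM_BUILTIN;
}
```

With the fallback reported, Bob's "non-existent path plus grep" test becomes meaningful: the warning appears exactly when the configured file is unusable.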