public inbox for [email protected]  
From: Tatsuo Ishii <[email protected]>
To: [email protected]
Cc: [email protected]
Subject: Re: Rotate SSL certificates on reload (SIGHUP) without restart
Date: Thu, 16 Apr 2026 19:31:38 +0900 (JST)
Message-ID: <[email protected]>
In-Reply-To: <CAHtZvrdhAbVSh2yhSwk0qeHmnL+Sr0LPvjrA+2inKF6WNh7azw@mail.gmail.com>
References: <CAHtZvrcnFHgLatJQrsGH0-Tupb4vY+dZ3jiBcK5uRgJ1AbGEAg@mail.gmail.com>
	<[email protected]>
	<CAHtZvrdhAbVSh2yhSwk0qeHmnL+Sr0LPvjrA+2inKF6WNh7azw@mail.gmail.com>

Hi Bob,

Thank you for the patch!

Unfortunately after applying the patch, the test failed. From
src/test/regression/log/042.ssl_reload:

===== ssl_ca_cert swap (client cert auth reload) =====
waiting for server to start....1462289 2026-04-16 19:25:49.490 JST LOG:  redirecting log output to logging collector process
1462289 2026-04-16 19:25:49.490 JST HINT:  Future log output will appear in directory "log".
 done
server started
CA cert swap: CA1-signed client cert rejected before reload – unexpected.

From pgpool.log:

2026-04-16 19:26:10.150: child pid 1462331: DETAIL:  Protocol Major: 1234 Minor: 5679 database:  user: 
2026-04-16 19:26:10.150: child pid 1462331: DEBUG:  selecting backend connection
2026-04-16 19:26:10.150: child pid 1462331: DETAIL:  SSLRequest from client
2026-04-16 19:26:10.150: child pid 1462331: DEBUG:  pool_write: to frontend: kind:S po:0
2026-04-16 19:26:10.150: child pid 1462331: DEBUG:  pool_flush_it: flush size: 1
2026-04-16 19:26:10.167: child pid 1462331: LOG:  pool_ssl: "SSL_accept": "tlsv1 alert unknown ca"
2026-04-16 19:26:10.167: child pid 1462331: DEBUG:  unable to read data from frontend
2026-04-16 19:26:10.167: child pid 1462331: DETAIL:  socket read failed with error "Connection reset by peer"

Please let me know if you need more info.

Regards,
--
Tatsuo Ishii
SRA OSS K.K.
English: http://www.sraoss.co.jp/index_en/
Japanese: http://www.sraoss.co.jp

> Hi Tatsuo,
> 
> Please see attached v2. It adds regression coverage for SSL cert reload
> with client certificate authentication; there are no functional code
> changes.
> 
> Best regards,
> Bob
> 
> 
> On Tue, Apr 14, 2026 at 10:02 AM Tatsuo Ishii <[email protected]> wrote:
> 
>> Hi Bob,
>>
>> > Hi Tatsuo,
>> >
>> > Please let me know if you need any assistance with updating your test
>> > cases. I would be happy to help.
>> >
>> > Thanks,
>> > Bob
>>
>> Sorry for the late reply. I was busy with personal affairs and some other
>> projects.
>>
>> > On Thu, Apr 2, 2026 at 9:57 PM Bob Ross <[email protected]> wrote:
>> >
>> >> Hi Tatsuo,
>> >>
>> >> Thanks for putting together the regression tests.
>> >>
>> >> Thoughts on your questions:
>> >> - CA Certificates - Yes, adding a cert auth test is highly recommended. We
>> >> could test this by generating two different dummy CA certificates. Start
>> >> pgpool trusting CA #1, swap the config to CA #2, reload and verify if
>> >> client connection correctly gets rejected.
>>
>> If you could extend the test file I posted so that it performs a cert
>> auth test, that would be helpful.
>>
>> >> - DH parameters - perhaps we can test this by providing a non-existent
>> >> file path and then use grep to check pgpool.log for specific warning
>> >> message (per pool_ssl.c it’s “DH: could not load DH parameters”) when
>> >> pgpool tries to load the file.
>>
>> I think it will not work.
>>
>> ===================================================================
>> static bool
>> initialize_dh(SSL_CTX *context)
>> {
>>         DH                 *dh = NULL;
>>
>>         SSL_CTX_set_options(context, SSL_OP_SINGLE_DH_USE);
>>
>>         if (pool_config->ssl_dh_params_file[0])
>>                 dh = load_dh_file(pool_config->ssl_dh_params_file);
>>         if (!dh)
>>                 dh = load_dh_buffer(FILE_DH2048, sizeof(FILE_DH2048));
>>         if (!dh)
>>         {
>>                 ereport(WARNING,
>>                                 (errmsg("DH: could not load DH parameters")));
>>                 return false;
>>         }
>> :
>> :
>> ===================================================================
>>
>> The ereport message is printed when the built-in DH parameter file is
>> broken. But as long as the source file is fine, it would never happen.
>>
>> Maybe we should fix the code above so that it emits ereport when it
>> fails to load the DH parameter file specified by ssl_dh_params_file?
>>
>> Regards,
>> --
>> Tatsuo Ishii
>> SRA OSS K.K.
>> English: http://www.sraoss.co.jp/index_en/
>> Japanese: http://www.sraoss.co.jp
>>

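The fixture and the check the ssl_ca_cert swap test relies on, written here as an added example and not taken from the pgpool regression suite: two throw-away CAs, a client certificate signed by the first, and a local verification of which CA the client certificate chains to. It assumes only the openssl command line tool; the names ca1, ca2 and client, and the temporary work directory, are invented for the example.

```shell
#!/bin/sh
# Added example (not part of pgpool's regression suite): build the two-CA
# fixture the thread describes and check which CA a client cert chains to,
# independent of pgpool. Assumes the openssl CLI is on PATH; every file
# name here is made up for the example.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed CA, written as $WORK/NAME.key and $WORK/NAME.crt
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# make_client_cert NAME CA: client key and cert for CN=NAME, signed by CA
make_client_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 2 -in "$WORK/$1.csr" \
        -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" -CAcreateserial \
        -out "$WORK/$1.crt" 2>/dev/null
}

# chains_to CERT CA: succeeds when CERT verifies against CA alone, i.e. what
# a server whose ssl_ca_cert is CA accepts; fails otherwise, which is the
# situation in which the server answers the handshake with "unknown ca".
chains_to() {
    openssl verify -CAfile "$WORK/$2.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# expect_accept / expect_reject CERT CA: the two assertions the regression
# test makes before and after the reload, reported as pass/fail lines.
expect_accept() {
    if chains_to "$1" "$2"; then echo "ok: $1 accepted with $2"; return 0; fi
    echo "FAIL: $1 rejected with $2 (fixture or CA file is wrong)"; return 1
}
expect_reject() {
    if chains_to "$1" "$2"; then echo "FAIL: $1 still accepted with $2"; return 1; fi
    echo "ok: $1 rejected with $2"; return 0
}

make_ca ca1
make_ca ca2
make_client_cert client ca1

# before the reload ssl_ca_cert points at ca1 ...
expect_accept client ca1
# ... and after swapping it to ca2 and reloading, the same cert must fail
expect_reject client ca2
```

If `expect_accept client ca1` already fails here, the fixture or the CA file handed to pgpool is wrong and no reload logic is involved yet; that is also what the log above shows, since the `unknown ca` alert from `SSL_accept` means the certificate the client presented does not chain to the CA pgpool was started with.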

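On the DH parameter point raised earlier in the thread, the quoted initialize_dh() only warns when both the configured file and the built-in parameters fail, so an unreadable or malformed ssl_dh_params_file falls back to the built-in group without any message. The following is an added example, not pgpool code, of the check an operator can run before sending SIGHUP; it assumes the openssl command line tool, and the file names and the dh_params_status / check_dh_config helpers are invented for the example.

```shell
#!/bin/sh
# Added example (not pgpool code): a preflight for ssl_dh_params_file that
# reports what initialize_dh() in the quoted snippet does not, namely that a
# configured file could not be loaded and the built-in parameters would be
# used instead. Assumes the openssl CLI is on PATH; all paths are made up.
set -e

# dh_params_status PATH: prints one of
#   builtin  : PATH is empty, the built-in parameters are the intended choice
#   ok       : PATH parses as DH parameters
#   fallback : PATH is set but unreadable or not DH parameters; pgpool would
#              use the built-in group here without any warning
dh_params_status() {
    if [ -z "$1" ]; then
        echo builtin
    elif [ -r "$1" ] && openssl dhparam -in "$1" -noout >/dev/null 2>&1; then
        echo ok
    else
        echo fallback
    fi
}

# check_dh_config PATH: the ereport-style warning the thread proposes, as a
# preflight that returns 1 whenever pgpool would silently fall back.
check_dh_config() {
    status=$(dh_params_status "$1")
    case $status in
        fallback)
            echo "WARNING: could not load DH parameters from '$1'; built-in parameters would be used" >&2
            return 1 ;;
        *)
            echo "ssl_dh_params_file='$1': $status"
            return 0 ;;
    esac
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# constructed inputs: a real parameter file (deliberately tiny, for a fast
# example only, never for a server) and a file that is not DH parameters
openssl dhparam -out "$WORK/good.pem" 512 2>/dev/null
echo "not a pem file" > "$WORK/bad.pem"

check_dh_config ""                        # builtin
check_dh_config "$WORK/good.pem"          # ok
check_dh_config "$WORK/bad.pem" || :      # fallback, warning on stderr
check_dh_config "$WORK/missing.pem" || :  # fallback, warning on stderr
```

The two fallback cases are exactly the ones the current code hides: the configured path is non-empty, load_dh_file() fails, and load_dh_buffer() then succeeds, so the WARNING branch is never reached.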