MIME-Version: 1.0
References: <20260326.170716.601660341897872041.ishii@postgresql.org>
 <20260326.191902.1769703442358463290.ishii@postgresql.org>
 <CAHtZvrfap1R6+D=KsfE1iPU6_reGaPyf=m_GryEUNrNWe0KYbg@mail.gmail.com>
 <20260331.184832.554536681926821839.ishii@postgresql.org>
In-Reply-To: <20260331.184832.554536681926821839.ishii@postgresql.org>
From: Bob Ross <bob.ross.19821@gmail.com>
Date: Tue, 31 Mar 2026 11:53:55 +0200
Message-ID: 
 <CAHtZvrcEFdHnOERL6s6GmEAYe3wcNMjfY0FvT9QYcwgUquOmpw@mail.gmail.com>
Subject: Re: Rotate SSL certificates on reload (SIGHUP) without restart
To: Tatsuo Ishii <ishii@postgresql.org>
Cc: pgpool-hackers@lists.postgresql.org
Content-Type: multipart/alternative; boundary="000000000000cf9e9d064e4ef227"
Archived-At: 
 <https://www.postgresql.org/message-id/CAHtZvrcEFdHnOERL6s6GmEAYe3wcNMjfY0FvT9QYcwgUquOmpw%40mail.gmail.com>
Precedence: bulk

--000000000000cf9e9d064e4ef227
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi Tatsuo,

Thanks for double-checking! Please feel free to go ahead and write the
regression tests if you're up for it. I'd really appreciate the help.

Regards,
Bob

On Tue, Mar 31, 2026 at 11:48=E2=80=AFAM Tatsuo Ishii <ishii@postgresql.org=
> wrote:

> > Hi Tatsuo,
> >
> > I believe no additional changes are needed for healthcheck and streamin=
g
> > replication check.
> >
> > My patch focuses on the frontend-accept path, where SSL_ServerSide_init=
()
> > maintains a process-wide cached SSL_frontend_context reused across
> incoming
> > TLS handshakes, and therefore must be explicitly refreshed on reload.
> >
> > In contrast, the health check (src/main/health_check.c) and the SR chec=
k
> > worker (src/streaming_replication/pool_worker_child.c) establish outgoi=
ng
> > connections to PostgreSQL backends via pool_ssl_negotiate_clientserver(=
).
> > This invokes init_ssl_ctx() for each new connection, creating a fresh
> > SSL_CTX and reading SSL-related settings (ssl_cert, ssl_key, ssl_ca_cer=
t,
> > etc.) directly from pool_config at connection time. There is no
> long-lived
> > SSL context to refresh in these processes.
> >
> > Given that the SSL configuration parameters are now marked as
> CFGCXT_RELOAD
> > in src/config/pool_config_variables.c, a SIGHUP causes both processes t=
o
> > reload pool_config via their respective reload_config() functions. As a
> > result, subsequent outgoing backend connections will naturally pick up
> the
> > updated certificate settings.
>
> Thank you for the explanation. Yes, health check and SR check worker
> establish connection to backend every time they need. I should have
> remembered that.
>
> I am going to write a regression test for this feature unless you are
> willing to work on it.
>
> Regards,
> --
> Tatsuo Ishii
> SRA OSS K.K.
> English: http://www.sraoss.co.jp/index_en/
> Japanese:http://www.sraoss.co.jp
>

--000000000000cf9e9d064e4ef227
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Hi Tatsuo,<br><br>Thanks for double-checking! Please feel =
free to go ahead and write the regression tests if you&#39;re up for it. I&=
#39;d really appreciate the help.<br><br>Regards,<br>Bob</div><br><div clas=
s=3D"gmail_quote gmail_quote_container"><div dir=3D"ltr" class=3D"gmail_att=
r">On Tue, Mar 31, 2026 at 11:48=E2=80=AFAM Tatsuo Ishii &lt;<a href=3D"mai=
lto:ishii@postgresql.org">ishii@postgresql.org</a>&gt; wrote:<br></div><blo=
ckquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left=
:1px solid rgb(204,204,204);padding-left:1ex">&gt; Hi Tatsuo,<br>
&gt; <br>
&gt; I believe no additional changes are needed for healthcheck and streami=
ng<br>
&gt; replication check.<br>
&gt; <br>
&gt; My patch focuses on the frontend-accept path, where SSL_ServerSide_ini=
t()<br>
&gt; maintains a process-wide cached SSL_frontend_context reused across inc=
oming<br>
&gt; TLS handshakes, and therefore must be explicitly refreshed on reload.<=
br>
&gt; <br>
&gt; In contrast, the health check (src/main/health_check.c) and the SR che=
ck<br>
&gt; worker (src/streaming_replication/pool_worker_child.c) establish outgo=
ing<br>
&gt; connections to PostgreSQL backends via pool_ssl_negotiate_clientserver=
().<br>
&gt; This invokes init_ssl_ctx() for each new connection, creating a fresh<=
br>
&gt; SSL_CTX and reading SSL-related settings (ssl_cert, ssl_key, ssl_ca_ce=
rt,<br>
&gt; etc.) directly from pool_config at connection time. There is no long-l=
ived<br>
&gt; SSL context to refresh in these processes.<br>
&gt; <br>
&gt; Given that the SSL configuration parameters are now marked as CFGCXT_R=
ELOAD<br>
&gt; in src/config/pool_config_variables.c, a SIGHUP causes both processes =
to<br>
&gt; reload pool_config via their respective reload_config() functions. As =
a<br>
&gt; result, subsequent outgoing backend connections will naturally pick up=
 the<br>
&gt; updated certificate settings.<br>
<br>
Thank you for the explanation. Yes, health check and SR check worker<br>
establish connection to backend every time they need. I should have<br>
remembered that.<br>
<br>
I am going to write a regression test for this feature unless you are<br>
willing to work on it.<br>
<br>
Regards,<br>
--<br>
Tatsuo Ishii<br>
SRA OSS K.K.<br>
English: <a href=3D"http://www.sraoss.co.jp/index_en/" rel=3D"noreferrer" t=
arget=3D"_blank">http://www.sraoss.co.jp/index_en/</a><br>
Japanese:<a href=3D"http://www.sraoss.co.jp" rel=3D"noreferrer" target=3D"_=
blank">http://www.sraoss.co.jp</a><br>
</blockquote></div>

--000000000000cf9e9d064e4ef227--