Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1wCBj8-001kIO-0e for pgpool-hackers@arkaria.postgresql.org; Mon, 13 Apr 2026 07:28:58 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1wCBj6-005Klr-23 for pgpool-hackers@arkaria.postgresql.org; Mon, 13 Apr 2026 07:28:57 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1wCBj6-005Klj-16 for pgpool-hackers@lists.postgresql.org; Mon, 13 Apr 2026 07:28:57 +0000 Received: from mail-ed1-x535.google.com ([2a00:1450:4864:20::535]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.98.2) (envelope-from ) id 1wCBj4-00000000lA6-0inO for pgpool-hackers@lists.postgresql.org; Mon, 13 Apr 2026 07:28:56 +0000 Received: by mail-ed1-x535.google.com with SMTP id 4fb4d7f45d1cf-66f8f556f39so5412071a12.0 for ; Mon, 13 Apr 2026 00:28:54 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1776065333; cv=none; d=google.com; s=arc-20240605; b=MptYc1OLzJ0fJMDh7lMxobOPCYVrJmJAtWXi2afeLxPAI48hrONfioBJhlve2t6YT4 BRqKanjMQ7ZRgIMs2MkJf8t/9LoI0U51pTxICJBeLgYM7E/hwctw5ipxoY0J02aN4r8O 2E6/8WPo9BP5ZhAt7KeiCahjY0+Mm30klpaHJ3R8F13rVY24239ddnVhrN3zVd8GWmp/ 1zjXzJ0RjmxM3SZI37jGUrn9TGlPe1YmXIHNn0oOYJFevMlmzqKAkVqj5cr6HKN4J7Ot tOeuw8+c1p0mBVF9n+dzMrsfgJOWafai0VxdPsyZ94Jp8fkrX1MW+qDyLzXA9xUiHV+B wipA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=+iv6yaqYDFkuzY4BxQyRHmcTAgQn+YoCGp5dgRWk+/E=; fh=ezhJnRV8pHRdUaCIYchx+Ef2bTm8AeXwuFPXRypV9eM=; b=kbsj6BgRi20HO7XtRdLe+JCAtJyFWpFDrc2e2L5Dpia6T4VPm1vIEeKfHco02YfJaZ ygdFU7PEz7EXLT7i84Je2bDlpDRmbsQ5yFmyhrVcrsHioZRBlisCY2Y7F+8UqP1cJKR4 HsN8jfIYGo9recYRIASKftsELxz6zNGo7Teb/1xvf0kBafFBqbh2uYUt5bmsNnv1gXRb JnCLRxSyrOjzRPnq3oVrSLUxUnYKEVT3tO5ZHH6IowNBicW4S6hY+VOPNhPmnMTrmLiu RHX9KRK9bTWXL5G/5PKqJFkuh8DLeBp8gjc7eYgXMMOVPXUmlMzS0V0TXrGaPPpGsiyR Kk+Q==; darn=lists.postgresql.org ARC-Authentication-Results: i=1; mx.google.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1776065333; x=1776670133; darn=lists.postgresql.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=+iv6yaqYDFkuzY4BxQyRHmcTAgQn+YoCGp5dgRWk+/E=; b=jB26DsRwgejARqKKHP6Q2k9mj0xphFSv0dikUzPFip+h7WxQkqPlVGJpUqAeOHwnM3 IfZ+DKkU1HOvmK/TDC1tR7VNV0tMxrOy0Q2eF8BRp8F/1XraXqklEROWYS9ANz+afKts 3lgpnefL/E6FR9MQzOFV3koxnM3Cp8Shuv1Ixq5pUVdxb8m3/C2VpsQmN4Jq9DUjsrpm YuMu2tVm3aLvBKYGTWe5vpAsQiiWvrxTvyf6eINBG37aYFQ/0j+2ng4yxFL8w9AdLPit kYEQxclGJ18TK8Y8YvR9NJjtBmSPqtYbKRZlDY6GNBJah4444imgSFMmkY6mXt857Yb3 tJWw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1776065333; x=1776670133; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=+iv6yaqYDFkuzY4BxQyRHmcTAgQn+YoCGp5dgRWk+/E=; b=g5ChnLDiXI3TScB7XmShmSr1nBzYH3HVYpOXpxIpErJacCucV+03N+KXPUnCS2v5+o 57CfdyaWEdTDH5jfP2Un4z8a3p0jUPqOM4g1ED/WlDLoHN4HB8vQ6IWFmMyjFqdVokIg VO8vYlmmuCfxA0frb8zXevTmuhhDFSmz9+nQqUzEYJ3evhNFZP351+s3JhHlcJ9QRTzE l+XLLk2NWUpFyqIy66qnV8OK9YjDEV/GdJ91Jec2B6yGTU4qs1GLkxWeV4zKi312fw/V JkaukgyuxKafz+PgVamF5hHMAW4A0G8RKzDPqkOSvwgdLYWZr6qs1u8QcePXAf6+Mv0c k4wA== X-Gm-Message-State: AOJu0YyHlucv/5Yo7sFunZyX26BHl452IPLzNsvESE2cxT6h2DkXjRmk BgnRhTg1BBZjrOzY8zpAhpHBW6Bfr1XkMFgi/9ZfPZj27R37sc53hLfd2As6SJJG/qDxsfHHx+g 0O1jqLz1jqo8W/8MbHYZRaiwL8muLGSYAmP1j X-Gm-Gg: AeBDiet9XF8JvfzuZCyz79UIJQ+MU9SrN1E2R+JrBBZtnVtCvIKBxwuhFQIeYB2VyhJ vl8x4TQyLpz/KOyj6qdbrB1eV8FUg/WTboOEI/PlFXktN/WRm2+IU8OB9WNzQrIMTAiNk2lympX 4OK1UO/2E1uAWKIHXz2AlOpZfRD03bW7UoHZc2woIlhzY1YsLlobQP+im19aC2zP4l2TB4nNn9N Ou4k19U++cbPLpDJe6lvbxlq/TQZmPArN8NINjDEGTkkoPDt5j9fTFZ3hizQKDaP8N2K60qUmpU K9XpbunjCi/euAUu X-Received: by 2002:a17:907:ca2a:b0:b8f:e98b:4952 with SMTP id a640c23a62f3a-b9d729bd5a9mr461724566b.41.1776065332862; Mon, 13 Apr 2026 00:28:52 -0700 (PDT) MIME-Version: 1.0 References: <20260331.184832.554536681926821839.ishii@postgresql.org> <20260401.180542.2251969369195681939.ishii@postgresql.org> In-Reply-To: From: Bob Ross Date: Mon, 13 Apr 2026 09:28:40 +0200 X-Gm-Features: AQROBzCqCQmI8dzmBRwojRllFKiG3OCZ7_42Eujk1RVVjSshc9EbpMN_1acCu-M Message-ID: Subject: Re: Rotate SSL certificates on reload (SIGHUP) without restart To: Tatsuo Ishii Cc: "pgpool-hackers@lists.postgresql.org" Content-Type: multipart/alternative; boundary="0000000000004361f3064f526f0b" List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --0000000000004361f3064f526f0b Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Hi Tatsuo, Please let me know if you need any assistance with updating your test cases. I am be happy to help. Thanks, Bob On Thu, Apr 2, 2026 at 9:57=E2=80=AFPM Bob Ross = wrote: > Hi Tatsuo, > > Thanks for putting together the regression tests. > > Thoughts on your questions: > - CA Certificates - Yes, adding a cert auth test is highly recommended. W= e > could test this by generating two different dummy CA certificates. Start > pgpool trusting CA #1, swap the config to CA #2, reload and verify if > client connection correctly gets rejected. > - DH parameters - perhaps we can test this by providing a non-existent > file path and then use grep to check pgpool.log for specific warning > message (per pool_ssl.c it=E2=80=99s =E2=80=9CDH: could not load DH param= eters=E2=80=9D) when > pgpool tries to load the file. > > Regards, > Bob > > > On Wednesday, April 1, 2026, Tatsuo Ishii wrote: > >> Hi Bob, >> >> > Hi Tatsuo, >> > >> > Thanks for double-checking! Please feel free to go ahead and write the >> > regression tests if you're up for it. I'd really appreciate the help. >> >> I have written the first version of the regression test. This test >> performs: >> >> 1. Set bad value (fixed string "bad_value") to a config param and >> restart pgpool so that SSL connection does not establish between >> client and pgpool. >> >> 2. Set good value to the config and reload pgpool so that SSL >> connection establishes. >> >> The test is run against: >> ssl_cert >> ssl_ciphers >> ssl_crl_file >> ssl_ecdh_curve >> ssl_key >> >> It does not test ssl_ca_cert and ssl_ca_cert_dir because the test is >> based on 023.ssl_connection which does not check cert auth. Should we >> test cert auth as well? >> >> Also this does not test followings: >> >> - ssl_dh_params_file >> If bad value is set to the parameter, it falls back to a builtin >> value. So it is not possible to set a bad value to the parameter. >> Do you have an idea to test this? >> >> - ssl_passphrase_command >> Our cert does not require pass passphrase. >> >> - ssl_prefer_server_ciphers >> This only affects server side (backend) ciphers. The test only tests >> SSL connection between client and pgpool. >> >> Attached is the v1 patch including your patch (I have remove "-----" >> from your commit message. Otherwise the commit message cuts in the >> middle) and the test script. >> What do you think? >> >> Regards, >> -- >> Tatsuo Ishii >> SRA OSS K.K. >> English: http://www.sraoss.co.jp/index_en/ >> Japanese:http://www.sraoss.co.jp >> > --0000000000004361f3064f526f0b Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Hi Tatsuo,

Please let me know if you ne= ed any assistance with updating your test cases. I am be happy to help.

Thanks,
Bob


<= div class=3D"gmail_quote gmail_quote_container">
On Thu, Apr 2, 2026 at 9:57=E2=80=AFPM Bob Ross <bob.ross.19821@gmail.com> wrote:
=
Hi Tatsuo,=C2=A0
Thanks for putting together the regression tests.=C2=A0

Thoughts on your questions:=C2=A0
- CA Cer= tificates - Yes, adding a cert auth test is highly recommended. We could te= st this by generating two different dummy CA certificates. Start pgpool tru= sting CA #1, swap the config to CA #2, reload and verify if client connecti= on correctly gets rejected.=C2=A0
- DH parameters - perhaps we ca= n test this by providing a non-existent file path and then use grep to chec= k pgpool.log for specific warning message (per pool_ssl.c it=E2=80=99s =E2= =80=9CDH: could not load DH parameters=E2=80=9D) when pgpool tries to load = the file.=C2=A0

Regards,
Bob
<= br>

On Wednesday, April 1, 2026, Tatsuo Ishii <= ishii@postgresql.= org> wrote:
Hi = Bob,

> Hi Tatsuo,
>
> Thanks for double-checking! Please feel free to go ahead and write the=
> regression tests if you're up for it. I'd really appreciate th= e help.

I have written the first version of the regression test. This test
performs:

1. Set bad value (fixed string "bad_value") to a config param and=
=C2=A0 =C2=A0restart pgpool so that SSL connection does not establish betwe= en
=C2=A0 =C2=A0client and pgpool.

2. Set good value to the config and reload pgpool so that SSL
=C2=A0 =C2=A0connection establishes.

The test is run against:
ssl_cert
ssl_ciphers
ssl_crl_file
ssl_ecdh_curve
ssl_key

It does not test ssl_ca_cert and ssl_ca_cert_dir because the test is
based on 023.ssl_connection which does not check cert auth. Should we
test cert auth as well?

Also this does not test followings:

- ssl_dh_params_file
If bad value is set to the parameter, it falls back to a builtin
value. So it is not possible to set a bad value to the parameter.
Do you have an idea to test this?

- ssl_passphrase_command
Our cert does not require pass passphrase.

- ssl_prefer_server_ciphers
This only affects server side (backend) ciphers. The test only tests
SSL connection between client and pgpool.

Attached is the v1 patch including your patch (I have remove "-----&qu= ot;
from your commit message. Otherwise the commit message cuts in the
middle)=C2=A0 and the test script.
What do you think?

Regards,
--
Tatsuo Ishii
SRA OSS K.K.
English: ht= tp://www.sraoss.co.jp/index_en/
Japanese:http://www.s= raoss.co.jp
--0000000000004361f3064f526f0b--