public inbox for [email protected]
help / color / mirror / Atom feedRotate SSL certificates on reload (SIGHUP) without restart
21+ messages / 2 participants
[nested] [flat]
* Rotate SSL certificates on reload (SIGHUP) without restart
@ 2025-10-23 05:02 Bob Ross <[email protected]>
2025-10-24 04:44 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
0 siblings, 1 reply; 21+ messages in thread
From: Bob Ross @ 2025-10-23 05:02 UTC (permalink / raw)
To: [email protected]
Hello,
Please consider adding support for rotating SSL certificates on reloading
pgpool2 (i.e., sending SIGHUP to the pgpool parent), so that certificate
rotations do not require a full service restart. PostgreSQL can pick up new
certificates on reload/SIGHUP; pgpool currently requires a restart, which
causes connection disruptions.
*Current behavior:*
- Replace certificate/key files used by pgpool (e.g., server.crt,
server.key, related CA chain).
- Run systemctl reload pgpool2 (send SIGHUP to the pgpool parent).
- Observations: Existing and new client connections continue to present
the old certificate. Only systemctl restart pgpool2 applies the new certs
(causing connection interruptions).
*Expected behavior:*
- After systemctl reload pgpool2 / SIGHUP, pgpool should re-read
SSL-related configuration (server cert, private key, chain/CA, CRL if
configured) and use them for new client connections, without requiring a
full restart.
- Existing connections can continue with the old context; only new
handshakes should use the updated materials.
- If reload fails, log a clear error and keep using the previous context
to avoid breaking clients.
- Consider parity with PostgreSQL’s SIGHUP behavior for certificate
reloads where feasible.
Regards,
Bob Ross
^ permalink raw reply [nested|flat] 21+ messages in thread
* Re: Rotate SSL certificates on reload (SIGHUP) without restart
2025-10-23 05:02 Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
@ 2025-10-24 04:44 ` Tatsuo Ishii <[email protected]>
2026-03-16 09:20 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
0 siblings, 1 reply; 21+ messages in thread
From: Tatsuo Ishii @ 2025-10-24 04:44 UTC (permalink / raw)
To: [email protected]; +Cc: [email protected]
> Hello,
>
> Please consider adding support for rotating SSL certificates on reloading
> pgpool2 (i.e., sending SIGHUP to the pgpool parent), so that certificate
> rotations do not require a full service restart. PostgreSQL can pick up new
> certificates on reload/SIGHUP; pgpool currently requires a restart, which
> causes connection disruptions.
>
> *Current behavior:*
>
> - Replace certificate/key files used by pgpool (e.g., server.crt,
> server.key, related CA chain).
> - Run systemctl reload pgpool2 (send SIGHUP to the pgpool parent).
> - Observations: Existing and new client connections continue to present
> the old certificate. Only systemctl restart pgpool2 applies the new certs
> (causing connection interruptions).
Yes, that's the current behavior as described in the docs.
> *Expected behavior:*
>
> - After systemctl reload pgpool2 / SIGHUP, pgpool should re-read
> SSL-related configuration (server cert, private key, chain/CA, CRL if
> configured) and use them for new client connections, without requiring a
> full restart.
Doable but needs major surgery to the SSL subsystem
(src/utils/pool_ssl.c) as it assumes that SSL configurations are never
changed until restarting.
> - Existing connections can continue with the old context; only new
> handshakes should use the updated materials.
Probably doable.
> - If reload fails, log a clear error and keep using the previous context
> to avoid breaking clients.
> - Consider parity with PostgreSQL’s SIGHUP behavior for certificate
> reloads where feasible.
Not sure if it's doable. Needs more research on current code.
BTW, PostgreSQL behaves interestingly.
# "server.key" is the correct ssl_key_file.
test=# show ssl_key_file;
ssl_key_file
--------------
server.key
(1 row)
test=# \q
t-ishii$ psql -p 11002 -h localhost test
psql (18.0)
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, compression: off, ALPN: postgresql)
Type "help" for help.
# Change ssl_key_file to "server.key1" which does not exists.
# and reload
t-ishii$ pg_ctl -D data0 reload
server signaled
# keep on using SSL connection
t-ishii$ psql -p 11002 -h localhost test
psql (18.0)
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, compression: off, ALPN: postgresql)
Type "help" for help.
# It seems PostgreSQL keep on using th previous ssl_key_file value,
# but it shows the new ssl_key_file value.
test=# show ssl_key_file;
ssl_key_file
--------------
server.key1
(1 row)
Best regards,
--
Tatsuo Ishii
SRA OSS K.K.
English: http://www.sraoss.co.jp/index_en/
Japanese:http://www.sraoss.co.jp
^ permalink raw reply [nested|flat] 21+ messages in thread
* Re: Rotate SSL certificates on reload (SIGHUP) without restart
2025-10-23 05:02 Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2025-10-24 04:44 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
@ 2026-03-16 09:20 ` Bob Ross <[email protected]>
2026-03-19 10:22 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
0 siblings, 1 reply; 21+ messages in thread
From: Bob Ross @ 2026-03-16 09:20 UTC (permalink / raw)
To: Tatsuo Ishii <[email protected]>; +Cc: [email protected]
Hi Tatsuo,
Have there been any further considerations regarding changes to the pgPool
codebase to support SSL certificate rotation on reload?
As DigiCert has announced last year (
https://www.digicert.com/blog/tls-certificate-lifetimes-will-officially-reduce-to-47-days),
TLS/SSL certificate lifetimes will be reduced progressively in the coming
years, with the industry moving toward much shorter validity periods. This
makes the current requirement to fully restart the service for certificate
renewal increasingly impractical.
Please let us know whether this enhancement is being considered, or if
there are any plans or timelines for addressing it.
Regards,
Bob
On Fri, Oct 24, 2025 at 6:44 AM Tatsuo Ishii <[email protected]> wrote:
> > Hello,
> >
> > Please consider adding support for rotating SSL certificates on reloading
> > pgpool2 (i.e., sending SIGHUP to the pgpool parent), so that certificate
> > rotations do not require a full service restart. PostgreSQL can pick up
> new
> > certificates on reload/SIGHUP; pgpool currently requires a restart, which
> > causes connection disruptions.
> >
> > *Current behavior:*
> >
> > - Replace certificate/key files used by pgpool (e.g., server.crt,
> > server.key, related CA chain).
> > - Run systemctl reload pgpool2 (send SIGHUP to the pgpool parent).
> > - Observations: Existing and new client connections continue to
> present
> > the old certificate. Only systemctl restart pgpool2 applies the new
> certs
> > (causing connection interruptions).
>
> Yes, that's the current behavior as described in the docs.
>
> > *Expected behavior:*
> >
> > - After systemctl reload pgpool2 / SIGHUP, pgpool should re-read
> > SSL-related configuration (server cert, private key, chain/CA, CRL if
> > configured) and use them for new client connections, without
> requiring a
> > full restart.
>
> Doable but needs major surgery to the SSL subsystem
> (src/utils/pool_ssl.c) as it assumes that SSL configurations are never
> changed until restarting.
>
> > - Existing connections can continue with the old context; only new
> > handshakes should use the updated materials.
>
> Probably doable.
>
> > - If reload fails, log a clear error and keep using the previous
> context
> > to avoid breaking clients.
> > - Consider parity with PostgreSQL’s SIGHUP behavior for certificate
> > reloads where feasible.
>
> Not sure if it's doable. Needs more research on current code.
>
> BTW, PostgreSQL behaves interestingly.
>
> # "server.key" is the correct ssl_key_file.
>
> test=# show ssl_key_file;
> ssl_key_file
> --------------
> server.key
> (1 row)
>
> test=# \q
> t-ishii$ psql -p 11002 -h localhost test
> psql (18.0)
> SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384,
> compression: off, ALPN: postgresql)
> Type "help" for help.
>
> # Change ssl_key_file to "server.key1" which does not exists.
> # and reload
>
> t-ishii$ pg_ctl -D data0 reload
> server signaled
>
> # keep on using SSL connection
>
> t-ishii$ psql -p 11002 -h localhost test
> psql (18.0)
> SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384,
> compression: off, ALPN: postgresql)
> Type "help" for help.
>
> # It seems PostgreSQL keep on using th previous ssl_key_file value,
> # but it shows the new ssl_key_file value.
>
> test=# show ssl_key_file;
> ssl_key_file
> --------------
> server.key1
> (1 row)
>
> Best regards,
> --
> Tatsuo Ishii
> SRA OSS K.K.
> English: http://www.sraoss.co.jp/index_en/
> Japanese:http://www.sraoss.co.jp
>
^ permalink raw reply [nested|flat] 21+ messages in thread
* Re: Rotate SSL certificates on reload (SIGHUP) without restart
2025-10-23 05:02 Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2025-10-24 04:44 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-16 09:20 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
@ 2026-03-19 10:22 ` Tatsuo Ishii <[email protected]>
2026-03-25 11:04 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
0 siblings, 1 reply; 21+ messages in thread
From: Tatsuo Ishii @ 2026-03-19 10:22 UTC (permalink / raw)
To: [email protected]; +Cc: [email protected]
Hi Bob,
> Hi Tatsuo,
>
> Have there been any further considerations regarding changes to the pgPool
> codebase to support SSL certificate rotation on reload?
>
> As DigiCert has announced last year (
> https://www.digicert.com/blog/tls-certificate-lifetimes-will-officially-reduce-to-47-days),
> TLS/SSL certificate lifetimes will be reduced progressively in the coming
> years, with the industry moving toward much shorter validity periods. This
> makes the current requirement to fully restart the service for certificate
> renewal increasingly impractical.
>
> Please let us know whether this enhancement is being considered, or if
> there are any plans or timelines for addressing it.
I just have too many things to do for now (fixing bugs and evaluating
proposed patches), and I cannot estimate timelines for this. Plus, I
am not super familiar with this are (SSL). If you could provide
patches for this, it would greatly help me.
Best regards,
--
Tatsuo Ishii
SRA OSS K.K.
English: http://www.sraoss.co.jp/index_en/
Japanese:http://www.sraoss.co.jp
^ permalink raw reply [nested|flat] 21+ messages in thread
* Re: Rotate SSL certificates on reload (SIGHUP) without restart
2025-10-23 05:02 Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2025-10-24 04:44 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-16 09:20 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-03-19 10:22 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
@ 2026-03-25 11:04 ` Bob Ross <[email protected]>
2026-03-26 08:07 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
0 siblings, 1 reply; 21+ messages in thread
From: Bob Ross @ 2026-03-25 11:04 UTC (permalink / raw)
To: Tatsuo Ishii <[email protected]>; +Cc: [email protected]
Hi Tatsuo,
Please find the attached patch that implements this feature. This patch
allows Pgpool-II to pick up rotated TLS certificates upon receiving a
SIGHUP without a restart, aligning its behavior with PG 12+.
As this is my first time contributing to the Pgpool-II project, please bear
with me if I missed any specific formatting or submission conventions. I am
happy to make any necessary adjustments to the code.
Thanks,
Bob
On Thu, Mar 19, 2026 at 11:22 AM Tatsuo Ishii <[email protected]> wrote:
> Hi Bob,
>
> > Hi Tatsuo,
> >
> > Have there been any further considerations regarding changes to the
> pgPool
> > codebase to support SSL certificate rotation on reload?
> >
> > As DigiCert has announced last year (
> >
> https://www.digicert.com/blog/tls-certificate-lifetimes-will-officially-reduce-to-47-days
> ),
> > TLS/SSL certificate lifetimes will be reduced progressively in the coming
> > years, with the industry moving toward much shorter validity periods.
> This
> > makes the current requirement to fully restart the service for
> certificate
> > renewal increasingly impractical.
> >
> > Please let us know whether this enhancement is being considered, or if
> > there are any plans or timelines for addressing it.
>
> I just have too many things to do for now (fixing bugs and evaluating
> proposed patches), and I cannot estimate timelines for this. Plus, I
> am not super familiar with this are (SSL). If you could provide
> patches for this, it would greatly help me.
>
> Best regards,
> --
> Tatsuo Ishii
> SRA OSS K.K.
> English: http://www.sraoss.co.jp/index_en/
> Japanese:http://www.sraoss.co.jp
>
Attachments:
[application/octet-stream] 0001-feat-reload-SSL-certificates-on-SIGHUP.c (7.2K, 3-0001-feat-reload-SSL-certificates-on-SIGHUP.c)
download
^ permalink raw reply [nested|flat] 21+ messages in thread
* Re: Rotate SSL certificates on reload (SIGHUP) without restart
2025-10-23 05:02 Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2025-10-24 04:44 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-16 09:20 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-03-19 10:22 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-25 11:04 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
@ 2026-03-26 08:07 ` Tatsuo Ishii <[email protected]>
2026-03-26 10:19 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
0 siblings, 1 reply; 21+ messages in thread
From: Tatsuo Ishii @ 2026-03-26 08:07 UTC (permalink / raw)
To: [email protected]; +Cc: [email protected]
Hi Bob,
> Hi Tatsuo,
>
> Please find the attached patch that implements this feature. This patch
> allows Pgpool-II to pick up rotated TLS certificates upon receiving a
> SIGHUP without a restart, aligning its behavior with PG 12+.
> As this is my first time contributing to the Pgpool-II project, please bear
> with me if I missed any specific formatting or submission conventions. I am
> happy to make any necessary adjustments to the code.
Thank you for the patch! I will look into the patch.
Regards,
--
Tatsuo Ishii
SRA OSS K.K.
English: http://www.sraoss.co.jp/index_en/
Japanese:http://www.sraoss.co.jp
^ permalink raw reply [nested|flat] 21+ messages in thread
* Re: Rotate SSL certificates on reload (SIGHUP) without restart
2025-10-23 05:02 Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2025-10-24 04:44 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-16 09:20 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-03-19 10:22 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-25 11:04 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-03-26 08:07 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
@ 2026-03-26 10:19 ` Tatsuo Ishii <[email protected]>
2026-03-27 18:16 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
0 siblings, 1 reply; 21+ messages in thread
From: Tatsuo Ishii @ 2026-03-26 10:19 UTC (permalink / raw)
To: [email protected]; +Cc: [email protected]
Hi Bob,
> Thank you for the patch! I will look into the patch.
I skimmed through the patch. You changed main.c and child.c to call
SSL_ServerSide_init() so that they reload new SSL parameters. However,
in Pgpool-II there are two more places which could use SSL connection
to PostgreSQL server: health check and streaming replication check. I
suspect they need to call SSL_ServerSide_init() while reloading the
config file. What do you think?
Regards,
--
Tatsuo Ishii
SRA OSS K.K.
English: http://www.sraoss.co.jp/index_en/
Japanese:http://www.sraoss.co.jp
^ permalink raw reply [nested|flat] 21+ messages in thread
* Re: Rotate SSL certificates on reload (SIGHUP) without restart
2025-10-23 05:02 Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2025-10-24 04:44 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-16 09:20 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-03-19 10:22 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-25 11:04 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-03-26 08:07 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-26 10:19 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
@ 2026-03-27 18:16 ` Bob Ross <[email protected]>
2026-03-31 09:48 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
0 siblings, 1 reply; 21+ messages in thread
From: Bob Ross @ 2026-03-27 18:16 UTC (permalink / raw)
To: Tatsuo Ishii <[email protected]>; +Cc: [email protected]
Hi Tatsuo,
I believe no additional changes are needed for healthcheck and streaming
replication check.
My patch focuses on the frontend-accept path, where SSL_ServerSide_init()
maintains a process-wide cached SSL_frontend_context reused across incoming
TLS handshakes, and therefore must be explicitly refreshed on reload.
In contrast, the health check (src/main/health_check.c) and the SR check
worker (src/streaming_replication/pool_worker_child.c) establish outgoing
connections to PostgreSQL backends via pool_ssl_negotiate_clientserver().
This invokes init_ssl_ctx() for each new connection, creating a fresh
SSL_CTX and reading SSL-related settings (ssl_cert, ssl_key, ssl_ca_cert,
etc.) directly from pool_config at connection time. There is no long-lived
SSL context to refresh in these processes.
Given that the SSL configuration parameters are now marked as CFGCXT_RELOAD
in src/config/pool_config_variables.c, a SIGHUP causes both processes to
reload pool_config via their respective reload_config() functions. As a
result, subsequent outgoing backend connections will naturally pick up the
updated certificate settings.
Please let me know what you think.
Best regards,
Bob
On Thu, Mar 26, 2026 at 11:19 AM Tatsuo Ishii <[email protected]> wrote:
> Hi Bob,
>
> > Thank you for the patch! I will look into the patch.
>
> I skimmed through the patch. You changed main.c and child.c to call
> SSL_ServerSide_init() so that they reload new SSL parameters. However,
> in Pgpool-II there are two more places which could use SSL connection
> to PostgreSQL server: health check and streaming replication check. I
> suspect they need to call SSL_ServerSide_init() while reloading the
> config file. What do you think?
>
> Regards,
> --
> Tatsuo Ishii
> SRA OSS K.K.
> English: http://www.sraoss.co.jp/index_en/
> Japanese:http://www.sraoss.co.jp
>
^ permalink raw reply [nested|flat] 21+ messages in thread
* Re: Rotate SSL certificates on reload (SIGHUP) without restart
2025-10-23 05:02 Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2025-10-24 04:44 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-16 09:20 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-03-19 10:22 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-25 11:04 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-03-26 08:07 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-26 10:19 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-27 18:16 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
@ 2026-03-31 09:48 ` Tatsuo Ishii <[email protected]>
2026-03-31 09:53 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
0 siblings, 1 reply; 21+ messages in thread
From: Tatsuo Ishii @ 2026-03-31 09:48 UTC (permalink / raw)
To: [email protected]; +Cc: [email protected]
> Hi Tatsuo,
>
> I believe no additional changes are needed for healthcheck and streaming
> replication check.
>
> My patch focuses on the frontend-accept path, where SSL_ServerSide_init()
> maintains a process-wide cached SSL_frontend_context reused across incoming
> TLS handshakes, and therefore must be explicitly refreshed on reload.
>
> In contrast, the health check (src/main/health_check.c) and the SR check
> worker (src/streaming_replication/pool_worker_child.c) establish outgoing
> connections to PostgreSQL backends via pool_ssl_negotiate_clientserver().
> This invokes init_ssl_ctx() for each new connection, creating a fresh
> SSL_CTX and reading SSL-related settings (ssl_cert, ssl_key, ssl_ca_cert,
> etc.) directly from pool_config at connection time. There is no long-lived
> SSL context to refresh in these processes.
>
> Given that the SSL configuration parameters are now marked as CFGCXT_RELOAD
> in src/config/pool_config_variables.c, a SIGHUP causes both processes to
> reload pool_config via their respective reload_config() functions. As a
> result, subsequent outgoing backend connections will naturally pick up the
> updated certificate settings.
Thank you for the explanation. Yes, health check and SR check worker
establish connection to backend every time they need. I should have
remembered that.
I am going to write a regression test for this feature unless you are
willing to work on it.
Regards,
--
Tatsuo Ishii
SRA OSS K.K.
English: http://www.sraoss.co.jp/index_en/
Japanese:http://www.sraoss.co.jp
^ permalink raw reply [nested|flat] 21+ messages in thread
* Re: Rotate SSL certificates on reload (SIGHUP) without restart
2025-10-23 05:02 Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2025-10-24 04:44 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-16 09:20 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-03-19 10:22 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-25 11:04 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-03-26 08:07 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-26 10:19 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-27 18:16 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-03-31 09:48 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
@ 2026-03-31 09:53 ` Bob Ross <[email protected]>
2026-04-01 09:05 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
0 siblings, 1 reply; 21+ messages in thread
From: Bob Ross @ 2026-03-31 09:53 UTC (permalink / raw)
To: Tatsuo Ishii <[email protected]>; +Cc: [email protected]
Hi Tatsuo,
Thanks for double-checking! Please feel free to go ahead and write the
regression tests if you're up for it. I'd really appreciate the help.
Regards,
Bob
On Tue, Mar 31, 2026 at 11:48 AM Tatsuo Ishii <[email protected]> wrote:
> > Hi Tatsuo,
> >
> > I believe no additional changes are needed for healthcheck and streaming
> > replication check.
> >
> > My patch focuses on the frontend-accept path, where SSL_ServerSide_init()
> > maintains a process-wide cached SSL_frontend_context reused across
> incoming
> > TLS handshakes, and therefore must be explicitly refreshed on reload.
> >
> > In contrast, the health check (src/main/health_check.c) and the SR check
> > worker (src/streaming_replication/pool_worker_child.c) establish outgoing
> > connections to PostgreSQL backends via pool_ssl_negotiate_clientserver().
> > This invokes init_ssl_ctx() for each new connection, creating a fresh
> > SSL_CTX and reading SSL-related settings (ssl_cert, ssl_key, ssl_ca_cert,
> > etc.) directly from pool_config at connection time. There is no
> long-lived
> > SSL context to refresh in these processes.
> >
> > Given that the SSL configuration parameters are now marked as
> CFGCXT_RELOAD
> > in src/config/pool_config_variables.c, a SIGHUP causes both processes to
> > reload pool_config via their respective reload_config() functions. As a
> > result, subsequent outgoing backend connections will naturally pick up
> the
> > updated certificate settings.
>
> Thank you for the explanation. Yes, health check and SR check worker
> establish connection to backend every time they need. I should have
> remembered that.
>
> I am going to write a regression test for this feature unless you are
> willing to work on it.
>
> Regards,
> --
> Tatsuo Ishii
> SRA OSS K.K.
> English: http://www.sraoss.co.jp/index_en/
> Japanese:http://www.sraoss.co.jp
>
^ permalink raw reply [nested|flat] 21+ messages in thread
* Re: Rotate SSL certificates on reload (SIGHUP) without restart
2025-10-23 05:02 Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2025-10-24 04:44 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-16 09:20 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-03-19 10:22 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-25 11:04 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-03-26 08:07 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-26 10:19 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-27 18:16 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-03-31 09:48 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-31 09:53 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
@ 2026-04-01 09:05 ` Tatsuo Ishii <[email protected]>
2026-04-02 19:57 ` Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
0 siblings, 1 reply; 21+ messages in thread
From: Tatsuo Ishii @ 2026-04-01 09:05 UTC (permalink / raw)
To: [email protected]; +Cc: [email protected]
Hi Bob,
> Hi Tatsuo,
>
> Thanks for double-checking! Please feel free to go ahead and write the
> regression tests if you're up for it. I'd really appreciate the help.
I have written the first version of the regression test. This test
performs:
1. Set bad value (fixed string "bad_value") to a config param and
restart pgpool so that SSL connection does not establish between
client and pgpool.
2. Set good value to the config and reload pgpool so that SSL
connection establishes.
The test is run against:
ssl_cert
ssl_ciphers
ssl_crl_file
ssl_ecdh_curve
ssl_key
It does not test ssl_ca_cert and ssl_ca_cert_dir because the test is
based on 023.ssl_connection which does not check cert auth. Should we
test cert auth as well?
Also this does not test followings:
- ssl_dh_params_file
If bad value is set to the parameter, it falls back to a builtin
value. So it is not possible to set a bad value to the parameter.
Do you have an idea to test this?
- ssl_passphrase_command
Our cert does not require pass passphrase.
- ssl_prefer_server_ciphers
This only affects server side (backend) ciphers. The test only tests
SSL connection between client and pgpool.
Attached is the v1 patch including your patch (I have remove "-----"
from your commit message. Otherwise the commit message cuts in the
middle) and the test script.
What do you think?
Regards,
--
Tatsuo Ishii
SRA OSS K.K.
English: http://www.sraoss.co.jp/index_en/
Japanese:http://www.sraoss.co.jp
Attachments:
[application/octet-stream] v1-0001-Feature-reload-SSL-certificates-on-SIGHUP-without.patch (24.3K, 2-v1-0001-Feature-reload-SSL-certificates-on-SIGHUP-without.patch)
download | inline diff:
From c97fc6e9d4acb3f5071e473db3b34577f2498d59 Mon Sep 17 00:00:00 2001
From: Tatsuo Ishii <[email protected]>
Date: Wed, 1 Apr 2026 16:43:42 +0900
Subject: [PATCH v1] Feature: reload SSL certificates on SIGHUP without restart
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Allow Pgpool-II to pick up rotated TLS certificates (and any change to
SSL-related configuration) when receiving SIGHUP (i.e. systemctl reload
pgpool2), matching the behavior PostgreSQL has had since PostgreSQL 12.
Problem:
All SSL configuration parameters (ssl_cert, ssl_key, ssl_ca_cert,
ssl_ciphers, etc.) were declared CFGCXT_INIT, meaning they were silently
ignored when pool_get_config() was called under CFGCXT_RELOAD.
Furthermore, SSL_ServerSide_init() was only called once at startup in
main.c and never again, so the in-memory SSL_CTX was never refreshed.
Fix:
1. src/main/pgpool_main.c
- Include utils/pool_ssl.h.
- In reload_config(), call SSL_ServerSide_init() (guarded by
#ifdef USE_SSL) *before* kill_all_children(SIGHUP). The function
already replaces SSL_frontend_context atomically: it frees the old
SSL_CTX only after a new one has been created successfully, so a
failed reload leaves the existing context intact.
2. src/protocol/child.c
- In check_config_reload(), call SSL_ServerSide_init() (guarded by
#ifdef USE_SSL) so each worker child also refreshes its own copy of
the SSL context for subsequent new connections. In-flight TLS
sessions are unaffected because they hold a direct reference to the
SSL object, not to SSL_frontend_context.
3. src/config/pool_config_variables.c
- Change CFGCXT_INIT -> CFGCXT_RELOAD for:
ssl_prefer_server_ciphers, ssl_cert, ssl_key, ssl_ca_cert,
ssl_ca_cert_dir, ssl_crl_file, ssl_ciphers, ssl_ecdh_curve,
ssl_dh_params_file, ssl_passphrase_command.
- The 'ssl' boolean (master enable flag) is intentionally left as
CFGCXT_INIT because dynamically enabling SSL at runtime is a
larger, separate concern.
Usage after this change:
Standard in-place certificate rotation (cert-manager, ACME, manual
openssl refresh at the same path):
# replace /etc/pgpool/server.{crt,key} with new files
systemctl reload pgpool2
# or: pgpool -f /etc/pgpool/pgpool.conf reload
New connections will use the new certificates after workers process
the reload signal. Existing connections are not interrupted.
Switching to a different certificate path also works: update
pgpool.conf then reload — the new paths are now accepted in
CFGCXT_RELOAD context.
Author: Bob Ross <[email protected]>
Reviewed-by: Tatsuo Ishii <[email protected]>
Discussion: https://www.postgresql.org/message-id/flat/CAHtZvrddqfbnERYY_DqgURWCjuXeTjM0y08k-ZP_B0bAHYx2ag%40mail.gmail.com
---
src/config/pool_config_variables.c | 20 +-
src/main/pgpool_main.c | 17 ++
src/protocol/child.c | 11 +
.../regression/tests/042.ssl_reload/README | 6 +
.../tests/042.ssl_reload/server.crt | 79 ++++++++
.../tests/042.ssl_reload/server.key | 27 +++
.../tests/042.ssl_reload/server.req | 61 ++++++
.../regression/tests/042.ssl_reload/test.sh | 189 ++++++++++++++++++
8 files changed, 400 insertions(+), 10 deletions(-)
create mode 100644 src/test/regression/tests/042.ssl_reload/README
create mode 100644 src/test/regression/tests/042.ssl_reload/server.crt
create mode 100644 src/test/regression/tests/042.ssl_reload/server.key
create mode 100644 src/test/regression/tests/042.ssl_reload/server.req
create mode 100755 src/test/regression/tests/042.ssl_reload/test.sh
diff --git a/src/config/pool_config_variables.c b/src/config/pool_config_variables.c
index ce13c42f6..ca40c341a 100644
--- a/src/config/pool_config_variables.c
+++ b/src/config/pool_config_variables.c
@@ -705,7 +705,7 @@ static struct config_bool ConfigureNamesBool[] =
},
{
- {"ssl_prefer_server_ciphers", CFGCXT_INIT, SSL_CONFIG,
+ {"ssl_prefer_server_ciphers", CFGCXT_RELOAD, SSL_CONFIG,
"Use server's SSL cipher preferences, rather than the client's",
CONFIG_VAR_TYPE_BOOL, false, 0
},
@@ -1271,7 +1271,7 @@ static struct config_string ConfigureNamesString[] =
},
{
- {"ssl_cert", CFGCXT_INIT, SSL_CONFIG,
+ {"ssl_cert", CFGCXT_RELOAD, SSL_CONFIG,
"SSL public certificate file.",
CONFIG_VAR_TYPE_STRING, false, 0
},
@@ -1281,7 +1281,7 @@ static struct config_string ConfigureNamesString[] =
},
{
- {"ssl_key", CFGCXT_INIT, SSL_CONFIG,
+ {"ssl_key", CFGCXT_RELOAD, SSL_CONFIG,
"SSL private key file.",
CONFIG_VAR_TYPE_STRING, false, 0
},
@@ -1291,7 +1291,7 @@ static struct config_string ConfigureNamesString[] =
},
{
- {"ssl_ca_cert", CFGCXT_INIT, SSL_CONFIG,
+ {"ssl_ca_cert", CFGCXT_RELOAD, SSL_CONFIG,
"Single PEM format file containing CA root certificate(s).",
CONFIG_VAR_TYPE_STRING, false, 0
},
@@ -1301,7 +1301,7 @@ static struct config_string ConfigureNamesString[] =
},
{
- {"ssl_ca_cert_dir", CFGCXT_INIT, SSL_CONFIG,
+ {"ssl_ca_cert_dir", CFGCXT_RELOAD, SSL_CONFIG,
"Directory containing CA root certificate(s).",
CONFIG_VAR_TYPE_STRING, false, 0
},
@@ -1311,7 +1311,7 @@ static struct config_string ConfigureNamesString[] =
},
{
- {"ssl_crl_file", CFGCXT_INIT, SSL_CONFIG,
+ {"ssl_crl_file", CFGCXT_RELOAD, SSL_CONFIG,
"SSL certificate revocation list file",
CONFIG_VAR_TYPE_STRING, false, 0
},
@@ -1321,7 +1321,7 @@ static struct config_string ConfigureNamesString[] =
},
{
- {"ssl_ciphers", CFGCXT_INIT, SSL_CONFIG,
+ {"ssl_ciphers", CFGCXT_RELOAD, SSL_CONFIG,
"Allowed SSL ciphers.",
CONFIG_VAR_TYPE_STRING, false, 0
},
@@ -1331,7 +1331,7 @@ static struct config_string ConfigureNamesString[] =
},
{
- {"ssl_ecdh_curve", CFGCXT_INIT, SSL_CONFIG,
+ {"ssl_ecdh_curve", CFGCXT_RELOAD, SSL_CONFIG,
"The curve to use in ECDH key exchange.",
CONFIG_VAR_TYPE_STRING, false, 0
},
@@ -1341,7 +1341,7 @@ static struct config_string ConfigureNamesString[] =
},
{
- {"ssl_dh_params_file", CFGCXT_INIT, SSL_CONFIG,
+ {"ssl_dh_params_file", CFGCXT_RELOAD, SSL_CONFIG,
"Path to the Diffie-Hellman parameters contained file",
CONFIG_VAR_TYPE_STRING, false, 0
},
@@ -1351,7 +1351,7 @@ static struct config_string ConfigureNamesString[] =
},
{
- {"ssl_passphrase_command", CFGCXT_INIT, SSL_CONFIG,
+ {"ssl_passphrase_command", CFGCXT_RELOAD, SSL_CONFIG,
"Path to the Diffie-Hellman parameters contained file",
CONFIG_VAR_TYPE_STRING, false, 0
},
diff --git a/src/main/pgpool_main.c b/src/main/pgpool_main.c
index bf7c452e2..0a9c92826 100644
--- a/src/main/pgpool_main.c
+++ b/src/main/pgpool_main.c
@@ -61,6 +61,7 @@
#include "watchdog/wd_lifecheck.h"
#include "watchdog/watchdog.h"
#include "pcp/pcp_worker.h"
+#include "utils/pool_ssl.h"
#include <grp.h>
/*
@@ -3489,6 +3490,22 @@ reload_config(void)
if (pool_config->enable_pool_hba)
load_hba(hba_file);
+#ifdef USE_SSL
+ /*
+ * If SSL is enabled, re-initialize the SSL context so that new
+ * connections pick up rotated certificates without requiring a restart.
+ * SSL_ServerSide_init() is safe to call repeatedly: it frees and replaces
+ * the existing SSL_CTX only on success, leaving the old context intact on
+ * failure.
+ */
+ if (pool_config->ssl)
+ {
+ ereport(LOG,
+ (errmsg("reload SSL certificates.")));
+ SSL_ServerSide_init();
+ }
+#endif /* USE_SSL */
+
kill_all_children(SIGHUP);
}
diff --git a/src/protocol/child.c b/src/protocol/child.c
index c34f05728..713bfe28f 100644
--- a/src/protocol/child.c
+++ b/src/protocol/child.c
@@ -1796,6 +1796,17 @@ check_config_reload(void)
if (strcmp("", pool_config->pool_passwd))
pool_reopen_passwd_file();
+#ifdef USE_SSL
+ /*
+ * Re-initialize the frontend SSL context so this child process
+ * serves new connections with any rotated certificates without a
+ * restart. In-flight TLS sessions are unaffected; they hold a
+ * direct reference to the old SSL object.
+ */
+ if (pool_config->ssl)
+ SSL_ServerSide_init();
+#endif /* USE_SSL */
+
got_sighup = 0;
}
}
diff --git a/src/test/regression/tests/042.ssl_reload/README b/src/test/regression/tests/042.ssl_reload/README
new file mode 100644
index 000000000..c73cf0bd3
--- /dev/null
+++ b/src/test/regression/tests/042.ssl_reload/README
@@ -0,0 +1,6 @@
+The sample server.key and server.crt was created by using following commands:
+
+openssl req -new -text -out server.req
+openssl rsa -in privkey.pem -out server.key
+rm privkey.pem
+openssl req -x509 -days 3650 -in server.req -text -key server.key -out server.crt
diff --git a/src/test/regression/tests/042.ssl_reload/server.crt b/src/test/regression/tests/042.ssl_reload/server.crt
new file mode 100644
index 000000000..90d5e08e7
--- /dev/null
+++ b/src/test/regression/tests/042.ssl_reload/server.crt
@@ -0,0 +1,79 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number:
+ f4:86:4a:aa:50:42:63:dc
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
+ Validity
+ Not Before: Aug 29 02:52:36 2018 GMT
+ Not After : Aug 26 02:52:36 2028 GMT
+ Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:f4:e3:30:f0:09:e2:43:0e:a1:67:2e:3b:ef:b5:
+ 88:1e:4e:a9:06:fa:f2:94:8b:fa:4f:0a:9f:e0:57:
+ 45:95:2c:c1:18:1d:21:6d:c8:5c:2a:05:94:0b:c6:
+ 49:c5:97:88:ac:88:ba:73:fb:81:28:eb:e1:cd:7f:
+ 9d:fb:e0:c5:0d:ef:35:cc:12:b8:74:0b:a1:e9:65:
+ d4:19:38:9b:a8:e1:c5:ef:d5:f1:9c:cf:8a:de:bf:
+ fa:d7:6c:f9:d7:85:10:db:9f:e9:03:e9:7e:f1:81:
+ de:9d:f3:b3:a3:6f:19:31:c8:bb:31:c0:e7:7d:ea:
+ 6b:02:98:21:7c:c2:f5:9d:0d:7c:85:2b:5d:81:7c:
+ 71:74:42:89:ab:5c:31:ac:19:fd:c2:0b:fb:e5:c2:
+ b2:54:15:64:40:9c:bf:ed:d2:b1:bb:75:f9:e9:d8:
+ 67:b3:4e:63:c4:3e:f4:8a:2c:87:50:27:dd:22:97:
+ f1:f7:26:49:87:03:55:08:a4:d2:44:21:e1:9a:33:
+ 82:96:09:b3:08:65:bc:a8:3a:f4:64:f3:60:62:d0:
+ 98:d9:82:0c:1b:be:b6:9c:22:e8:7f:e6:eb:20:d9:
+ 71:67:2c:d5:14:83:aa:f1:37:75:98:4c:68:1d:95:
+ fe:1f:ec:cb:9b:17:9c:f4:92:22:da:bb:78:46:f3:
+ de:7d
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Subject Key Identifier:
+ 68:ED:A7:FE:1E:36:26:18:80:2B:C6:A2:07:23:1C:A4:00:57:16:68
+ X509v3 Authority Key Identifier:
+ keyid:68:ED:A7:FE:1E:36:26:18:80:2B:C6:A2:07:23:1C:A4:00:57:16:68
+
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ Signature Algorithm: sha256WithRSAEncryption
+ dd:61:62:83:6e:fa:e8:8a:1b:02:c6:9f:7f:f3:52:f8:04:5c:
+ c9:35:f9:4c:1d:4f:0f:9f:6c:a2:18:95:f0:76:93:e5:99:58:
+ 4a:88:7a:54:68:cf:28:64:8e:01:3f:fb:7e:28:6f:ad:c6:08:
+ a2:09:77:4c:13:4b:1d:68:70:38:91:d4:dc:f7:c3:c8:81:36:
+ 48:b9:01:46:f9:fa:e8:f7:ba:fe:23:4c:e3:27:a9:58:2d:a6:
+ 3d:88:ac:b8:71:9b:84:ec:bd:82:c4:45:1d:ba:77:ed:73:54:
+ a9:16:76:80:40:0b:80:42:47:60:84:cf:41:e0:0f:8e:85:d3:
+ 28:36:fb:f6:8c:f8:c6:20:b3:c4:06:cc:2d:6d:37:78:b4:d5:
+ 4d:14:db:f0:04:56:66:d8:5a:cc:ff:bd:0c:19:6d:39:bf:26:
+ ac:17:0c:91:a4:68:4b:bc:86:4f:0a:10:81:b5:ac:1e:a6:78:
+ b1:7f:e9:f3:9e:1b:32:92:b2:8f:f7:e2:a3:ae:44:e2:99:b0:
+ 04:0a:15:eb:7a:37:10:b2:7b:ef:35:6c:a5:db:13:96:42:e9:
+ 22:3c:72:6a:34:16:0d:b5:2c:49:f3:83:c7:ff:da:ec:57:14:
+ ab:0d:8d:76:8f:f0:a2:21:4f:88:54:bc:2f:c6:b9:7b:8c:da:
+ 42:9a:b1:12
+-----BEGIN CERTIFICATE-----
+MIIDYDCCAkigAwIBAgIJAPSGSqpQQmPcMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
+BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
+aWRnaXRzIFB0eSBMdGQwHhcNMTgwODI5MDI1MjM2WhcNMjgwODI2MDI1MjM2WjBF
+MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50
+ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEA9OMw8AniQw6hZy4777WIHk6pBvrylIv6Twqf4FdFlSzBGB0hbchcKgWU
+C8ZJxZeIrIi6c/uBKOvhzX+d++DFDe81zBK4dAuh6WXUGTibqOHF79XxnM+K3r/6
+12z514UQ25/pA+l+8YHenfOzo28ZMci7McDnfeprApghfML1nQ18hStdgXxxdEKJ
+q1wxrBn9wgv75cKyVBVkQJy/7dKxu3X56dhns05jxD70iiyHUCfdIpfx9yZJhwNV
+CKTSRCHhmjOClgmzCGW8qDr0ZPNgYtCY2YIMG762nCLof+brINlxZyzVFIOq8Td1
+mExoHZX+H+zLmxec9JIi2rt4RvPefQIDAQABo1MwUTAdBgNVHQ4EFgQUaO2n/h42
+JhiAK8aiByMcpABXFmgwHwYDVR0jBBgwFoAUaO2n/h42JhiAK8aiByMcpABXFmgw
+DwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEA3WFig2766IobAsaf
+f/NS+ARcyTX5TB1PD59sohiV8HaT5ZlYSoh6VGjPKGSOAT/7fihvrcYIogl3TBNL
+HWhwOJHU3PfDyIE2SLkBRvn66Pe6/iNM4yepWC2mPYisuHGbhOy9gsRFHbp37XNU
+qRZ2gEALgEJHYITPQeAPjoXTKDb79oz4xiCzxAbMLW03eLTVTRTb8ARWZthazP+9
+DBltOb8mrBcMkaRoS7yGTwoQgbWsHqZ4sX/p854bMpKyj/fio65E4pmwBAoV63o3
+ELJ77zVspdsTlkLpIjxyajQWDbUsSfODx//a7FcUqw2Ndo/woiFPiFS8L8a5e4za
+QpqxEg==
+-----END CERTIFICATE-----
diff --git a/src/test/regression/tests/042.ssl_reload/server.key b/src/test/regression/tests/042.ssl_reload/server.key
new file mode 100644
index 000000000..0ddd69303
--- /dev/null
+++ b/src/test/regression/tests/042.ssl_reload/server.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEA9OMw8AniQw6hZy4777WIHk6pBvrylIv6Twqf4FdFlSzBGB0h
+bchcKgWUC8ZJxZeIrIi6c/uBKOvhzX+d++DFDe81zBK4dAuh6WXUGTibqOHF79Xx
+nM+K3r/612z514UQ25/pA+l+8YHenfOzo28ZMci7McDnfeprApghfML1nQ18hStd
+gXxxdEKJq1wxrBn9wgv75cKyVBVkQJy/7dKxu3X56dhns05jxD70iiyHUCfdIpfx
+9yZJhwNVCKTSRCHhmjOClgmzCGW8qDr0ZPNgYtCY2YIMG762nCLof+brINlxZyzV
+FIOq8Td1mExoHZX+H+zLmxec9JIi2rt4RvPefQIDAQABAoIBAD6EfaraKxxJcOUh
+hYWlx3FNTZONnz5TGfzxzmz8erQhr84TKcSYIQdNU0VKQu0hyW+anFcdvxSOW6AV
+02RJNqVfC1Hk+ZgOnDA0odgqfnq34MtgyATrax2Az24N0R63Rt16zocEJjdLm2Sh
+oZu4sirmfvutrquTm+wWoH30W7XTCrd17thq8+5VBumXLW4sr40PWXcfPC1Od7JH
+utYZ0lGxr89fhuPpnpLw7V67EdslwmYl8avhzrUlzkXPqufZ33XdWFi/IXoNjMZ2
+MFgZFNKHv682nqjrrodyn4iXEzMSj4z4QLTNxoH79HWvCb2HjUpEWTNrfdu3LNCZ
+FahqHmECgYEA/5MmEEB2GNlhaMP+NMK/3x9RCfDfleqEdExf0KA6TuISNYUgeEeB
+dfczCN8WtxyDMor6fvwINxEAHX64/CompE/ya+Z25VdBQMcLpNVGS01aDdrqWN5B
+4qG8OyK3+eAjCnvyCzWsvvpK1I5u65q6+Q+Cw1wQaxYzhsZkEazQ0OkCgYEA9Ut9
+m74RMGudjkvJK7JIPLDLGEsko+yrh8IuoGn/wLpUJwmkZFQu8HRqdddMVjwQi4CN
+IDScbvyH0uE2yN+gg/BB0eBIyhfrI3xl6FJIQBnI0/7wmb2U82OT0LS18h9n8dAK
++mONcR3zL7XDe8xy1qTS0jjd1QT1QS4YLGPCxHUCgYEAowftCgT00NkqaDhOWr24
+w84oVd0P44QcRkvJ+z2atGNGFln74n5KuUOdjJUy2lAX6Q/6xzJi0y3HEwmZW1JQ
+IBTXobj8M0Q73eSbKuTZ2INZZOk3AMWW5ckiV97H2V//OlrihgARWCo1ve22GBk2
+GFaqpZB+8LDS4bCAeT3yXrECgYEA5rZ3USonLry5d2JOt5u7F+JNU+8xakErYMhC
+ZLzuQY6/oewOxBLuB1nn3CiBc0aRZTSnCFiTnkxFUBJmHe9AIXiz37wtmm9+yWSy
+0R27ORdHbiYGlQPcekP5fr7Jtw7VDHraKIHEQlWiKwix8dntVXe3luTHuRktuH2r
+XO0D/xUCgYEAlQtXyGSl/taUjKyfvfxlFDtpOwBAwUj2CsNzeUd2/5aWkqUrtYz8
+JNCPgSLPKDhLpavH0vUEmftF3uDVPxvMQ4JG9MQ7meHgL7AZmtKdU0VI+Av9xiJe
+d7A1x6o88gv1TqvGRit2qRxNOT0mzhDcXuR2EIQqUav45NyBokSo9xw=
+-----END RSA PRIVATE KEY-----
diff --git a/src/test/regression/tests/042.ssl_reload/server.req b/src/test/regression/tests/042.ssl_reload/server.req
new file mode 100644
index 000000000..fdfd5235d
--- /dev/null
+++ b/src/test/regression/tests/042.ssl_reload/server.req
@@ -0,0 +1,61 @@
+Certificate Request:
+ Data:
+ Version: 1 (0x0)
+ Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:f4:e3:30:f0:09:e2:43:0e:a1:67:2e:3b:ef:b5:
+ 88:1e:4e:a9:06:fa:f2:94:8b:fa:4f:0a:9f:e0:57:
+ 45:95:2c:c1:18:1d:21:6d:c8:5c:2a:05:94:0b:c6:
+ 49:c5:97:88:ac:88:ba:73:fb:81:28:eb:e1:cd:7f:
+ 9d:fb:e0:c5:0d:ef:35:cc:12:b8:74:0b:a1:e9:65:
+ d4:19:38:9b:a8:e1:c5:ef:d5:f1:9c:cf:8a:de:bf:
+ fa:d7:6c:f9:d7:85:10:db:9f:e9:03:e9:7e:f1:81:
+ de:9d:f3:b3:a3:6f:19:31:c8:bb:31:c0:e7:7d:ea:
+ 6b:02:98:21:7c:c2:f5:9d:0d:7c:85:2b:5d:81:7c:
+ 71:74:42:89:ab:5c:31:ac:19:fd:c2:0b:fb:e5:c2:
+ b2:54:15:64:40:9c:bf:ed:d2:b1:bb:75:f9:e9:d8:
+ 67:b3:4e:63:c4:3e:f4:8a:2c:87:50:27:dd:22:97:
+ f1:f7:26:49:87:03:55:08:a4:d2:44:21:e1:9a:33:
+ 82:96:09:b3:08:65:bc:a8:3a:f4:64:f3:60:62:d0:
+ 98:d9:82:0c:1b:be:b6:9c:22:e8:7f:e6:eb:20:d9:
+ 71:67:2c:d5:14:83:aa:f1:37:75:98:4c:68:1d:95:
+ fe:1f:ec:cb:9b:17:9c:f4:92:22:da:bb:78:46:f3:
+ de:7d
+ Exponent: 65537 (0x10001)
+ Attributes:
+ a0:00
+ Signature Algorithm: sha256WithRSAEncryption
+ 7a:30:69:6c:aa:30:6f:f3:bc:dc:85:78:04:ef:f6:0c:b2:04:
+ e7:03:55:fd:4a:98:74:d6:fd:24:a1:e9:e8:3d:e3:a1:b0:dc:
+ 12:b9:1f:38:fe:9e:42:5a:0c:06:b8:0c:f6:65:0b:78:95:73:
+ 27:31:14:e5:4d:4f:e2:82:3f:52:24:45:ba:31:e7:87:b7:c8:
+ b9:8a:db:5f:5e:fd:1a:f2:6c:7d:d6:d1:1d:19:77:5e:10:51:
+ d3:24:7f:5a:7d:3f:eb:db:33:0b:27:97:72:b9:f0:ea:89:79:
+ ca:b7:23:7c:c0:8a:e9:11:30:45:99:09:58:da:08:86:28:32:
+ 21:c0:3f:2e:87:3e:a4:96:55:f1:65:72:4f:06:0b:b3:a1:97:
+ 7d:54:6c:0d:96:b4:41:11:6e:28:45:cb:16:d7:1e:70:1e:a8:
+ a2:4e:7f:65:8e:71:e9:05:e2:ad:cc:9a:79:1d:73:39:e8:f0:
+ e8:f3:75:ab:bf:9d:44:7b:b7:76:3f:0d:50:e0:9c:ef:2c:d5:
+ eb:c3:0d:4f:c1:77:af:56:7e:78:db:e8:a0:52:05:f6:49:89:
+ ab:c0:ff:d6:97:9d:9d:84:14:12:73:ee:31:1d:12:ad:e7:91:
+ 8d:ac:ff:ee:8d:18:07:be:c8:ec:57:9d:78:41:9c:1e:a1:75:
+ 2b:99:f7:70
+-----BEGIN CERTIFICATE REQUEST-----
+MIICijCCAXICAQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx
+ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAPTjMPAJ4kMOoWcuO++1iB5OqQb68pSL+k8Kn+BX
+RZUswRgdIW3IXCoFlAvGScWXiKyIunP7gSjr4c1/nfvgxQ3vNcwSuHQLoell1Bk4
+m6jhxe/V8ZzPit6/+tds+deFENuf6QPpfvGB3p3zs6NvGTHIuzHA533qawKYIXzC
+9Z0NfIUrXYF8cXRCiatcMawZ/cIL++XCslQVZECcv+3Ssbt1+enYZ7NOY8Q+9Ios
+h1An3SKX8fcmSYcDVQik0kQh4ZozgpYJswhlvKg69GTzYGLQmNmCDBu+tpwi6H/m
+6yDZcWcs1RSDqvE3dZhMaB2V/h/sy5sXnPSSItq7eEbz3n0CAwEAAaAAMA0GCSqG
+SIb3DQEBCwUAA4IBAQB6MGlsqjBv87zchXgE7/YMsgTnA1X9Sph01v0koenoPeOh
+sNwSuR84/p5CWgwGuAz2ZQt4lXMnMRTlTU/igj9SJEW6MeeHt8i5ittfXv0a8mx9
+1tEdGXdeEFHTJH9afT/r2zMLJ5dyufDqiXnKtyN8wIrpETBFmQlY2giGKDIhwD8u
+hz6kllXxZXJPBguzoZd9VGwNlrRBEW4oRcsW1x5wHqiiTn9ljnHpBeKtzJp5HXM5
+6PDo83Wrv51Ee7d2Pw1Q4JzvLNXrww1PwXevVn542+igUgX2SYmrwP/Wl52dhBQS
+c+4xHRKt55GNrP/ujRgHvsjsV514QZweoXUrmfdw
+-----END CERTIFICATE REQUEST-----
diff --git a/src/test/regression/tests/042.ssl_reload/test.sh b/src/test/regression/tests/042.ssl_reload/test.sh
new file mode 100755
index 000000000..302216878
--- /dev/null
+++ b/src/test/regression/tests/042.ssl_reload/test.sh
@@ -0,0 +1,189 @@
+#!/usr/bin/env bash
+#-------------------------------------------------------------------
+# test script for SSL connection upon reloading for: frontend <--> Pgpool-II and Pgpool-II and PostgreSQL.
+#
+source $TESTLIBS
+TESTDIR=testdir
+PSQL=$PGBIN/psql
+PG_CTL=$PGBIN/pg_ctl
+export PGDATABASE=test
+SSL_KEY=server.key
+SSL_CRT=server.crt
+
+#-------------------------------------------
+# Check psql output for \conninfo to see if SSL enabled
+#-------------------------------------------
+function check_ssl {
+ $PSQL -h localhost test <<EOF > result
+\conninfo
+\q
+EOF
+
+ # PostgreSQL 18 or later prints tablular output for \conninfo.
+ # For SSL, "SSL Connection | true (or false)"
+ if [ $PGVERSION -ge 18 ];then
+ grep "SSL Connection" result|grep true
+ else
+ grep SSL result
+ fi
+}
+
+# ---------------------------------------------------------------
+# Test ssl configuration param.
+# params:
+# $1: configuration name. e.g. ssl_cert
+# $2: good value for the config
+#
+# This performs following tests:
+# 1. Set bad value to the config and restart pgpool to make sure SSL connection does not establish.
+# 2. Set good value to the config and reload to make sure SSL connection establishes.
+# If test fails, exit with status 1
+function test_ssl {
+ # set bad value
+ echo "$1 = 'bad_value'" >> etc/pgpool.conf
+ # restart pgpool
+ ./startall
+ wait_for_pgpool_startup
+ check_ssl
+ if [ $? = 0 ];then
+ echo "Checking SSL connection between frontend and Pgpool-II succeeded despite bad config value for $1"
+ ./shutdownall
+ exit 1
+ fi
+ echo "Checking SSL connection between frontend and Pgpool-II failed due to bad config value for $1 as expected."
+
+ # Make sure that SSL connection succeeds with good config value
+ echo "$1 = '$2'" >> etc/pgpool.conf
+ ./pgpool_reload
+ sleep 1
+ check_ssl
+ if [ $? = 0 ];then
+ echo "Checking SSL connection between frontend and Pgpool-II succeeded with good $1"
+ else
+ echo "Checking SSL connection between frontend and Pgpool-II failed with good $1"
+ ./shutdownall
+ exit 1
+ fi
+ ./shutdownall
+}
+
+# main script starts here
+rm -fr $TESTDIR
+mkdir $TESTDIR
+cd $TESTDIR
+
+# create test environment. Number of backend node is 1 is enough.
+echo -n "creating test environment..."
+$PGPOOL_SETUP -m s -n 1 || exit 1
+echo "done."
+
+# setup SSL key and crt file
+cp -p ../$SSL_KEY etc/
+chmod og-rwx etc/$SSL_KEY
+cp -p ../$SSL_CRT etc/
+cp -p ../$SSL_KEY data0/
+chmod og-rwx data0/$SSL_KEY
+cp -p ../$SSL_CRT data0/
+
+# enable SSL support
+dir=`pwd`
+
+echo "ssl = on" >> etc/pgpool.conf
+echo "ssl_key = '$SSL_KEY'" >> etc/pgpool.conf
+echo "ssl_cert = '$SSL_CRT'" >> etc/pgpool.conf
+echo "ssl_prefer_server_ciphers = on" >> etc/pgpool.conf
+echo "ssl_ciphers = 'EECDH:HIGH:MEDIUM:+3DES:!aNULL'" >> etc/pgpool.conf
+
+echo "ssl = on" >> data0/postgresql.conf
+echo "ssl_cert_file = '$SSL_CRT'" >> data0/postgresql.conf
+echo "ssl_key_file = '$SSL_KEY'" >> data0/postgresql.conf
+
+# backend must be connected via TCP/IP
+echo "backend_hostname0 = 'localhost'" >> etc/pgpool.conf
+
+# produce debug message since the only way to confirm the SSL
+# connections is being established is, look into the debug log.
+echo "log_min_messages = debug5" >> etc/pgpool.conf
+
+# allow to access IPv6 localhost
+echo "host all all ::1/128 trust" >> data0/pg_hba.conf
+
+source ./bashrc.ports
+
+./startall
+
+export PGPORT=$PGPOOL_PORT
+
+wait_for_pgpool_startup
+
+# first, checking frontend<-->Pgpool-II...
+check_ssl
+if [ $? != 0 ];then
+ echo "Checking SSL connection between frontend and Pgpool-II failed."
+ ./shutdownall
+ exit 1
+fi
+echo "Checking SSL connection between frontend and Pgpool-II was ok."
+
+if [ $PGVERSION -ge 18 ];then
+ grep "SSL Protocol" result|grep TLSv1.2
+else
+ grep SSL result |grep TLSv1.2
+fi
+
+# if SSl protocol version TLSv1.2
+if [ $? = 0 ];then
+ grep SSL result |grep ECDH
+
+ if [ $? != 0 ];then
+ echo "Checking SSL connection with ECDH between frontend and Pgpool-II failed."
+ ./shutdownall
+ exit 1
+ fi
+ echo "Checking SSL connection with ECDH between frontend and Pgpool-II was ok."
+fi
+
+grep "client->server SSL response: S" log/pgpool.log >/dev/null
+if [ $? != 0 ];then
+ echo "Checking SSL connection between Pgpool-II and backend failed."
+ ./shutdownall
+ exit 1
+fi
+echo "Checking SSL connection between Pgpool-II and backend was ok."
+
+# So far SSL connection between clients and Pgpool-II, Pgpool-II and backend are ok.
+
+./shutdownall
+
+# ---------------------------------------------------------------
+# Test SSL params
+
+config_names[0]=ssl_cert
+config_names[1]=ssl_ciphers
+config_names[2]=ssl_crl_file
+config_names[3]=ssl_dh_params_file # ssl_dh_params_file can be a invalid file (fallback mechanism)
+config_names[4]=ssl_ecdh_curve
+config_names[5]=ssl_key
+config_names[6]=ssl_passphrase_command # cert does not require pass passphrase
+config_names[7]=ssl_prefer_server_ciphers # this affects server side ciphers
+
+good_values[0]=server.crt
+good_values[1]=HIGH:MEDIUM:+3DES:!aNULL
+good_values[2]=""
+good_values[3]=skip
+good_values[4]=prime256v1
+good_values[5]=server.key
+good_values[6]=skip
+good_values[7]=skip
+
+for i in {0..7}
+do
+ echo "===== ${config_names[$i]} ====="
+ if [ "${good_values[$i]}" = "skip" ];then
+ echo "skip this test"
+ else
+ test_ssl ${config_names[$i]} ${good_values[$i]}
+ fi
+done
+./shutdownall
+exit 0
--
2.43.0
^ permalink raw reply [nested|flat] 21+ messages in thread
* Rotate SSL certificates on reload (SIGHUP) without restart
2025-10-23 05:02 Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2025-10-24 04:44 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-16 09:20 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-03-19 10:22 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-25 11:04 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-03-26 08:07 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-26 10:19 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-27 18:16 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-03-31 09:48 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-31 09:53 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-04-01 09:05 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
@ 2026-04-02 19:57 ` Bob Ross <[email protected]>
2026-04-13 07:28 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
0 siblings, 1 reply; 21+ messages in thread
From: Bob Ross @ 2026-04-02 19:57 UTC (permalink / raw)
To: Tatsuo Ishii <[email protected]>; +Cc: [email protected] <[email protected]>
Hi Tatsuo,
Thanks for putting together the regression tests.
Thoughts on your questions:
- CA Certificates - Yes, adding a cert auth test is highly recommended. We
could test this by generating two different dummy CA certificates. Start
pgpool trusting CA #1, swap the config to CA #2, reload and verify if
client connection correctly gets rejected.
- DH parameters - perhaps we can test this by providing a non-existent file
path and then use grep to check pgpool.log for specific warning message
(per pool_ssl.c it’s “DH: could not load DH parameters”) when pgpool tries
to load the file.
Regards,
Bob
On Wednesday, April 1, 2026, Tatsuo Ishii <[email protected]> wrote:
> Hi Bob,
>
> > Hi Tatsuo,
> >
> > Thanks for double-checking! Please feel free to go ahead and write the
> > regression tests if you're up for it. I'd really appreciate the help.
>
> I have written the first version of the regression test. This test
> performs:
>
> 1. Set bad value (fixed string "bad_value") to a config param and
> restart pgpool so that SSL connection does not establish between
> client and pgpool.
>
> 2. Set good value to the config and reload pgpool so that SSL
> connection establishes.
>
> The test is run against:
> ssl_cert
> ssl_ciphers
> ssl_crl_file
> ssl_ecdh_curve
> ssl_key
>
> It does not test ssl_ca_cert and ssl_ca_cert_dir because the test is
> based on 023.ssl_connection which does not check cert auth. Should we
> test cert auth as well?
>
> Also this does not test followings:
>
> - ssl_dh_params_file
> If bad value is set to the parameter, it falls back to a builtin
> value. So it is not possible to set a bad value to the parameter.
> Do you have an idea to test this?
>
> - ssl_passphrase_command
> Our cert does not require pass passphrase.
>
> - ssl_prefer_server_ciphers
> This only affects server side (backend) ciphers. The test only tests
> SSL connection between client and pgpool.
>
> Attached is the v1 patch including your patch (I have remove "-----"
> from your commit message. Otherwise the commit message cuts in the
> middle) and the test script.
> What do you think?
>
> Regards,
> --
> Tatsuo Ishii
> SRA OSS K.K.
> English: http://www.sraoss.co.jp/index_en/
> Japanese:http://www.sraoss.co.jp
>
^ permalink raw reply [nested|flat] 21+ messages in thread
* Re: Rotate SSL certificates on reload (SIGHUP) without restart
2025-10-23 05:02 Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2025-10-24 04:44 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-16 09:20 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-03-19 10:22 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-25 11:04 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-03-26 08:07 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-26 10:19 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-27 18:16 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-03-31 09:48 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-31 09:53 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-04-01 09:05 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-04-02 19:57 ` Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
@ 2026-04-13 07:28 ` Bob Ross <[email protected]>
2026-04-14 08:01 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
0 siblings, 1 reply; 21+ messages in thread
From: Bob Ross @ 2026-04-13 07:28 UTC (permalink / raw)
To: Tatsuo Ishii <[email protected]>; +Cc: [email protected] <[email protected]>
Hi Tatsuo,
Please let me know if you need any assistance with updating your test
cases. I am be happy to help.
Thanks,
Bob
On Thu, Apr 2, 2026 at 9:57 PM Bob Ross <[email protected]> wrote:
> Hi Tatsuo,
>
> Thanks for putting together the regression tests.
>
> Thoughts on your questions:
> - CA Certificates - Yes, adding a cert auth test is highly recommended. We
> could test this by generating two different dummy CA certificates. Start
> pgpool trusting CA #1, swap the config to CA #2, reload and verify if
> client connection correctly gets rejected.
> - DH parameters - perhaps we can test this by providing a non-existent
> file path and then use grep to check pgpool.log for specific warning
> message (per pool_ssl.c it’s “DH: could not load DH parameters”) when
> pgpool tries to load the file.
>
> Regards,
> Bob
>
>
> On Wednesday, April 1, 2026, Tatsuo Ishii <[email protected]> wrote:
>
>> Hi Bob,
>>
>> > Hi Tatsuo,
>> >
>> > Thanks for double-checking! Please feel free to go ahead and write the
>> > regression tests if you're up for it. I'd really appreciate the help.
>>
>> I have written the first version of the regression test. This test
>> performs:
>>
>> 1. Set bad value (fixed string "bad_value") to a config param and
>> restart pgpool so that SSL connection does not establish between
>> client and pgpool.
>>
>> 2. Set good value to the config and reload pgpool so that SSL
>> connection establishes.
>>
>> The test is run against:
>> ssl_cert
>> ssl_ciphers
>> ssl_crl_file
>> ssl_ecdh_curve
>> ssl_key
>>
>> It does not test ssl_ca_cert and ssl_ca_cert_dir because the test is
>> based on 023.ssl_connection which does not check cert auth. Should we
>> test cert auth as well?
>>
>> Also this does not test followings:
>>
>> - ssl_dh_params_file
>> If bad value is set to the parameter, it falls back to a builtin
>> value. So it is not possible to set a bad value to the parameter.
>> Do you have an idea to test this?
>>
>> - ssl_passphrase_command
>> Our cert does not require pass passphrase.
>>
>> - ssl_prefer_server_ciphers
>> This only affects server side (backend) ciphers. The test only tests
>> SSL connection between client and pgpool.
>>
>> Attached is the v1 patch including your patch (I have remove "-----"
>> from your commit message. Otherwise the commit message cuts in the
>> middle) and the test script.
>> What do you think?
>>
>> Regards,
>> --
>> Tatsuo Ishii
>> SRA OSS K.K.
>> English: http://www.sraoss.co.jp/index_en/
>> Japanese:http://www.sraoss.co.jp
>>
>
^ permalink raw reply [nested|flat] 21+ messages in thread
* Re: Rotate SSL certificates on reload (SIGHUP) without restart
2025-10-23 05:02 Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2025-10-24 04:44 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-16 09:20 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-03-19 10:22 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-25 11:04 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-03-26 08:07 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-26 10:19 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-27 18:16 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-03-31 09:48 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-31 09:53 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-04-01 09:05 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-04-02 19:57 ` Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-04-13 07:28 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
@ 2026-04-14 08:01 ` Tatsuo Ishii <[email protected]>
2026-04-15 06:36 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
0 siblings, 1 reply; 21+ messages in thread
From: Tatsuo Ishii @ 2026-04-14 08:01 UTC (permalink / raw)
To: [email protected]; +Cc: [email protected]
Hi Bob,
> Hi Tatsuo,
>
> Please let me know if you need any assistance with updating your test
> cases. I am be happy to help.
>
> Thanks,
> Bob
Sorry for late. I was busy with personal affairs and some other
projects.
> On Thu, Apr 2, 2026 at 9:57 PM Bob Ross <[email protected]> wrote:
>
>> Hi Tatsuo,
>>
>> Thanks for putting together the regression tests.
>>
>> Thoughts on your questions:
>> - CA Certificates - Yes, adding a cert auth test is highly recommended. We
>> could test this by generating two different dummy CA certificates. Start
>> pgpool trusting CA #1, swap the config to CA #2, reload and verify if
>> client connection correctly gets rejected.
If you could extend the test file I posted so that it performs a cert
auth test, that would be helpful.
>> - DH parameters - perhaps we can test this by providing a non-existent
>> file path and then use grep to check pgpool.log for specific warning
>> message (per pool_ssl.c it’s “DH: could not load DH parameters”) when
>> pgpool tries to load the file.
I think it will not work.
===================================================================
static bool
initialize_dh(SSL_CTX *context)
{
DH *dh = NULL;
SSL_CTX_set_options(context, SSL_OP_SINGLE_DH_USE);
if (pool_config->ssl_dh_params_file[0])
dh = load_dh_file(pool_config->ssl_dh_params_file);
if (!dh)
dh = load_dh_buffer(FILE_DH2048, sizeof(FILE_DH2048));
if (!dh)
{
ereport(WARNING,
(errmsg("DH: could not load DH parameters")));
return false;
}
:
:
===================================================================
The ereport message is printed when the built-in DH parameter file is
broken. But as long as the source file is fine, it would never happen.
Maybe we should fix the code above so that it emits ereport when it
fails to load the DH parameter file specified by ssl_dh_params_file?
Regards,
--
Tatsuo Ishii
SRA OSS K.K.
English: http://www.sraoss.co.jp/index_en/
Japanese:http://www.sraoss.co.jp
^ permalink raw reply [nested|flat] 21+ messages in thread
* Re: Rotate SSL certificates on reload (SIGHUP) without restart
2025-10-23 05:02 Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2025-10-24 04:44 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-16 09:20 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-03-19 10:22 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-25 11:04 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-03-26 08:07 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-26 10:19 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-27 18:16 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-03-31 09:48 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-31 09:53 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-04-01 09:05 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-04-02 19:57 ` Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-04-13 07:28 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-04-14 08:01 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
@ 2026-04-15 06:36 ` Bob Ross <[email protected]>
2026-04-16 10:31 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
0 siblings, 1 reply; 21+ messages in thread
From: Bob Ross @ 2026-04-15 06:36 UTC (permalink / raw)
To: Tatsuo Ishii <[email protected]>; +Cc: [email protected]
Hi Tatsuo,
Please see attached v2. It adds regression coverage for SSL cert reload
with client certificate authentication; there are no functional code
changes.
Best regards,
Bob
On Tue, Apr 14, 2026 at 10:02 AM Tatsuo Ishii <[email protected]> wrote:
> Hi Bob,
>
> > Hi Tatsuo,
> >
> > Please let me know if you need any assistance with updating your test
> > cases. I am be happy to help.
> >
> > Thanks,
> > Bob
>
> Sorry for late. I was busy with personal affairs and some other
> projects.
>
> > On Thu, Apr 2, 2026 at 9:57 PM Bob Ross <[email protected]>
> wrote:
> >
> >> Hi Tatsuo,
> >>
> >> Thanks for putting together the regression tests.
> >>
> >> Thoughts on your questions:
> >> - CA Certificates - Yes, adding a cert auth test is highly recommended.
> We
> >> could test this by generating two different dummy CA certificates. Start
> >> pgpool trusting CA #1, swap the config to CA #2, reload and verify if
> >> client connection correctly gets rejected.
>
> If you could extend the test file I posted so that it performs a cert
> auth test, that would be helpful.
>
> >> - DH parameters - perhaps we can test this by providing a non-existent
> >> file path and then use grep to check pgpool.log for specific warning
> >> message (per pool_ssl.c it’s “DH: could not load DH parameters”) when
> >> pgpool tries to load the file.
>
> I think it will not work.
>
> ===================================================================
> static bool
> initialize_dh(SSL_CTX *context)
> {
> DH *dh = NULL;
>
> SSL_CTX_set_options(context, SSL_OP_SINGLE_DH_USE);
>
> if (pool_config->ssl_dh_params_file[0])
> dh = load_dh_file(pool_config->ssl_dh_params_file);
> if (!dh)
> dh = load_dh_buffer(FILE_DH2048, sizeof(FILE_DH2048));
> if (!dh)
> {
> ereport(WARNING,
> (errmsg("DH: could not load DH
> parameters")));
> return false;
> }
> :
> :
> ===================================================================
>
> The ereport message is printed when the built-in DH parameter file is
> broken. But as long as the source file is fine, it would never happen.
>
> Maybe we should fix the code above so that it emits ereport when it
> fails to load the DH parameter file specified by ssl_dh_params_file?
>
> Regards,
> --
> Tatsuo Ishii
> SRA OSS K.K.
> English: http://www.sraoss.co.jp/index_en/
> Japanese:http://www.sraoss.co.jp
>
Attachments:
[application/octet-stream] v2-0001-Feature-reload-SSL-certificates-on-SIGHUP-without.patch (26.9K, 3-v2-0001-Feature-reload-SSL-certificates-on-SIGHUP-without.patch)
download | inline diff:
From c97fc6e9d4acb3f5071e473db3b34577f2498d59 Mon Sep 17 00:00:00 2001
From: Bob Ross <[email protected]>
Date: Wed, 15 Apr 2026 00:00:00 +0000
Subject: [PATCH v2] Feature: reload SSL certificates on SIGHUP without restart
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Allow Pgpool-II to pick up rotated TLS certificates (and any change to
SSL-related configuration) when receiving SIGHUP (i.e. systemctl reload
pgpool2), matching the behavior PostgreSQL has had since PostgreSQL 12.
Problem:
All SSL configuration parameters (ssl_cert, ssl_key, ssl_ca_cert,
ssl_ciphers, etc.) were declared CFGCXT_INIT, meaning they were silently
ignored when pool_get_config() was called under CFGCXT_RELOAD.
Furthermore, SSL_ServerSide_init() was only called once at startup in
main.c and never again, so the in-memory SSL_CTX was never refreshed.
Fix:
1. src/main/pgpool_main.c
- Include utils/pool_ssl.h.
- In reload_config(), call SSL_ServerSide_init() (guarded by
#ifdef USE_SSL) *before* kill_all_children(SIGHUP). The function
already replaces SSL_frontend_context atomically: it frees the old
SSL_CTX only after a new one has been created successfully, so a
failed reload leaves the existing context intact.
2. src/protocol/child.c
- In check_config_reload(), call SSL_ServerSide_init() (guarded by
#ifdef USE_SSL) so each worker child also refreshes its own copy of
the SSL context for subsequent new connections. In-flight TLS
sessions are unaffected because they hold a direct reference to the
SSL object, not to SSL_frontend_context.
3. src/config/pool_config_variables.c
- Change CFGCXT_INIT -> CFGCXT_RELOAD for:
ssl_prefer_server_ciphers, ssl_cert, ssl_key, ssl_ca_cert,
ssl_ca_cert_dir, ssl_crl_file, ssl_ciphers, ssl_ecdh_curve,
ssl_dh_params_file, ssl_passphrase_command.
- The 'ssl' boolean (master enable flag) is intentionally left as
CFGCXT_INIT because dynamically enabling SSL at runtime is a
larger, separate concern.
Usage after this change:
Standard in-place certificate rotation (cert-manager, ACME, manual
openssl refresh at the same path):
# replace /etc/pgpool/server.{crt,key} with new files
systemctl reload pgpool2
# or: pgpool -f /etc/pgpool/pgpool.conf reload
New connections will use the new certificates after workers process
the reload signal. Existing connections are not interrupted.
Switching to a different certificate path also works: update
pgpool.conf then reload — the new paths are now accepted in
CFGCXT_RELOAD context.
Author: Bob Ross <[email protected]>
Reviewed-by: Tatsuo Ishii <[email protected]>
Discussion: https://www.postgresql.org/message-id/flat/CAHtZvrddqfbnERYY_DqgURWCjuXeTjM0y08k-ZP_B0bAHYx2ag%40mail.gmail.com
---
src/config/pool_config_variables.c | 20 +-
src/main/pgpool_main.c | 17 ++
src/protocol/child.c | 11 +
.../regression/tests/042.ssl_reload/README | 6 +
.../tests/042.ssl_reload/server.crt | 79 ++++++++
.../tests/042.ssl_reload/server.key | 27 +++
.../tests/042.ssl_reload/server.req | 61 ++++++
.../regression/tests/042.ssl_reload/test.sh | 257 ++++++++++++++++++++++++
8 files changed, 400 insertions(+), 10 deletions(-)
create mode 100644 src/test/regression/tests/042.ssl_reload/README
create mode 100644 src/test/regression/tests/042.ssl_reload/server.crt
create mode 100644 src/test/regression/tests/042.ssl_reload/server.key
create mode 100644 src/test/regression/tests/042.ssl_reload/server.req
create mode 100755 src/test/regression/tests/042.ssl_reload/test.sh
diff --git a/src/config/pool_config_variables.c b/src/config/pool_config_variables.c
index ce13c42f6..ca40c341a 100644
--- a/src/config/pool_config_variables.c
+++ b/src/config/pool_config_variables.c
@@ -705,7 +705,7 @@ static struct config_bool ConfigureNamesBool[] =
},
{
- {"ssl_prefer_server_ciphers", CFGCXT_INIT, SSL_CONFIG,
+ {"ssl_prefer_server_ciphers", CFGCXT_RELOAD, SSL_CONFIG,
"Use server's SSL cipher preferences, rather than the client's",
CONFIG_VAR_TYPE_BOOL, false, 0
},
@@ -1271,7 +1271,7 @@ static struct config_string ConfigureNamesString[] =
},
{
- {"ssl_cert", CFGCXT_INIT, SSL_CONFIG,
+ {"ssl_cert", CFGCXT_RELOAD, SSL_CONFIG,
"SSL public certificate file.",
CONFIG_VAR_TYPE_STRING, false, 0
},
@@ -1281,7 +1281,7 @@ static struct config_string ConfigureNamesString[] =
},
{
- {"ssl_key", CFGCXT_INIT, SSL_CONFIG,
+ {"ssl_key", CFGCXT_RELOAD, SSL_CONFIG,
"SSL private key file.",
CONFIG_VAR_TYPE_STRING, false, 0
},
@@ -1291,7 +1291,7 @@ static struct config_string ConfigureNamesString[] =
},
{
- {"ssl_ca_cert", CFGCXT_INIT, SSL_CONFIG,
+ {"ssl_ca_cert", CFGCXT_RELOAD, SSL_CONFIG,
"Single PEM format file containing CA root certificate(s).",
CONFIG_VAR_TYPE_STRING, false, 0
},
@@ -1301,7 +1301,7 @@ static struct config_string ConfigureNamesString[] =
},
{
- {"ssl_ca_cert_dir", CFGCXT_INIT, SSL_CONFIG,
+ {"ssl_ca_cert_dir", CFGCXT_RELOAD, SSL_CONFIG,
"Directory containing CA root certificate(s).",
CONFIG_VAR_TYPE_STRING, false, 0
},
@@ -1311,7 +1311,7 @@ static struct config_string ConfigureNamesString[] =
},
{
- {"ssl_crl_file", CFGCXT_INIT, SSL_CONFIG,
+ {"ssl_crl_file", CFGCXT_RELOAD, SSL_CONFIG,
"SSL certificate revocation list file",
CONFIG_VAR_TYPE_STRING, false, 0
},
@@ -1321,7 +1321,7 @@ static struct config_string ConfigureNamesString[] =
},
{
- {"ssl_ciphers", CFGCXT_INIT, SSL_CONFIG,
+ {"ssl_ciphers", CFGCXT_RELOAD, SSL_CONFIG,
"Allowed SSL ciphers.",
CONFIG_VAR_TYPE_STRING, false, 0
},
@@ -1331,7 +1331,7 @@ static struct config_string ConfigureNamesString[] =
},
{
- {"ssl_ecdh_curve", CFGCXT_INIT, SSL_CONFIG,
+ {"ssl_ecdh_curve", CFGCXT_RELOAD, SSL_CONFIG,
"The curve to use in ECDH key exchange.",
CONFIG_VAR_TYPE_STRING, false, 0
},
@@ -1341,7 +1341,7 @@ static struct config_string ConfigureNamesString[] =
},
{
- {"ssl_dh_params_file", CFGCXT_INIT, SSL_CONFIG,
+ {"ssl_dh_params_file", CFGCXT_RELOAD, SSL_CONFIG,
"Path to the Diffie-Hellman parameters contained file",
CONFIG_VAR_TYPE_STRING, false, 0
},
@@ -1351,7 +1351,7 @@ static struct config_string ConfigureNamesString[] =
},
{
- {"ssl_passphrase_command", CFGCXT_INIT, SSL_CONFIG,
+ {"ssl_passphrase_command", CFGCXT_RELOAD, SSL_CONFIG,
"Path to the Diffie-Hellman parameters contained file",
CONFIG_VAR_TYPE_STRING, false, 0
},
diff --git a/src/main/pgpool_main.c b/src/main/pgpool_main.c
index bf7c452e2..0a9c92826 100644
--- a/src/main/pgpool_main.c
+++ b/src/main/pgpool_main.c
@@ -61,6 +61,7 @@
#include "watchdog/wd_lifecheck.h"
#include "watchdog/watchdog.h"
#include "pcp/pcp_worker.h"
+#include "utils/pool_ssl.h"
#include <grp.h>
/*
@@ -3489,6 +3490,22 @@ reload_config(void)
if (pool_config->enable_pool_hba)
load_hba(hba_file);
+#ifdef USE_SSL
+ /*
+ * If SSL is enabled, re-initialize the SSL context so that new
+ * connections pick up rotated certificates without requiring a restart.
+ * SSL_ServerSide_init() is safe to call repeatedly: it frees and replaces
+ * the existing SSL_CTX only on success, leaving the old context intact on
+ * failure.
+ */
+ if (pool_config->ssl)
+ {
+ ereport(LOG,
+ (errmsg("reload SSL certificates.")));
+ SSL_ServerSide_init();
+ }
+#endif /* USE_SSL */
+
kill_all_children(SIGHUP);
}
diff --git a/src/protocol/child.c b/src/protocol/child.c
index c34f05728..713bfe28f 100644
--- a/src/protocol/child.c
+++ b/src/protocol/child.c
@@ -1796,6 +1796,17 @@ check_config_reload(void)
if (strcmp("", pool_config->pool_passwd))
pool_reopen_passwd_file();
+#ifdef USE_SSL
+ /*
+ * Re-initialize the frontend SSL context so this child process
+ * serves new connections with any rotated certificates without a
+ * restart. In-flight TLS sessions are unaffected; they hold a
+ * direct reference to the old SSL object.
+ */
+ if (pool_config->ssl)
+ SSL_ServerSide_init();
+#endif /* USE_SSL */
+
got_sighup = 0;
}
}
diff --git a/src/test/regression/tests/042.ssl_reload/README b/src/test/regression/tests/042.ssl_reload/README
new file mode 100644
index 000000000..c73cf0bd3
--- /dev/null
+++ b/src/test/regression/tests/042.ssl_reload/README
@@ -0,0 +1,6 @@
+The sample server.key and server.crt was created by using following commands:
+
+openssl req -new -text -out server.req
+openssl rsa -in privkey.pem -out server.key
+rm privkey.pem
+openssl req -x509 -days 3650 -in server.req -text -key server.key -out server.crt
diff --git a/src/test/regression/tests/042.ssl_reload/server.crt b/src/test/regression/tests/042.ssl_reload/server.crt
new file mode 100644
index 000000000..90d5e08e7
--- /dev/null
+++ b/src/test/regression/tests/042.ssl_reload/server.crt
@@ -0,0 +1,79 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number:
+ f4:86:4a:aa:50:42:63:dc
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
+ Validity
+ Not Before: Aug 29 02:52:36 2018 GMT
+ Not After : Aug 26 02:52:36 2028 GMT
+ Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:f4:e3:30:f0:09:e2:43:0e:a1:67:2e:3b:ef:b5:
+ 88:1e:4e:a9:06:fa:f2:94:8b:fa:4f:0a:9f:e0:57:
+ 45:95:2c:c1:18:1d:21:6d:c8:5c:2a:05:94:0b:c6:
+ 49:c5:97:88:ac:88:ba:73:fb:81:28:eb:e1:cd:7f:
+ 9d:fb:e0:c5:0d:ef:35:cc:12:b8:74:0b:a1:e9:65:
+ d4:19:38:9b:a8:e1:c5:ef:d5:f1:9c:cf:8a:de:bf:
+ fa:d7:6c:f9:d7:85:10:db:9f:e9:03:e9:7e:f1:81:
+ de:9d:f3:b3:a3:6f:19:31:c8:bb:31:c0:e7:7d:ea:
+ 6b:02:98:21:7c:c2:f5:9d:0d:7c:85:2b:5d:81:7c:
+ 71:74:42:89:ab:5c:31:ac:19:fd:c2:0b:fb:e5:c2:
+ b2:54:15:64:40:9c:bf:ed:d2:b1:bb:75:f9:e9:d8:
+ 67:b3:4e:63:c4:3e:f4:8a:2c:87:50:27:dd:22:97:
+ f1:f7:26:49:87:03:55:08:a4:d2:44:21:e1:9a:33:
+ 82:96:09:b3:08:65:bc:a8:3a:f4:64:f3:60:62:d0:
+ 98:d9:82:0c:1b:be:b6:9c:22:e8:7f:e6:eb:20:d9:
+ 71:67:2c:d5:14:83:aa:f1:37:75:98:4c:68:1d:95:
+ fe:1f:ec:cb:9b:17:9c:f4:92:22:da:bb:78:46:f3:
+ de:7d
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Subject Key Identifier:
+ 68:ED:A7:FE:1E:36:26:18:80:2B:C6:A2:07:23:1C:A4:00:57:16:68
+ X509v3 Authority Key Identifier:
+ keyid:68:ED:A7:FE:1E:36:26:18:80:2B:C6:A2:07:23:1C:A4:00:57:16:68
+
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ Signature Algorithm: sha256WithRSAEncryption
+ dd:61:62:83:6e:fa:e8:8a:1b:02:c6:9f:7f:f3:52:f8:04:5c:
+ c9:35:f9:4c:1d:4f:0f:9f:6c:a2:18:95:f0:76:93:e5:99:58:
+ 4a:88:7a:54:68:cf:28:64:8e:01:3f:fb:7e:28:6f:ad:c6:08:
+ a2:09:77:4c:13:4b:1d:68:70:38:91:d4:dc:f7:c3:c8:81:36:
+ 48:b9:01:46:f9:fa:e8:f7:ba:fe:23:4c:e3:27:a9:58:2d:a6:
+ 3d:88:ac:b8:71:9b:84:ec:bd:82:c4:45:1d:ba:77:ed:73:54:
+ a9:16:76:80:40:0b:80:42:47:60:84:cf:41:e0:0f:8e:85:d3:
+ 28:36:fb:f6:8c:f8:c6:20:b3:c4:06:cc:2d:6d:37:78:b4:d5:
+ 4d:14:db:f0:04:56:66:d8:5a:cc:ff:bd:0c:19:6d:39:bf:26:
+ ac:17:0c:91:a4:68:4b:bc:86:4f:0a:10:81:b5:ac:1e:a6:78:
+ b1:7f:e9:f3:9e:1b:32:92:b2:8f:f7:e2:a3:ae:44:e2:99:b0:
+ 04:0a:15:eb:7a:37:10:b2:7b:ef:35:6c:a5:db:13:96:42:e9:
+ 22:3c:72:6a:34:16:0d:b5:2c:49:f3:83:c7:ff:da:ec:57:14:
+ ab:0d:8d:76:8f:f0:a2:21:4f:88:54:bc:2f:c6:b9:7b:8c:da:
+ 42:9a:b1:12
+-----BEGIN CERTIFICATE-----
+MIIDYDCCAkigAwIBAgIJAPSGSqpQQmPcMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
+BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
+aWRnaXRzIFB0eSBMdGQwHhcNMTgwODI5MDI1MjM2WhcNMjgwODI2MDI1MjM2WjBF
+MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50
+ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEA9OMw8AniQw6hZy4777WIHk6pBvrylIv6Twqf4FdFlSzBGB0hbchcKgWU
+C8ZJxZeIrIi6c/uBKOvhzX+d++DFDe81zBK4dAuh6WXUGTibqOHF79XxnM+K3r/6
+12z514UQ25/pA+l+8YHenfOzo28ZMci7McDnfeprApghfML1nQ18hStdgXxxdEKJ
+q1wxrBn9wgv75cKyVBVkQJy/7dKxu3X56dhns05jxD70iiyHUCfdIpfx9yZJhwNV
+CKTSRCHhmjOClgmzCGW8qDr0ZPNgYtCY2YIMG762nCLof+brINlxZyzVFIOq8Td1
+mExoHZX+H+zLmxec9JIi2rt4RvPefQIDAQABo1MwUTAdBgNVHQ4EFgQUaO2n/h42
+JhiAK8aiByMcpABXFmgwHwYDVR0jBBgwFoAUaO2n/h42JhiAK8aiByMcpABXFmgw
+DwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEA3WFig2766IobAsaf
+f/NS+ARcyTX5TB1PD59sohiV8HaT5ZlYSoh6VGjPKGSOAT/7fihvrcYIogl3TBNL
+HWhwOJHU3PfDyIE2SLkBRvn66Pe6/iNM4yepWC2mPYisuHGbhOy9gsRFHbp37XNU
+qRZ2gEALgEJHYITPQeAPjoXTKDb79oz4xiCzxAbMLW03eLTVTRTb8ARWZthazP+9
+DBltOb8mrBcMkaRoS7yGTwoQgbWsHqZ4sX/p854bMpKyj/fio65E4pmwBAoV63o3
+ELJ77zVspdsTlkLpIjxyajQWDbUsSfODx//a7FcUqw2Ndo/woiFPiFS8L8a5e4za
+QpqxEg==
+-----END CERTIFICATE-----
diff --git a/src/test/regression/tests/042.ssl_reload/server.key b/src/test/regression/tests/042.ssl_reload/server.key
new file mode 100644
index 000000000..0ddd69303
--- /dev/null
+++ b/src/test/regression/tests/042.ssl_reload/server.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEA9OMw8AniQw6hZy4777WIHk6pBvrylIv6Twqf4FdFlSzBGB0h
+bchcKgWUC8ZJxZeIrIi6c/uBKOvhzX+d++DFDe81zBK4dAuh6WXUGTibqOHF79Xx
+nM+K3r/612z514UQ25/pA+l+8YHenfOzo28ZMci7McDnfeprApghfML1nQ18hStd
+gXxxdEKJq1wxrBn9wgv75cKyVBVkQJy/7dKxu3X56dhns05jxD70iiyHUCfdIpfx
+9yZJhwNVCKTSRCHhmjOClgmzCGW8qDr0ZPNgYtCY2YIMG762nCLof+brINlxZyzV
+FIOq8Td1mExoHZX+H+zLmxec9JIi2rt4RvPefQIDAQABAoIBAD6EfaraKxxJcOUh
+hYWlx3FNTZONnz5TGfzxzmz8erQhr84TKcSYIQdNU0VKQu0hyW+anFcdvxSOW6AV
+02RJNqVfC1Hk+ZgOnDA0odgqfnq34MtgyATrax2Az24N0R63Rt16zocEJjdLm2Sh
+oZu4sirmfvutrquTm+wWoH30W7XTCrd17thq8+5VBumXLW4sr40PWXcfPC1Od7JH
+utYZ0lGxr89fhuPpnpLw7V67EdslwmYl8avhzrUlzkXPqufZ33XdWFi/IXoNjMZ2
+MFgZFNKHv682nqjrrodyn4iXEzMSj4z4QLTNxoH79HWvCb2HjUpEWTNrfdu3LNCZ
+FahqHmECgYEA/5MmEEB2GNlhaMP+NMK/3x9RCfDfleqEdExf0KA6TuISNYUgeEeB
+dfczCN8WtxyDMor6fvwINxEAHX64/CompE/ya+Z25VdBQMcLpNVGS01aDdrqWN5B
+4qG8OyK3+eAjCnvyCzWsvvpK1I5u65q6+Q+Cw1wQaxYzhsZkEazQ0OkCgYEA9Ut9
+m74RMGudjkvJK7JIPLDLGEsko+yrh8IuoGn/wLpUJwmkZFQu8HRqdddMVjwQi4CN
+IDScbvyH0uE2yN+gg/BB0eBIyhfrI3xl6FJIQBnI0/7wmb2U82OT0LS18h9n8dAK
++mONcR3zL7XDe8xy1qTS0jjd1QT1QS4YLGPCxHUCgYEAowftCgT00NkqaDhOWr24
+w84oVd0P44QcRkvJ+z2atGNGFln74n5KuUOdjJUy2lAX6Q/6xzJi0y3HEwmZW1JQ
+IBTXobj8M0Q73eSbKuTZ2INZZOk3AMWW5ckiV97H2V//OlrihgARWCo1ve22GBk2
+GFaqpZB+8LDS4bCAeT3yXrECgYEA5rZ3USonLry5d2JOt5u7F+JNU+8xakErYMhC
+ZLzuQY6/oewOxBLuB1nn3CiBc0aRZTSnCFiTnkxFUBJmHe9AIXiz37wtmm9+yWSy
+0R27ORdHbiYGlQPcekP5fr7Jtw7VDHraKIHEQlWiKwix8dntVXe3luTHuRktuH2r
+XO0D/xUCgYEAlQtXyGSl/taUjKyfvfxlFDtpOwBAwUj2CsNzeUd2/5aWkqUrtYz8
+JNCPgSLPKDhLpavH0vUEmftF3uDVPxvMQ4JG9MQ7meHgL7AZmtKdU0VI+Av9xiJe
+d7A1x6o88gv1TqvGRit2qRxNOT0mzhDcXuR2EIQqUav45NyBokSo9xw=
+-----END RSA PRIVATE KEY-----
diff --git a/src/test/regression/tests/042.ssl_reload/server.req b/src/test/regression/tests/042.ssl_reload/server.req
new file mode 100644
index 000000000..fdfd5235d
--- /dev/null
+++ b/src/test/regression/tests/042.ssl_reload/server.req
@@ -0,0 +1,61 @@
+Certificate Request:
+ Data:
+ Version: 1 (0x0)
+ Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:f4:e3:30:f0:09:e2:43:0e:a1:67:2e:3b:ef:b5:
+ 88:1e:4e:a9:06:fa:f2:94:8b:fa:4f:0a:9f:e0:57:
+ 45:95:2c:c1:18:1d:21:6d:c8:5c:2a:05:94:0b:c6:
+ 49:c5:97:88:ac:88:ba:73:fb:81:28:eb:e1:cd:7f:
+ 9d:fb:e0:c5:0d:ef:35:cc:12:b8:74:0b:a1:e9:65:
+ d4:19:38:9b:a8:e1:c5:ef:d5:f1:9c:cf:8a:de:bf:
+ fa:d7:6c:f9:d7:85:10:db:9f:e9:03:e9:7e:f1:81:
+ de:9d:f3:b3:a3:6f:19:31:c8:bb:31:c0:e7:7d:ea:
+ 6b:02:98:21:7c:c2:f5:9d:0d:7c:85:2b:5d:81:7c:
+ 71:74:42:89:ab:5c:31:ac:19:fd:c2:0b:fb:e5:c2:
+ b2:54:15:64:40:9c:bf:ed:d2:b1:bb:75:f9:e9:d8:
+ 67:b3:4e:63:c4:3e:f4:8a:2c:87:50:27:dd:22:97:
+ f1:f7:26:49:87:03:55:08:a4:d2:44:21:e1:9a:33:
+ 82:96:09:b3:08:65:bc:a8:3a:f4:64:f3:60:62:d0:
+ 98:d9:82:0c:1b:be:b6:9c:22:e8:7f:e6:eb:20:d9:
+ 71:67:2c:d5:14:83:aa:f1:37:75:98:4c:68:1d:95:
+ fe:1f:ec:cb:9b:17:9c:f4:92:22:da:bb:78:46:f3:
+ de:7d
+ Exponent: 65537 (0x10001)
+ Attributes:
+ a0:00
+ Signature Algorithm: sha256WithRSAEncryption
+ 7a:30:69:6c:aa:30:6f:f3:bc:dc:85:78:04:ef:f6:0c:b2:04:
+ e7:03:55:fd:4a:98:74:d6:fd:24:a1:e9:e8:3d:e3:a1:b0:dc:
+ 12:b9:1f:38:fe:9e:42:5a:0c:06:b8:0c:f6:65:0b:78:95:73:
+ 27:31:14:e5:4d:4f:e2:82:3f:52:24:45:ba:31:e7:87:b7:c8:
+ b9:8a:db:5f:5e:fd:1a:f2:6c:7d:d6:d1:1d:19:77:5e:10:51:
+ d3:24:7f:5a:7d:3f:eb:db:33:0b:27:97:72:b9:f0:ea:89:79:
+ ca:b7:23:7c:c0:8a:e9:11:30:45:99:09:58:da:08:86:28:32:
+ 21:c0:3f:2e:87:3e:a4:96:55:f1:65:72:4f:06:0b:b3:a1:97:
+ 7d:54:6c:0d:96:b4:41:11:6e:28:45:cb:16:d7:1e:70:1e:a8:
+ a2:4e:7f:65:8e:71:e9:05:e2:ad:cc:9a:79:1d:73:39:e8:f0:
+ e8:f3:75:ab:bf:9d:44:7b:b7:76:3f:0d:50:e0:9c:ef:2c:d5:
+ eb:c3:0d:4f:c1:77:af:56:7e:78:db:e8:a0:52:05:f6:49:89:
+ ab:c0:ff:d6:97:9d:9d:84:14:12:73:ee:31:1d:12:ad:e7:91:
+ 8d:ac:ff:ee:8d:18:07:be:c8:ec:57:9d:78:41:9c:1e:a1:75:
+ 2b:99:f7:70
+-----BEGIN CERTIFICATE REQUEST-----
+MIICijCCAXICAQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx
+ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAPTjMPAJ4kMOoWcuO++1iB5OqQb68pSL+k8Kn+BX
+RZUswRgdIW3IXCoFlAvGScWXiKyIunP7gSjr4c1/nfvgxQ3vNcwSuHQLoell1Bk4
+m6jhxe/V8ZzPit6/+tds+deFENuf6QPpfvGB3p3zs6NvGTHIuzHA533qawKYIXzC
+9Z0NfIUrXYF8cXRCiatcMawZ/cIL++XCslQVZECcv+3Ssbt1+enYZ7NOY8Q+9Ios
+h1An3SKX8fcmSYcDVQik0kQh4ZozgpYJswhlvKg69GTzYGLQmNmCDBu+tpwi6H/m
+6yDZcWcs1RSDqvE3dZhMaB2V/h/sy5sXnPSSItq7eEbz3n0CAwEAAaAAMA0GCSqG
+SIb3DQEBCwUAA4IBAQB6MGlsqjBv87zchXgE7/YMsgTnA1X9Sph01v0koenoPeOh
+sNwSuR84/p5CWgwGuAz2ZQt4lXMnMRTlTU/igj9SJEW6MeeHt8i5ittfXv0a8mx9
+1tEdGXdeEFHTJH9afT/r2zMLJ5dyufDqiXnKtyN8wIrpETBFmQlY2giGKDIhwD8u
+hz6kllXxZXJPBguzoZd9VGwNlrRBEW4oRcsW1x5wHqiiTn9ljnHpBeKtzJp5HXM5
+6PDo83Wrv51Ee7d2Pw1Q4JzvLNXrww1PwXevVn542+igUgX2SYmrwP/Wl52dhBQS
+c+4xHRKt55GNrP/ujRgHvsjsV514QZweoXUrmfdw
+-----END CERTIFICATE REQUEST-----
diff --git a/src/test/regression/tests/042.ssl_reload/test.sh b/src/test/regression/tests/042.ssl_reload/test.sh
new file mode 100755
index 000000000..302216878
--- /dev/null
+++ b/src/test/regression/tests/042.ssl_reload/test.sh
@@ -0,0 +1,257 @@
+#!/usr/bin/env bash
+#-------------------------------------------------------------------
+# test script for SSL connection upon reloading for: frontend <--> Pgpool-II and Pgpool-II and PostgreSQL.
+#
+source $TESTLIBS
+TESTDIR=testdir
+PSQL=$PGBIN/psql
+PG_CTL=$PGBIN/pg_ctl
+export PGDATABASE=test
+SSL_KEY=server.key
+SSL_CRT=server.crt
+
+#-------------------------------------------
+# Check psql output for \conninfo to see if SSL enabled
+#-------------------------------------------
+function check_ssl {
+ $PSQL -h localhost test <<EOF > result
+\conninfo
+\q
+EOF
+
+ # PostgreSQL 18 or later prints tablular output for \conninfo.
+ # For SSL, "SSL Connection | true (or false)"
+ if [ $PGVERSION -ge 18 ];then
+ grep "SSL Connection" result|grep true
+ else
+ grep SSL result
+ fi
+}
+
+# ---------------------------------------------------------------
+# Test ssl configuration param.
+# params:
+# $1: configuration name. e.g. ssl_cert
+# $2: good value for the config
+#
+# This performs following tests:
+# 1. Set bad value to the config and restart pgpool to make sure SSL connection does not establish.
+# 2. Set good value to the config and reload to make sure SSL connection establishes.
+# If test fails, exit with status 1
+function test_ssl {
+ # set bad value
+ echo "$1 = 'bad_value'" >> etc/pgpool.conf
+ # restart pgpool
+ ./startall
+ wait_for_pgpool_startup
+ check_ssl
+ if [ $? = 0 ];then
+ echo "Checking SSL connection between frontend and Pgpool-II succeeded despite bad config value for $1"
+ ./shutdownall
+ exit 1
+ fi
+ echo "Checking SSL connection between frontend and Pgpool-II failed due to bad config value for $1 as expected."
+
+ # Make sure that SSL connection succeeds with good config value
+ echo "$1 = '$2'" >> etc/pgpool.conf
+ ./pgpool_reload
+ sleep 1
+ check_ssl
+ if [ $? = 0 ];then
+ echo "Checking SSL connection between frontend and Pgpool-II succeeded with good $1"
+ else
+ echo "Checking SSL connection between frontend and Pgpool-II failed with good $1"
+ ./shutdownall
+ exit 1
+ fi
+ ./shutdownall
+}
+
+# main script starts here
+rm -fr $TESTDIR
+mkdir $TESTDIR
+cd $TESTDIR
+
+# create test environment. Number of backend node is 1 is enough.
+echo -n "creating test environment..."
+$PGPOOL_SETUP -m s -n 1 || exit 1
+echo "done."
+
+# setup SSL key and crt file
+cp -p ../$SSL_KEY etc/
+chmod og-rwx etc/$SSL_KEY
+cp -p ../$SSL_CRT etc/
+cp -p ../$SSL_KEY data0/
+chmod og-rwx data0/$SSL_KEY
+cp -p ../$SSL_CRT data0/
+
+# enable SSL support
+dir=`pwd`
+
+echo "ssl = on" >> etc/pgpool.conf
+echo "ssl_key = '$SSL_KEY'" >> etc/pgpool.conf
+echo "ssl_cert = '$SSL_CRT'" >> etc/pgpool.conf
+echo "ssl_prefer_server_ciphers = on" >> etc/pgpool.conf
+echo "ssl_ciphers = 'EECDH:HIGH:MEDIUM:+3DES:!aNULL'" >> etc/pgpool.conf
+
+echo "ssl = on" >> data0/postgresql.conf
+echo "ssl_cert_file = '$SSL_CRT'" >> data0/postgresql.conf
+echo "ssl_key_file = '$SSL_KEY'" >> data0/postgresql.conf
+
+# backend must be connected via TCP/IP
+echo "backend_hostname0 = 'localhost'" >> etc/pgpool.conf
+
+# produce debug message since the only way to confirm the SSL
+# connections is being established is, look into the debug log.
+echo "log_min_messages = debug5" >> etc/pgpool.conf
+
+# allow to access IPv6 localhost
+echo "host all all ::1/128 trust" >> data0/pg_hba.conf
+
+source ./bashrc.ports
+
+./startall
+
+export PGPORT=$PGPOOL_PORT
+
+wait_for_pgpool_startup
+
+# first, checking frontend<-->Pgpool-II...
+check_ssl
+if [ $? != 0 ];then
+ echo "Checking SSL connection between frontend and Pgpool-II failed."
+ ./shutdownall
+ exit 1
+fi
+echo "Checking SSL connection between frontend and Pgpool-II was ok."
+
+if [ $PGVERSION -ge 18 ];then
+ grep "SSL Protocol" result|grep TLSv1.2
+else
+ grep SSL result |grep TLSv1.2
+fi
+
+# if SSl protocol version TLSv1.2
+if [ $? = 0 ];then
+ grep SSL result |grep ECDH
+
+ if [ $? != 0 ];then
+ echo "Checking SSL connection with ECDH between frontend and Pgpool-II failed."
+ ./shutdownall
+ exit 1
+ fi
+ echo "Checking SSL connection with ECDH between frontend and Pgpool-II was ok."
+fi
+
+grep "client->server SSL response: S" log/pgpool.log >/dev/null
+if [ $? != 0 ];then
+ echo "Checking SSL connection between Pgpool-II and backend failed."
+ ./shutdownall
+ exit 1
+fi
+echo "Checking SSL connection between Pgpool-II and backend was ok."
+
+# So far SSL connection between clients and Pgpool-II, Pgpool-II and backend are ok.
+
+./shutdownall
+
+# ---------------------------------------------------------------
+# Test SSL params
+
+config_names[0]=ssl_cert
+config_names[1]=ssl_ciphers
+config_names[2]=ssl_crl_file
+config_names[3]=ssl_dh_params_file # ssl_dh_params_file can be a invalid file (fallback mechanism)
+config_names[4]=ssl_ecdh_curve
+config_names[5]=ssl_key
+config_names[6]=ssl_passphrase_command # cert does not require pass passphrase
+config_names[7]=ssl_prefer_server_ciphers # this affects server side ciphers
+
+good_values[0]=server.crt
+good_values[1]=HIGH:MEDIUM:+3DES:!aNULL
+good_values[2]=""
+good_values[3]=skip
+good_values[4]=prime256v1
+good_values[5]=server.key
+good_values[6]=skip
+good_values[7]=skip
+
+for i in {0..7}
+do
+ echo "===== ${config_names[$i]} ====="
+ if [ "${good_values[$i]}" = "skip" ];then
+ echo "skip this test"
+ else
+ test_ssl ${config_names[$i]} ${good_values[$i]}
+ fi
+done
+
+# ---------------------------------------------------------------
+# Test 4: ssl_ca_cert swap – client cert rejected after CA rotation
+#
+# 1. Two independent self-signed CAs are generated (CA #1 / CA #2).
+# 2. A client certificate is signed with CA #1.
+# 3. pgpool starts trusting CA #1 with pool_hba.conf set to require
+# client-certificate authentication (cert method).
+# 4. Verify the CA1-signed client cert is accepted.
+# 5. Reload pgpool with ssl_ca_cert pointing at CA #2.
+# 6. Verify the same client cert is now rejected because its issuer
+# (CA #1) is no longer trusted.
+# ---------------------------------------------------------------
+echo "===== ssl_ca_cert swap (client cert auth reload) ====="
+
+CADIR=`pwd`/catest
+mkdir -p "$CADIR"
+
+openssl req -new -x509 -days 3650 -nodes \
+ -subj "/CN=TestCA1" \
+ -keyout "$CADIR/ca1.key" -out "$CADIR/ca1.crt" 2>/dev/null
+
+openssl req -new -x509 -days 3650 -nodes \
+ -subj "/CN=TestCA2" \
+ -keyout "$CADIR/ca2.key" -out "$CADIR/ca2.crt" 2>/dev/null
+
+openssl req -new -nodes \
+ -subj "/CN=ssltest" \
+ -keyout "$CADIR/client.key" -out "$CADIR/client.csr" 2>/dev/null
+openssl x509 -req -days 3650 \
+ -CA "$CADIR/ca1.crt" -CAkey "$CADIR/ca1.key" -CAcreateserial \
+ -in "$CADIR/client.csr" -out "$CADIR/client.crt" 2>/dev/null
+chmod 600 "$CADIR/client.key"
+
+echo "ssl_ca_cert = '$CADIR/ca1.crt'" >> etc/pgpool.conf
+echo "enable_pool_hba = on" >> etc/pgpool.conf
+cat >> etc/pool_hba.conf <<'HBA'
+hostssl all ssltest 127.0.0.1/32 cert
+hostssl all ssltest ::1/128 cert
+HBA
+
+./startall
+wait_for_pgpool_startup
+
+$PSQL -h localhost -p $PGPOOL_PORT test -c "CREATE ROLE ssltest LOGIN" 2>/dev/null ||:
+
+PGSSLMODE=require PGSSLCERT="$CADIR/client.crt" PGSSLKEY="$CADIR/client.key" \
+ PGSSLROOTCERT="$CADIR/ca1.crt" $PSQL -h localhost -U ssltest test -c "SELECT 1" >/dev/null 2>&1
+if [ $? = 0 ]; then
+ echo "CA cert swap: CA1-signed client cert accepted before reload – ok."
+else
+ echo "CA cert swap: CA1-signed client cert rejected before reload – unexpected."
+ ./shutdownall
+ exit 1
+fi
+
+echo "ssl_ca_cert = '$CADIR/ca2.crt'" >> etc/pgpool.conf
+./pgpool_reload
+sleep 1
+
+PGSSLMODE=require PGSSLCERT="$CADIR/client.crt" PGSSLKEY="$CADIR/client.key" \
+ PGSSLROOTCERT="$CADIR/ca1.crt" $PSQL -h localhost -U ssltest test -c "SELECT 1" >/dev/null 2>&1
+if [ $? != 0 ]; then
+ echo "CA cert swap: CA1-signed client cert rejected after reload to CA2 – ok."
+else
+ echo "CA cert swap: CA1-signed client cert still accepted after CA2 reload – unexpected."
+ ./shutdownall
+ exit 1
+fi
+
+./shutdownall
+exit 0
--
2.43.0
^ permalink raw reply [nested|flat] 21+ messages in thread
* Re: Rotate SSL certificates on reload (SIGHUP) without restart
2025-10-23 05:02 Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2025-10-24 04:44 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-16 09:20 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-03-19 10:22 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-25 11:04 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-03-26 08:07 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-26 10:19 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-27 18:16 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-03-31 09:48 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-31 09:53 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-04-01 09:05 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-04-02 19:57 ` Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-04-13 07:28 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-04-14 08:01 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-04-15 06:36 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
@ 2026-04-16 10:31 ` Tatsuo Ishii <[email protected]>
2026-04-16 12:25 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
0 siblings, 1 reply; 21+ messages in thread
From: Tatsuo Ishii @ 2026-04-16 10:31 UTC (permalink / raw)
To: [email protected]; +Cc: [email protected]
Hi Bob,
Thank you for the patch!
Unfortunately after applying the patch, the test failed. From
src/test/regression/log/042.ssl_reload:
===== ssl_ca_cert swap (client cert auth reload) =====
waiting for server to start....1462289 2026-04-16 19:25:49.490 JST LOG: redirecting log output to logging collector process
1462289 2026-04-16 19:25:49.490 JST HINT: Future log output will appear in directory "log".
done
server started
CA cert swap: CA1-signed client cert rejected before reload – unexpected.
From pgpool.log:
2026-04-16 19:26:10.150: child pid 1462331: DETAIL: Protocol Major: 1234 Minor: 5679 database: user:
2026-04-16 19:26:10.150: child pid 1462331: DEBUG: selecting backend connection
2026-04-16 19:26:10.150: child pid 1462331: DETAIL: SSLRequest from client
2026-04-16 19:26:10.150: child pid 1462331: DEBUG: pool_write: to frontend: kind:S po:0
2026-04-16 19:26:10.150: child pid 1462331: DEBUG: pool_flush_it: flush size: 1
2026-04-16 19:26:10.167: child pid 1462331: LOG: pool_ssl: "SSL_accept": "tlsv1 alert unknown ca"
2026-04-16 19:26:10.167: child pid 1462331: DEBUG: unable to read data from frontend
2026-04-16 19:26:10.167: child pid 1462331: DETAIL: socket read failed with error "Connection reset by peer"
Please let me know if you need more info.
Regards,
--
Tatsuo Ishii
SRA OSS K.K.
English: http://www.sraoss.co.jp/index_en/
Japanese:http://www.sraoss.co.jp
> Hi Tatsuo,
>
> Please see attached v2. It adds regression coverage for SSL cert reload
> with client certificate authentication; there are no functional code
> changes.
>
> Best regards,
> Bob
>
>
> On Tue, Apr 14, 2026 at 10:02 AM Tatsuo Ishii <[email protected]> wrote:
>
>> Hi Bob,
>>
>> > Hi Tatsuo,
>> >
>> > Please let me know if you need any assistance with updating your test
>> > cases. I am be happy to help.
>> >
>> > Thanks,
>> > Bob
>>
>> Sorry for late. I was busy with personal affairs and some other
>> projects.
>>
>> > On Thu, Apr 2, 2026 at 9:57 PM Bob Ross <[email protected]>
>> wrote:
>> >
>> >> Hi Tatsuo,
>> >>
>> >> Thanks for putting together the regression tests.
>> >>
>> >> Thoughts on your questions:
>> >> - CA Certificates - Yes, adding a cert auth test is highly recommended.
>> We
>> >> could test this by generating two different dummy CA certificates. Start
>> >> pgpool trusting CA #1, swap the config to CA #2, reload and verify if
>> >> client connection correctly gets rejected.
>>
>> If you could extend the test file I posted so that it performs a cert
>> auth test, that would be helpful.
>>
>> >> - DH parameters - perhaps we can test this by providing a non-existent
>> >> file path and then use grep to check pgpool.log for specific warning
>> >> message (per pool_ssl.c it’s “DH: could not load DH parameters”) when
>> >> pgpool tries to load the file.
>>
>> I think it will not work.
>>
>> ===================================================================
>> static bool
>> initialize_dh(SSL_CTX *context)
>> {
>> DH *dh = NULL;
>>
>> SSL_CTX_set_options(context, SSL_OP_SINGLE_DH_USE);
>>
>> if (pool_config->ssl_dh_params_file[0])
>> dh = load_dh_file(pool_config->ssl_dh_params_file);
>> if (!dh)
>> dh = load_dh_buffer(FILE_DH2048, sizeof(FILE_DH2048));
>> if (!dh)
>> {
>> ereport(WARNING,
>> (errmsg("DH: could not load DH
>> parameters")));
>> return false;
>> }
>> :
>> :
>> ===================================================================
>>
>> The ereport message is printed when the built-in DH parameter file is
>> broken. But as long as the source file is fine, it would never happen.
>>
>> Maybe we should fix the code above so that it emits ereport when it
>> fails to load the DH parameter file specified by ssl_dh_params_file?
>>
>> Regards,
>> --
>> Tatsuo Ishii
>> SRA OSS K.K.
>> English: http://www.sraoss.co.jp/index_en/
>> Japanese:http://www.sraoss.co.jp
>>
^ permalink raw reply [nested|flat] 21+ messages in thread
* Re: Rotate SSL certificates on reload (SIGHUP) without restart
2025-10-23 05:02 Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2025-10-24 04:44 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-16 09:20 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-03-19 10:22 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-25 11:04 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-03-26 08:07 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-26 10:19 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-27 18:16 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-03-31 09:48 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-31 09:53 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-04-01 09:05 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-04-02 19:57 ` Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-04-13 07:28 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-04-14 08:01 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-04-15 06:36 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-04-16 10:31 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
@ 2026-04-16 12:25 ` Bob Ross <[email protected]>
2026-04-16 22:37 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
0 siblings, 1 reply; 21+ messages in thread
From: Bob Ross @ 2026-04-16 12:25 UTC (permalink / raw)
To: Tatsuo Ishii <[email protected]>; +Cc: [email protected]
--000000000000a0a5bc064f92ed67
Content-Type: multipart/alternative; boundary="000000000000a0a5ba064f92ed65"
--000000000000a0a5ba064f92ed65
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Hi Tatsuo,
Thank you for the report and the log, that was very helpful.
The bug was in the test, not in the core patch. Test 4 in 042.ssl_reload
set PGSSLROOTCERT=3D"$CADIR/ca1.crt" on both psql invocations. The intent w=
as
to use ca1.crt for server-side client-certificate verification, but
PGSSLROOTCERT actually controls client-side server certificate
verification, and ca1.crt is a freshly generated CA that never signed
pgpool's server.crt. Because libpq upgrades sslmode=3Drequire to verify-ca
behavior when a root CA file is provided, psql immediately sent unknown_ca
back to pgpool and aborted the handshake before server-side client-cert
verification ever ran.
Fix: both lines now use PGSSLROOTCERT=3D"etc/$SSL_CRT". Since server.crt is
self-signed it acts as its own root, so psql accepts pgpool's server cert,
the handshake completes, and the test exercises what it was always meant to
test: whether pgpool enforces the new ssl_ca_cert after reload.
No changes to the core patch.
Please find v3 attached. Please let me know if it fixes the test issue.
Best regards,
Bob
On Thu, Apr 16, 2026 at 12:31=E2=80=AFPM Tatsuo Ishii <[email protected]=
> wrote:
> Hi Bob,
>
> Thank you for the patch!
>
> Unfortunately after applying the patch, the test failed. From
> src/test/regression/log/042.ssl_reload:
>
> =3D=3D=3D=3D=3D ssl_ca_cert swap (client cert auth reload) =3D=3D=3D=3D=
=3D
> waiting for server to start....1462289 2026-04-16 19:25:49.490 JST LOG:
> redirecting log output to logging collector process
> 1462289 2026-04-16 19:25:49.490 JST HINT: Future log output will appear
> in directory "log".
> done
> server started
> CA cert swap: CA1-signed client cert rejected before reload =E2=80=93 une=
xpected.
>
> From pgpool.log:
>
> 2026-04-16 19:26:10.150: child pid 1462331: DETAIL: Protocol Major: 1234
> Minor: 5679 database: user:
> 2026-04-16 19:26:10.150: child pid 1462331: DEBUG: selecting backend
> connection
> 2026-04-16 19:26:10.150: child pid 1462331: DETAIL: SSLRequest from clie=
nt
> 2026-04-16 19:26:10.150: child pid 1462331: DEBUG: pool_write: to
> frontend: kind:S po:0
> 2026-04-16 19:26:10.150: child pid 1462331: DEBUG: pool_flush_it: flush
> size: 1
> 2026-04-16 19:26:10.167: child pid 1462331: LOG: pool_ssl: "SSL_accept":
> "tlsv1 alert unknown ca"
> 2026-04-16 19:26:10.167: child pid 1462331: DEBUG: unable to read data
> from frontend
> 2026-04-16 19:26:10.167: child pid 1462331: DETAIL: socket read failed
> with error "Connection reset by peer"
>
> Please let me know if you need more info.
>
> Regards,
> --
> Tatsuo Ishii
> SRA OSS K.K.
> English: http://www.sraoss.co.jp/index_en/
> Japanese:http://www.sraoss.co.jp
>
> > Hi Tatsuo,
> >
> > Please see attached v2. It adds regression coverage for SSL cert reload
> > with client certificate authentication; there are no functional code
> > changes.
> >
> > Best regards,
> > Bob
> >
> >
> > On Tue, Apr 14, 2026 at 10:02=E2=80=AFAM Tatsuo Ishii <ishii@postgresql=
.org>
> wrote:
> >
> >> Hi Bob,
> >>
> >> > Hi Tatsuo,
> >> >
> >> > Please let me know if you need any assistance with updating your tes=
t
> >> > cases. I am be happy to help.
> >> >
> >> > Thanks,
> >> > Bob
> >>
> >> Sorry for late. I was busy with personal affairs and some other
> >> projects.
> >>
> >> > On Thu, Apr 2, 2026 at 9:57=E2=80=AFPM Bob Ross <bob.ross.19821@gmai=
l.com>
> >> wrote:
> >> >
> >> >> Hi Tatsuo,
> >> >>
> >> >> Thanks for putting together the regression tests.
> >> >>
> >> >> Thoughts on your questions:
> >> >> - CA Certificates - Yes, adding a cert auth test is highly
> recommended.
> >> We
> >> >> could test this by generating two different dummy CA certificates.
> Start
> >> >> pgpool trusting CA #1, swap the config to CA #2, reload and verify =
if
> >> >> client connection correctly gets rejected.
> >>
> >> If you could extend the test file I posted so that it performs a cert
> >> auth test, that would be helpful.
> >>
> >> >> - DH parameters - perhaps we can test this by providing a
> non-existent
> >> >> file path and then use grep to check pgpool.log for specific warnin=
g
> >> >> message (per pool_ssl.c it=E2=80=99s =E2=80=9CDH: could not load DH=
parameters=E2=80=9D) when
> >> >> pgpool tries to load the file.
> >>
> >> I think it will not work.
> >>
> >> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
> >> static bool
> >> initialize_dh(SSL_CTX *context)
> >> {
> >> DH *dh =3D NULL;
> >>
> >> SSL_CTX_set_options(context, SSL_OP_SINGLE_DH_USE);
> >>
> >> if (pool_config->ssl_dh_params_file[0])
> >> dh =3D load_dh_file(pool_config->ssl_dh_params_file);
> >> if (!dh)
> >> dh =3D load_dh_buffer(FILE_DH2048, sizeof(FILE_DH2048)=
);
> >> if (!dh)
> >> {
> >> ereport(WARNING,
> >> (errmsg("DH: could not load DH
> >> parameters")));
> >> return false;
> >> }
> >> :
> >> :
> >> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
> >>
> >> The ereport message is printed when the built-in DH parameter file is
> >> broken. But as long as the source file is fine, it would never happen.
> >>
> >> Maybe we should fix the code above so that it emits ereport when it
> >> fails to load the DH parameter file specified by ssl_dh_params_file?
> >>
> >> Regards,
> >> --
> >> Tatsuo Ishii
> >> SRA OSS K.K.
> >> English: http://www.sraoss.co.jp/index_en/
> >> Japanese:http://www.sraoss.co.jp
> >>
>
--000000000000a0a5ba064f92ed65
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr"><div dir=3D"ltr">Hi Tatsuo,<br><br>Thank you for the repor=
t and the log, that was very helpful.<br><br>The bug was in the test, not i=
n the core patch. Test 4 in 042.ssl_reload set PGSSLROOTCERT=3D"$CADIR=
/ca1.crt" on both psql invocations. The intent was to use ca1.crt for =
server-side client-certificate verification, but PGSSLROOTCERT actually con=
trols client-side server certificate verification, and ca1.crt is a freshly=
generated CA that never signed pgpool's server.crt. Because libpq upgr=
ades sslmode=3Drequire to verify-ca behavior when a root CA file is provide=
d, psql immediately sent unknown_ca back to pgpool and aborted the handshak=
e before server-side client-cert verification ever ran.<br><br>Fix: both li=
nes now use PGSSLROOTCERT=3D"etc/$SSL_CRT". Since server.crt is s=
elf-signed it acts as its own root, so psql accepts pgpool's server cer=
t, the handshake completes, and the test exercises what it was always meant=
to test: whether pgpool enforces the new ssl_ca_cert after reload.<br><br>=
<div>No changes to the core patch.<br><br>Please find v3 attached. Please l=
et me know if it fixes the test issue.<br><br>Best regards,</div><div>Bob</=
div></div><br><div class=3D"gmail_quote gmail_quote_container"><div dir=3D"=
ltr" class=3D"gmail_attr">On Thu, Apr 16, 2026 at 12:31=E2=80=AFPM Tatsuo I=
shii <<a href=3D"mailto:[email protected]">[email protected]</a>&g=
t; wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0p=
x 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi Bob=
,<br>
<br>
Thank you for the patch!<br>
<br>
Unfortunately after applying the patch, the test failed. From<br>
src/test/regression/log/042.ssl_reload:<br>
<br>
=3D=3D=3D=3D=3D ssl_ca_cert swap (client cert auth reload) =3D=3D=3D=3D=3D<=
br>
waiting for server to start....1462289 2026-04-16 19:25:49.490 JST LOG:=C2=
=A0 redirecting log output to logging collector process<br>
1462289 2026-04-16 19:25:49.490 JST HINT:=C2=A0 Future log output will appe=
ar in directory "log".<br>
=C2=A0done<br>
server started<br>
CA cert swap: CA1-signed client cert rejected before reload =E2=80=93 unexp=
ected.<br>
<br>
^ permalink raw reply [nested|flat] 21+ messages in thread
* Re: Rotate SSL certificates on reload (SIGHUP) without restart
2025-10-23 05:02 Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2025-10-24 04:44 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-16 09:20 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-03-19 10:22 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-25 11:04 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-03-26 08:07 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-26 10:19 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-27 18:16 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-03-31 09:48 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-31 09:53 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-04-01 09:05 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-04-02 19:57 ` Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-04-13 07:28 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-04-14 08:01 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-04-15 06:36 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-04-16 10:31 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-04-16 12:25 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
@ 2026-04-16 22:37 ` Tatsuo Ishii <[email protected]>
2026-04-17 09:50 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
0 siblings, 1 reply; 21+ messages in thread
From: Tatsuo Ishii @ 2026-04-16 22:37 UTC (permalink / raw)
To: [email protected]; +Cc: [email protected]
Hi Bob,
Thank you for the new patch. This time it failed with different pgpool.log.
src/test/regression/log/042.ssl_reload was same.
2026-04-17 07:30:46.893: child pid 1475041: DEBUG: attempting to negotiate a secure connection
2026-04-17 07:30:46.893: child pid 1475041: DETAIL: sending client->server SSL request
2026-04-17 07:30:46.893: child pid 1475041: DEBUG: pool_flush_it: flush size: 8
2026-04-17 07:30:46.894: child pid 1475041: DEBUG: pool_read: read 1 bytes from backend 0
2026-04-17 07:30:46.894: child pid 1475041: DEBUG: attempting to negotiate a secure connection
2026-04-17 07:30:46.894: child pid 1475041: DETAIL: client->server SSL response: S
2026-04-17 07:30:46.899: child pid 1475041: LOG: pool_ssl: "SSL_connect": "certificate verify failed"
2026-04-17 07:30:46.899: child pid 1475041: DEBUG: pool_flush_it: flush size: 58
2026-04-17 07:30:46.899: child pid 1475041: DEBUG: pool_read: read 360 bytes from backend 0
2026-04-17 07:30:46.900: child pid 1475041: ERROR: backend authentication failed
2026-04-17 07:30:46.900: child pid 1475041: DETAIL: backend response with kind '�' when expecting 'R'
2026-04-17 07:30:46.900: child pid 1475041: DEBUG: pool_write: to frontend: kind:E po:0
2026-04-17 07:30:46.900: child pid 1475041: DEBUG: pool_write: to frontend: length:4 po:1
2026-04-17 07:30:46.900: child pid 1475041: DEBUG: pool_write: to frontend: length:115 po:5
2026-04-17 07:30:46.900: child pid 1475041: DEBUG: pool_flush_it: flush size: 120
> Hi Tatsuo,
>
> Thank you for the report and the log, that was very helpful.
>
> The bug was in the test, not in the core patch. Test 4 in 042.ssl_reload
> set PGSSLROOTCERT="$CADIR/ca1.crt" on both psql invocations. The intent was
> to use ca1.crt for server-side client-certificate verification, but
> PGSSLROOTCERT actually controls client-side server certificate
> verification, and ca1.crt is a freshly generated CA that never signed
> pgpool's server.crt. Because libpq upgrades sslmode=require to verify-ca
> behavior when a root CA file is provided, psql immediately sent unknown_ca
> back to pgpool and aborted the handshake before server-side client-cert
> verification ever ran.
>
> Fix: both lines now use PGSSLROOTCERT="etc/$SSL_CRT". Since server.crt is
> self-signed it acts as its own root, so psql accepts pgpool's server cert,
> the handshake completes, and the test exercises what it was always meant to
> test: whether pgpool enforces the new ssl_ca_cert after reload.
>
> No changes to the core patch.
>
> Please find v3 attached. Please let me know if it fixes the test issue.
>
> Best regards,
> Bob
>
> On Thu, Apr 16, 2026 at 12:31 PM Tatsuo Ishii <[email protected]> wrote:
>
>> Hi Bob,
>>
>> Thank you for the patch!
>>
>> Unfortunately after applying the patch, the test failed. From
>> src/test/regression/log/042.ssl_reload:
>>
>> ===== ssl_ca_cert swap (client cert auth reload) =====
>> waiting for server to start....1462289 2026-04-16 19:25:49.490 JST LOG:
>> redirecting log output to logging collector process
>> 1462289 2026-04-16 19:25:49.490 JST HINT: Future log output will appear
>> in directory "log".
>> done
>> server started
>> CA cert swap: CA1-signed client cert rejected before reload – unexpected.
>>
>> From pgpool.log:
>>
>> 2026-04-16 19:26:10.150: child pid 1462331: DETAIL: Protocol Major: 1234
>> Minor: 5679 database: user:
>> 2026-04-16 19:26:10.150: child pid 1462331: DEBUG: selecting backend
>> connection
>> 2026-04-16 19:26:10.150: child pid 1462331: DETAIL: SSLRequest from client
>> 2026-04-16 19:26:10.150: child pid 1462331: DEBUG: pool_write: to
>> frontend: kind:S po:0
>> 2026-04-16 19:26:10.150: child pid 1462331: DEBUG: pool_flush_it: flush
>> size: 1
>> 2026-04-16 19:26:10.167: child pid 1462331: LOG: pool_ssl: "SSL_accept":
>> "tlsv1 alert unknown ca"
>> 2026-04-16 19:26:10.167: child pid 1462331: DEBUG: unable to read data
>> from frontend
>> 2026-04-16 19:26:10.167: child pid 1462331: DETAIL: socket read failed
>> with error "Connection reset by peer"
>>
>> Please let me know if you need more info.
>>
>> Regards,
>> --
>> Tatsuo Ishii
>> SRA OSS K.K.
>> English: http://www.sraoss.co.jp/index_en/
>> Japanese:http://www.sraoss.co.jp
>>
>> > Hi Tatsuo,
>> >
>> > Please see attached v2. It adds regression coverage for SSL cert reload
>> > with client certificate authentication; there are no functional code
>> > changes.
>> >
>> > Best regards,
>> > Bob
>> >
>> >
>> > On Tue, Apr 14, 2026 at 10:02 AM Tatsuo Ishii <[email protected]>
>> wrote:
>> >
>> >> Hi Bob,
>> >>
>> >> > Hi Tatsuo,
>> >> >
>> >> > Please let me know if you need any assistance with updating your test
>> >> > cases. I am be happy to help.
>> >> >
>> >> > Thanks,
>> >> > Bob
>> >>
>> >> Sorry for late. I was busy with personal affairs and some other
>> >> projects.
>> >>
>> >> > On Thu, Apr 2, 2026 at 9:57 PM Bob Ross <[email protected]>
>> >> wrote:
>> >> >
>> >> >> Hi Tatsuo,
>> >> >>
>> >> >> Thanks for putting together the regression tests.
>> >> >>
>> >> >> Thoughts on your questions:
>> >> >> - CA Certificates - Yes, adding a cert auth test is highly
>> recommended.
>> >> We
>> >> >> could test this by generating two different dummy CA certificates.
>> Start
>> >> >> pgpool trusting CA #1, swap the config to CA #2, reload and verify if
>> >> >> client connection correctly gets rejected.
>> >>
>> >> If you could extend the test file I posted so that it performs a cert
>> >> auth test, that would be helpful.
>> >>
>> >> >> - DH parameters - perhaps we can test this by providing a
>> non-existent
>> >> >> file path and then use grep to check pgpool.log for specific warning
>> >> >> message (per pool_ssl.c it’s “DH: could not load DH parameters”) when
>> >> >> pgpool tries to load the file.
>> >>
>> >> I think it will not work.
>> >>
>> >> ===================================================================
>> >> static bool
>> >> initialize_dh(SSL_CTX *context)
>> >> {
>> >> DH *dh = NULL;
>> >>
>> >> SSL_CTX_set_options(context, SSL_OP_SINGLE_DH_USE);
>> >>
>> >> if (pool_config->ssl_dh_params_file[0])
>> >> dh = load_dh_file(pool_config->ssl_dh_params_file);
>> >> if (!dh)
>> >> dh = load_dh_buffer(FILE_DH2048, sizeof(FILE_DH2048));
>> >> if (!dh)
>> >> {
>> >> ereport(WARNING,
>> >> (errmsg("DH: could not load DH
>> >> parameters")));
>> >> return false;
>> >> }
>> >> :
>> >> :
>> >> ===================================================================
>> >>
>> >> The ereport message is printed when the built-in DH parameter file is
>> >> broken. But as long as the source file is fine, it would never happen.
>> >>
>> >> Maybe we should fix the code above so that it emits ereport when it
>> >> fails to load the DH parameter file specified by ssl_dh_params_file?
>> >>
>> >> Regards,
>> >> --
>> >> Tatsuo Ishii
>> >> SRA OSS K.K.
>> >> English: http://www.sraoss.co.jp/index_en/
>> >> Japanese:http://www.sraoss.co.jp
>> >>
>>
^ permalink raw reply [nested|flat] 21+ messages in thread
* Re: Rotate SSL certificates on reload (SIGHUP) without restart
2025-10-23 05:02 Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2025-10-24 04:44 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-16 09:20 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-03-19 10:22 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-25 11:04 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-03-26 08:07 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-26 10:19 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-27 18:16 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-03-31 09:48 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-31 09:53 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-04-01 09:05 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-04-02 19:57 ` Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-04-13 07:28 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-04-14 08:01 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-04-15 06:36 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-04-16 10:31 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-04-16 12:25 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-04-16 22:37 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
@ 2026-04-17 09:50 ` Bob Ross <[email protected]>
2026-04-17 11:06 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
0 siblings, 1 reply; 21+ messages in thread
From: Bob Ross @ 2026-04-17 09:50 UTC (permalink / raw)
To: Tatsuo Ishii <[email protected]>; +Cc: [email protected]
Hi Tatsuo,
I've fixed the test failure. The issue was that the original test used the
static self-signed server.crt as the CA bundle. When ssl_ca_cert is set,
pgpool verifies the backend certificate against it, and the self-signed
cert failed that check. The fix generates a dedicated server CA in the test
and issues a backend cert signed by it, so pgpool can always verify the
backend while ca1/ca2 are independently swapped to test client-cert trust
rotation.
The test now passes:
*CA cert swap: CA1-signed client cert accepted before reload – ok.CA cert
swap: CA1-signed client cert rejected after reload to CA2 – ok.testing
042.ssl_reload...ok.out of 1 ok:1 failed:0 timeout:0*
pgpool.log showing client cert accepted before reload:
*2026-04-17 09:23:31.449: child pid 81378: DEBUG: got the SSL
certificate2026-04-17 09:23:31.449: child pid 81378: DETAIL: Protocol
Major: 3 Minor: 0 database: test user: ssltest2026-04-17 09:23:31.450:
child pid 81378: DETAIL: client->server SSL response: S2026-04-17
09:23:31.455: child pid 81378: DETAIL: auth kind:0*
SSL certificate reload completed:
*2026-04-17 09:23:31.471: main pid 81347: LOG: reload SSL certificates.*
pgpool.log showing client cert rejected after reload:
*2026-04-17 09:23:32.485: psql pid 81385: DETAIL: SSLRequest from
client2026-04-17 09:23:32.493: psql pid 81385: LOG: pool_ssl:
"SSL_accept": "certificate verify failed"2026-04-17 09:23:32.493: psql pid
81385: ERROR: failed while reading startup packet*
No changes to the core patch.
The updated v4 is attached.
Regards,
Bob
On Fri, Apr 17, 2026 at 12:37 AM Tatsuo Ishii <[email protected]> wrote:
> Hi Bob,
>
> Thank you for the new patch. This time it failed with different
> pgpool.log.
> src/test/regression/log/042.ssl_reload was same.
>
> 2026-04-17 07:30:46.893: child pid 1475041: DEBUG: attempting to
> negotiate a secure connection
> 2026-04-17 07:30:46.893: child pid 1475041: DETAIL: sending
> client->server SSL request
> 2026-04-17 07:30:46.893: child pid 1475041: DEBUG: pool_flush_it: flush
> size: 8
> 2026-04-17 07:30:46.894: child pid 1475041: DEBUG: pool_read: read 1
> bytes from backend 0
> 2026-04-17 07:30:46.894: child pid 1475041: DEBUG: attempting to
> negotiate a secure connection
> 2026-04-17 07:30:46.894: child pid 1475041: DETAIL: client->server SSL
> response: S
> 2026-04-17 07:30:46.899: child pid 1475041: LOG: pool_ssl: "SSL_connect":
> "certificate verify failed"
> 2026-04-17 07:30:46.899: child pid 1475041: DEBUG: pool_flush_it: flush
> size: 58
> 2026-04-17 07:30:46.899: child pid 1475041: DEBUG: pool_read: read 360
> bytes from backend 0
> 2026-04-17 07:30:46.900: child pid 1475041: ERROR: backend authentication
> failed
> 2026-04-17 07:30:46.900: child pid 1475041: DETAIL: backend response with
> kind ' ' when expecting 'R'
> 2026-04-17 07:30:46.900: child pid 1475041: DEBUG: pool_write: to
> frontend: kind:E po:0
> 2026-04-17 07:30:46.900: child pid 1475041: DEBUG: pool_write: to
> frontend: length:4 po:1
> 2026-04-17 07:30:46.900: child pid 1475041: DEBUG: pool_write: to
> frontend: length:115 po:5
> 2026-04-17 07:30:46.900: child pid 1475041: DEBUG: pool_flush_it: flush
> size: 120
>
> > Hi Tatsuo,
> >
> > Thank you for the report and the log, that was very helpful.
> >
> > The bug was in the test, not in the core patch. Test 4 in 042.ssl_reload
> > set PGSSLROOTCERT="$CADIR/ca1.crt" on both psql invocations. The intent
> was
> > to use ca1.crt for server-side client-certificate verification, but
> > PGSSLROOTCERT actually controls client-side server certificate
> > verification, and ca1.crt is a freshly generated CA that never signed
> > pgpool's server.crt. Because libpq upgrades sslmode=require to verify-ca
> > behavior when a root CA file is provided, psql immediately sent
> unknown_ca
> > back to pgpool and aborted the handshake before server-side client-cert
> > verification ever ran.
> >
> > Fix: both lines now use PGSSLROOTCERT="etc/$SSL_CRT". Since server.crt is
> > self-signed it acts as its own root, so psql accepts pgpool's server
> cert,
> > the handshake completes, and the test exercises what it was always meant
> to
> > test: whether pgpool enforces the new ssl_ca_cert after reload.
> >
> > No changes to the core patch.
> >
> > Please find v3 attached. Please let me know if it fixes the test issue.
> >
> > Best regards,
> > Bob
> >
> > On Thu, Apr 16, 2026 at 12:31 PM Tatsuo Ishii <[email protected]>
> wrote:
> >
> >> Hi Bob,
> >>
> >> Thank you for the patch!
> >>
> >> Unfortunately after applying the patch, the test failed. From
> >> src/test/regression/log/042.ssl_reload:
> >>
> >> ===== ssl_ca_cert swap (client cert auth reload) =====
> >> waiting for server to start....1462289 2026-04-16 19:25:49.490 JST LOG:
> >> redirecting log output to logging collector process
> >> 1462289 2026-04-16 19:25:49.490 JST HINT: Future log output will appear
> >> in directory "log".
> >> done
> >> server started
> >> CA cert swap: CA1-signed client cert rejected before reload –
> unexpected.
> >>
> >> From pgpool.log:
> >>
> >> 2026-04-16 19:26:10.150: child pid 1462331: DETAIL: Protocol Major:
> 1234
> >> Minor: 5679 database: user:
> >> 2026-04-16 19:26:10.150: child pid 1462331: DEBUG: selecting backend
> >> connection
> >> 2026-04-16 19:26:10.150: child pid 1462331: DETAIL: SSLRequest from
> client
> >> 2026-04-16 19:26:10.150: child pid 1462331: DEBUG: pool_write: to
> >> frontend: kind:S po:0
> >> 2026-04-16 19:26:10.150: child pid 1462331: DEBUG: pool_flush_it: flush
> >> size: 1
> >> 2026-04-16 19:26:10.167: child pid 1462331: LOG: pool_ssl:
> "SSL_accept":
> >> "tlsv1 alert unknown ca"
> >> 2026-04-16 19:26:10.167: child pid 1462331: DEBUG: unable to read data
> >> from frontend
> >> 2026-04-16 19:26:10.167: child pid 1462331: DETAIL: socket read failed
> >> with error "Connection reset by peer"
> >>
> >> Please let me know if you need more info.
> >>
> >> Regards,
> >> --
> >> Tatsuo Ishii
> >> SRA OSS K.K.
> >> English: http://www.sraoss.co.jp/index_en/
> >> Japanese:http://www.sraoss.co.jp
> >>
> >> > Hi Tatsuo,
> >> >
> >> > Please see attached v2. It adds regression coverage for SSL cert
> reload
> >> > with client certificate authentication; there are no functional code
> >> > changes.
> >> >
> >> > Best regards,
> >> > Bob
> >> >
> >> >
> >> > On Tue, Apr 14, 2026 at 10:02 AM Tatsuo Ishii <[email protected]>
> >> wrote:
> >> >
> >> >> Hi Bob,
> >> >>
> >> >> > Hi Tatsuo,
> >> >> >
> >> >> > Please let me know if you need any assistance with updating your
> test
> >> >> > cases. I am be happy to help.
> >> >> >
> >> >> > Thanks,
> >> >> > Bob
> >> >>
> >> >> Sorry for late. I was busy with personal affairs and some other
> >> >> projects.
> >> >>
> >> >> > On Thu, Apr 2, 2026 at 9:57 PM Bob Ross <[email protected]>
> >> >> wrote:
> >> >> >
> >> >> >> Hi Tatsuo,
> >> >> >>
> >> >> >> Thanks for putting together the regression tests.
> >> >> >>
> >> >> >> Thoughts on your questions:
> >> >> >> - CA Certificates - Yes, adding a cert auth test is highly
> >> recommended.
> >> >> We
> >> >> >> could test this by generating two different dummy CA certificates.
> >> Start
> >> >> >> pgpool trusting CA #1, swap the config to CA #2, reload and
> verify if
> >> >> >> client connection correctly gets rejected.
> >> >>
> >> >> If you could extend the test file I posted so that it performs a cert
> >> >> auth test, that would be helpful.
> >> >>
> >> >> >> - DH parameters - perhaps we can test this by providing a
> >> non-existent
> >> >> >> file path and then use grep to check pgpool.log for specific
> warning
> >> >> >> message (per pool_ssl.c it’s “DH: could not load DH parameters”)
> when
> >> >> >> pgpool tries to load the file.
> >> >>
> >> >> I think it will not work.
> >> >>
> >> >> ===================================================================
> >> >> static bool
> >> >> initialize_dh(SSL_CTX *context)
> >> >> {
> >> >> DH *dh = NULL;
> >> >>
> >> >> SSL_CTX_set_options(context, SSL_OP_SINGLE_DH_USE);
> >> >>
> >> >> if (pool_config->ssl_dh_params_file[0])
> >> >> dh = load_dh_file(pool_config->ssl_dh_params_file);
> >> >> if (!dh)
> >> >> dh = load_dh_buffer(FILE_DH2048,
> sizeof(FILE_DH2048));
> >> >> if (!dh)
> >> >> {
> >> >> ereport(WARNING,
> >> >> (errmsg("DH: could not load DH
> >> >> parameters")));
> >> >> return false;
> >> >> }
> >> >> :
> >> >> :
> >> >> ===================================================================
> >> >>
> >> >> The ereport message is printed when the built-in DH parameter file is
> >> >> broken. But as long as the source file is fine, it would never
> happen.
> >> >>
> >> >> Maybe we should fix the code above so that it emits ereport when it
> >> >> fails to load the DH parameter file specified by ssl_dh_params_file?
> >> >>
> >> >> Regards,
> >> >> --
> >> >> Tatsuo Ishii
> >> >> SRA OSS K.K.
> >> >> English: http://www.sraoss.co.jp/index_en/
> >> >> Japanese:http://www.sraoss.co.jp
> >> >>
> >>
>
Attachments:
[application/octet-stream] v4-0001-Feature-reload-SSL-certificates-on-SIGHUP-without.patch (28.4K, 3-v4-0001-Feature-reload-SSL-certificates-on-SIGHUP-without.patch)
download | inline diff:
From c97fc6e9d4acb3f5071e473db3b34577f2498d59 Mon Sep 17 00:00:00 2001
From: Bob Ross <[email protected]>
Date: Thu, 17 Apr 2026 00:00:00 +0000
Subject: [PATCH v4] Feature: reload SSL certificates on SIGHUP without restart
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Allow Pgpool-II to pick up rotated TLS certificates (and any change to
SSL-related configuration) when receiving SIGHUP (i.e. systemctl reload
pgpool2), matching the behavior PostgreSQL has had since PostgreSQL 12.
Problem:
All SSL configuration parameters (ssl_cert, ssl_key, ssl_ca_cert,
ssl_ciphers, etc.) were declared CFGCXT_INIT, meaning they were silently
ignored when pool_get_config() was called under CFGCXT_RELOAD.
Furthermore, SSL_ServerSide_init() was only called once at startup in
main.c and never again, so the in-memory SSL_CTX was never refreshed.
Fix:
1. src/main/pgpool_main.c
- Include utils/pool_ssl.h.
- In reload_config(), call SSL_ServerSide_init() (guarded by
#ifdef USE_SSL) *before* kill_all_children(SIGHUP). The function
already replaces SSL_frontend_context atomically: it frees the old
SSL_CTX only after a new one has been created successfully, so a
failed reload leaves the existing context intact.
2. src/protocol/child.c
- In check_config_reload(), call SSL_ServerSide_init() (guarded by
#ifdef USE_SSL) so each worker child also refreshes its own copy of
the SSL context for subsequent new connections. In-flight TLS
sessions are unaffected because they hold a direct reference to the
SSL object, not to SSL_frontend_context.
3. src/config/pool_config_variables.c
- Change CFGCXT_INIT -> CFGCXT_RELOAD for:
ssl_prefer_server_ciphers, ssl_cert, ssl_key, ssl_ca_cert,
ssl_ca_cert_dir, ssl_crl_file, ssl_ciphers, ssl_ecdh_curve,
ssl_dh_params_file, ssl_passphrase_command.
- The 'ssl' boolean (master enable flag) is intentionally left as
CFGCXT_INIT because dynamically enabling SSL at runtime is a
larger, separate concern.
Usage after this change:
Standard in-place certificate rotation (cert-manager, ACME, manual
openssl refresh at the same path):
# replace /etc/pgpool/server.{crt,key} with new files
systemctl reload pgpool2
# or: pgpool -f /etc/pgpool/pgpool.conf reload
New connections will use the new certificates after workers process
the reload signal. Existing connections are not interrupted.
Switching to a different certificate path also works: update
pgpool.conf then reload — the new paths are now accepted in
CFGCXT_RELOAD context.
Author: Bob Ross <[email protected]>
Reviewed-by: Tatsuo Ishii <[email protected]>
Discussion: https://www.postgresql.org/message-id/flat/CAHtZvrddqfbnERYY_DqgURWCjuXeTjM0y08k-ZP_B0bAHYx2ag%40mail.gmail.com
---
src/config/pool_config_variables.c | 20 +-
src/main/pgpool_main.c | 17 ++
src/protocol/child.c | 11 +
.../regression/tests/042.ssl_reload/README | 6 +
.../tests/042.ssl_reload/server.crt | 79 ++++++++
.../tests/042.ssl_reload/server.key | 27 +++
.../tests/042.ssl_reload/server.req | 61 ++++++
.../regression/tests/042.ssl_reload/test.sh | 290 ++++++++++++++++++++++++
8 files changed, 433 insertions(+), 10 deletions(-)
create mode 100644 src/test/regression/tests/042.ssl_reload/README
create mode 100644 src/test/regression/tests/042.ssl_reload/server.crt
create mode 100644 src/test/regression/tests/042.ssl_reload/server.key
create mode 100644 src/test/regression/tests/042.ssl_reload/server.req
create mode 100755 src/test/regression/tests/042.ssl_reload/test.sh
diff --git a/src/config/pool_config_variables.c b/src/config/pool_config_variables.c
index ce13c42f6..ca40c341a 100644
--- a/src/config/pool_config_variables.c
+++ b/src/config/pool_config_variables.c
@@ -705,7 +705,7 @@ static struct config_bool ConfigureNamesBool[] =
},
{
- {"ssl_prefer_server_ciphers", CFGCXT_INIT, SSL_CONFIG,
+ {"ssl_prefer_server_ciphers", CFGCXT_RELOAD, SSL_CONFIG,
"Use server's SSL cipher preferences, rather than the client's",
CONFIG_VAR_TYPE_BOOL, false, 0
},
@@ -1271,7 +1271,7 @@ static struct config_string ConfigureNamesString[] =
},
{
- {"ssl_cert", CFGCXT_INIT, SSL_CONFIG,
+ {"ssl_cert", CFGCXT_RELOAD, SSL_CONFIG,
"SSL public certificate file.",
CONFIG_VAR_TYPE_STRING, false, 0
},
@@ -1281,7 +1281,7 @@ static struct config_string ConfigureNamesString[] =
},
{
- {"ssl_key", CFGCXT_INIT, SSL_CONFIG,
+ {"ssl_key", CFGCXT_RELOAD, SSL_CONFIG,
"SSL private key file.",
CONFIG_VAR_TYPE_STRING, false, 0
},
@@ -1291,7 +1291,7 @@ static struct config_string ConfigureNamesString[] =
},
{
- {"ssl_ca_cert", CFGCXT_INIT, SSL_CONFIG,
+ {"ssl_ca_cert", CFGCXT_RELOAD, SSL_CONFIG,
"Single PEM format file containing CA root certificate(s).",
CONFIG_VAR_TYPE_STRING, false, 0
},
@@ -1301,7 +1301,7 @@ static struct config_string ConfigureNamesString[] =
},
{
- {"ssl_ca_cert_dir", CFGCXT_INIT, SSL_CONFIG,
+ {"ssl_ca_cert_dir", CFGCXT_RELOAD, SSL_CONFIG,
"Directory containing CA root certificate(s).",
CONFIG_VAR_TYPE_STRING, false, 0
},
@@ -1311,7 +1311,7 @@ static struct config_string ConfigureNamesString[] =
},
{
- {"ssl_crl_file", CFGCXT_INIT, SSL_CONFIG,
+ {"ssl_crl_file", CFGCXT_RELOAD, SSL_CONFIG,
"SSL certificate revocation list file",
CONFIG_VAR_TYPE_STRING, false, 0
},
@@ -1321,7 +1321,7 @@ static struct config_string ConfigureNamesString[] =
},
{
- {"ssl_ciphers", CFGCXT_INIT, SSL_CONFIG,
+ {"ssl_ciphers", CFGCXT_RELOAD, SSL_CONFIG,
"Allowed SSL ciphers.",
CONFIG_VAR_TYPE_STRING, false, 0
},
@@ -1331,7 +1331,7 @@ static struct config_string ConfigureNamesString[] =
},
{
- {"ssl_ecdh_curve", CFGCXT_INIT, SSL_CONFIG,
+ {"ssl_ecdh_curve", CFGCXT_RELOAD, SSL_CONFIG,
"The curve to use in ECDH key exchange.",
CONFIG_VAR_TYPE_STRING, false, 0
},
@@ -1341,7 +1341,7 @@ static struct config_string ConfigureNamesString[] =
},
{
- {"ssl_dh_params_file", CFGCXT_INIT, SSL_CONFIG,
+ {"ssl_dh_params_file", CFGCXT_RELOAD, SSL_CONFIG,
"Path to the Diffie-Hellman parameters contained file",
CONFIG_VAR_TYPE_STRING, false, 0
},
@@ -1351,7 +1351,7 @@ static struct config_string ConfigureNamesString[] =
},
{
- {"ssl_passphrase_command", CFGCXT_INIT, SSL_CONFIG,
+ {"ssl_passphrase_command", CFGCXT_RELOAD, SSL_CONFIG,
"Path to the Diffie-Hellman parameters contained file",
CONFIG_VAR_TYPE_STRING, false, 0
},
diff --git a/src/main/pgpool_main.c b/src/main/pgpool_main.c
index bf7c452e2..0a9c92826 100644
--- a/src/main/pgpool_main.c
+++ b/src/main/pgpool_main.c
@@ -61,6 +61,7 @@
#include "watchdog/wd_lifecheck.h"
#include "watchdog/watchdog.h"
#include "pcp/pcp_worker.h"
+#include "utils/pool_ssl.h"
#include <grp.h>
/*
@@ -3489,6 +3490,22 @@ reload_config(void)
if (pool_config->enable_pool_hba)
load_hba(hba_file);
+#ifdef USE_SSL
+ /*
+ * If SSL is enabled, re-initialize the SSL context so that new
+ * connections pick up rotated certificates without requiring a restart.
+ * SSL_ServerSide_init() is safe to call repeatedly: it frees and replaces
+ * the existing SSL_CTX only on success, leaving the old context intact on
+ * failure.
+ */
+ if (pool_config->ssl)
+ {
+ ereport(LOG,
+ (errmsg("reload SSL certificates.")));
+ SSL_ServerSide_init();
+ }
+#endif /* USE_SSL */
+
kill_all_children(SIGHUP);
}
diff --git a/src/protocol/child.c b/src/protocol/child.c
index c34f05728..713bfe28f 100644
--- a/src/protocol/child.c
+++ b/src/protocol/child.c
@@ -1796,6 +1796,17 @@ check_config_reload(void)
if (strcmp("", pool_config->pool_passwd))
pool_reopen_passwd_file();
+#ifdef USE_SSL
+ /*
+ * Re-initialize the frontend SSL context so this child process
+ * serves new connections with any rotated certificates without a
+ * restart. In-flight TLS sessions are unaffected; they hold a
+ * direct reference to the old SSL object.
+ */
+ if (pool_config->ssl)
+ SSL_ServerSide_init();
+#endif /* USE_SSL */
+
got_sighup = 0;
}
}
diff --git a/src/test/regression/tests/042.ssl_reload/README b/src/test/regression/tests/042.ssl_reload/README
new file mode 100644
index 000000000..c73cf0bd3
--- /dev/null
+++ b/src/test/regression/tests/042.ssl_reload/README
@@ -0,0 +1,6 @@
+The sample server.key and server.crt was created by using following commands:
+
+openssl req -new -text -out server.req
+openssl rsa -in privkey.pem -out server.key
+rm privkey.pem
+openssl req -x509 -days 3650 -in server.req -text -key server.key -out server.crt
diff --git a/src/test/regression/tests/042.ssl_reload/server.crt b/src/test/regression/tests/042.ssl_reload/server.crt
new file mode 100644
index 000000000..90d5e08e7
--- /dev/null
+++ b/src/test/regression/tests/042.ssl_reload/server.crt
@@ -0,0 +1,79 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number:
+ f4:86:4a:aa:50:42:63:dc
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
+ Validity
+ Not Before: Aug 29 02:52:36 2018 GMT
+ Not After : Aug 26 02:52:36 2028 GMT
+ Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:f4:e3:30:f0:09:e2:43:0e:a1:67:2e:3b:ef:b5:
+ 88:1e:4e:a9:06:fa:f2:94:8b:fa:4f:0a:9f:e0:57:
+ 45:95:2c:c1:18:1d:21:6d:c8:5c:2a:05:94:0b:c6:
+ 49:c5:97:88:ac:88:ba:73:fb:81:28:eb:e1:cd:7f:
+ 9d:fb:e0:c5:0d:ef:35:cc:12:b8:74:0b:a1:e9:65:
+ d4:19:38:9b:a8:e1:c5:ef:d5:f1:9c:cf:8a:de:bf:
+ fa:d7:6c:f9:d7:85:10:db:9f:e9:03:e9:7e:f1:81:
+ de:9d:f3:b3:a3:6f:19:31:c8:bb:31:c0:e7:7d:ea:
+ 6b:02:98:21:7c:c2:f5:9d:0d:7c:85:2b:5d:81:7c:
+ 71:74:42:89:ab:5c:31:ac:19:fd:c2:0b:fb:e5:c2:
+ b2:54:15:64:40:9c:bf:ed:d2:b1:bb:75:f9:e9:d8:
+ 67:b3:4e:63:c4:3e:f4:8a:2c:87:50:27:dd:22:97:
+ f1:f7:26:49:87:03:55:08:a4:d2:44:21:e1:9a:33:
+ 82:96:09:b3:08:65:bc:a8:3a:f4:64:f3:60:62:d0:
+ 98:d9:82:0c:1b:be:b6:9c:22:e8:7f:e6:eb:20:d9:
+ 71:67:2c:d5:14:83:aa:f1:37:75:98:4c:68:1d:95:
+ fe:1f:ec:cb:9b:17:9c:f4:92:22:da:bb:78:46:f3:
+ de:7d
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Subject Key Identifier:
+ 68:ED:A7:FE:1E:36:26:18:80:2B:C6:A2:07:23:1C:A4:00:57:16:68
+ X509v3 Authority Key Identifier:
+ keyid:68:ED:A7:FE:1E:36:26:18:80:2B:C6:A2:07:23:1C:A4:00:57:16:68
+
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ Signature Algorithm: sha256WithRSAEncryption
+ dd:61:62:83:6e:fa:e8:8a:1b:02:c6:9f:7f:f3:52:f8:04:5c:
+ c9:35:f9:4c:1d:4f:0f:9f:6c:a2:18:95:f0:76:93:e5:99:58:
+ 4a:88:7a:54:68:cf:28:64:8e:01:3f:fb:7e:28:6f:ad:c6:08:
+ a2:09:77:4c:13:4b:1d:68:70:38:91:d4:dc:f7:c3:c8:81:36:
+ 48:b9:01:46:f9:fa:e8:f7:ba:fe:23:4c:e3:27:a9:58:2d:a6:
+ 3d:88:ac:b8:71:9b:84:ec:bd:82:c4:45:1d:ba:77:ed:73:54:
+ a9:16:76:80:40:0b:80:42:47:60:84:cf:41:e0:0f:8e:85:d3:
+ 28:36:fb:f6:8c:f8:c6:20:b3:c4:06:cc:2d:6d:37:78:b4:d5:
+ 4d:14:db:f0:04:56:66:d8:5a:cc:ff:bd:0c:19:6d:39:bf:26:
+ ac:17:0c:91:a4:68:4b:bc:86:4f:0a:10:81:b5:ac:1e:a6:78:
+ b1:7f:e9:f3:9e:1b:32:92:b2:8f:f7:e2:a3:ae:44:e2:99:b0:
+ 04:0a:15:eb:7a:37:10:b2:7b:ef:35:6c:a5:db:13:96:42:e9:
+ 22:3c:72:6a:34:16:0d:b5:2c:49:f3:83:c7:ff:da:ec:57:14:
+ ab:0d:8d:76:8f:f0:a2:21:4f:88:54:bc:2f:c6:b9:7b:8c:da:
+ 42:9a:b1:12
+-----BEGIN CERTIFICATE-----
+MIIDYDCCAkigAwIBAgIJAPSGSqpQQmPcMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
+BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
+aWRnaXRzIFB0eSBMdGQwHhcNMTgwODI5MDI1MjM2WhcNMjgwODI2MDI1MjM2WjBF
+MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50
+ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEA9OMw8AniQw6hZy4777WIHk6pBvrylIv6Twqf4FdFlSzBGB0hbchcKgWU
+C8ZJxZeIrIi6c/uBKOvhzX+d++DFDe81zBK4dAuh6WXUGTibqOHF79XxnM+K3r/6
+12z514UQ25/pA+l+8YHenfOzo28ZMci7McDnfeprApghfML1nQ18hStdgXxxdEKJ
+q1wxrBn9wgv75cKyVBVkQJy/7dKxu3X56dhns05jxD70iiyHUCfdIpfx9yZJhwNV
+CKTSRCHhmjOClgmzCGW8qDr0ZPNgYtCY2YIMG762nCLof+brINlxZyzVFIOq8Td1
+mExoHZX+H+zLmxec9JIi2rt4RvPefQIDAQABo1MwUTAdBgNVHQ4EFgQUaO2n/h42
+JhiAK8aiByMcpABXFmgwHwYDVR0jBBgwFoAUaO2n/h42JhiAK8aiByMcpABXFmgw
+DwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEA3WFig2766IobAsaf
+f/NS+ARcyTX5TB1PD59sohiV8HaT5ZlYSoh6VGjPKGSOAT/7fihvrcYIogl3TBNL
+HWhwOJHU3PfDyIE2SLkBRvn66Pe6/iNM4yepWC2mPYisuHGbhOy9gsRFHbp37XNU
+qRZ2gEALgEJHYITPQeAPjoXTKDb79oz4xiCzxAbMLW03eLTVTRTb8ARWZthazP+9
+DBltOb8mrBcMkaRoS7yGTwoQgbWsHqZ4sX/p854bMpKyj/fio65E4pmwBAoV63o3
+ELJ77zVspdsTlkLpIjxyajQWDbUsSfODx//a7FcUqw2Ndo/woiFPiFS8L8a5e4za
+QpqxEg==
+-----END CERTIFICATE-----
diff --git a/src/test/regression/tests/042.ssl_reload/server.key b/src/test/regression/tests/042.ssl_reload/server.key
new file mode 100644
index 000000000..0ddd69303
--- /dev/null
+++ b/src/test/regression/tests/042.ssl_reload/server.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEA9OMw8AniQw6hZy4777WIHk6pBvrylIv6Twqf4FdFlSzBGB0h
+bchcKgWUC8ZJxZeIrIi6c/uBKOvhzX+d++DFDe81zBK4dAuh6WXUGTibqOHF79Xx
+nM+K3r/612z514UQ25/pA+l+8YHenfOzo28ZMci7McDnfeprApghfML1nQ18hStd
+gXxxdEKJq1wxrBn9wgv75cKyVBVkQJy/7dKxu3X56dhns05jxD70iiyHUCfdIpfx
+9yZJhwNVCKTSRCHhmjOClgmzCGW8qDr0ZPNgYtCY2YIMG762nCLof+brINlxZyzV
+FIOq8Td1mExoHZX+H+zLmxec9JIi2rt4RvPefQIDAQABAoIBAD6EfaraKxxJcOUh
+hYWlx3FNTZONnz5TGfzxzmz8erQhr84TKcSYIQdNU0VKQu0hyW+anFcdvxSOW6AV
+02RJNqVfC1Hk+ZgOnDA0odgqfnq34MtgyATrax2Az24N0R63Rt16zocEJjdLm2Sh
+oZu4sirmfvutrquTm+wWoH30W7XTCrd17thq8+5VBumXLW4sr40PWXcfPC1Od7JH
+utYZ0lGxr89fhuPpnpLw7V67EdslwmYl8avhzrUlzkXPqufZ33XdWFi/IXoNjMZ2
+MFgZFNKHv682nqjrrodyn4iXEzMSj4z4QLTNxoH79HWvCb2HjUpEWTNrfdu3LNCZ
+FahqHmECgYEA/5MmEEB2GNlhaMP+NMK/3x9RCfDfleqEdExf0KA6TuISNYUgeEeB
+dfczCN8WtxyDMor6fvwINxEAHX64/CompE/ya+Z25VdBQMcLpNVGS01aDdrqWN5B
+4qG8OyK3+eAjCnvyCzWsvvpK1I5u65q6+Q+Cw1wQaxYzhsZkEazQ0OkCgYEA9Ut9
+m74RMGudjkvJK7JIPLDLGEsko+yrh8IuoGn/wLpUJwmkZFQu8HRqdddMVjwQi4CN
+IDScbvyH0uE2yN+gg/BB0eBIyhfrI3xl6FJIQBnI0/7wmb2U82OT0LS18h9n8dAK
++mONcR3zL7XDe8xy1qTS0jjd1QT1QS4YLGPCxHUCgYEAowftCgT00NkqaDhOWr24
+w84oVd0P44QcRkvJ+z2atGNGFln74n5KuUOdjJUy2lAX6Q/6xzJi0y3HEwmZW1JQ
+IBTXobj8M0Q73eSbKuTZ2INZZOk3AMWW5ckiV97H2V//OlrihgARWCo1ve22GBk2
+GFaqpZB+8LDS4bCAeT3yXrECgYEA5rZ3USonLry5d2JOt5u7F+JNU+8xakErYMhC
+ZLzuQY6/oewOxBLuB1nn3CiBc0aRZTSnCFiTnkxFUBJmHe9AIXiz37wtmm9+yWSy
+0R27ORdHbiYGlQPcekP5fr7Jtw7VDHraKIHEQlWiKwix8dntVXe3luTHuRktuH2r
+XO0D/xUCgYEAlQtXyGSl/taUjKyfvfxlFDtpOwBAwUj2CsNzeUd2/5aWkqUrtYz8
+JNCPgSLPKDhLpavH0vUEmftF3uDVPxvMQ4JG9MQ7meHgL7AZmtKdU0VI+Av9xiJe
+d7A1x6o88gv1TqvGRit2qRxNOT0mzhDcXuR2EIQqUav45NyBokSo9xw=
+-----END RSA PRIVATE KEY-----
diff --git a/src/test/regression/tests/042.ssl_reload/server.req b/src/test/regression/tests/042.ssl_reload/server.req
new file mode 100644
index 000000000..fdfd5235d
--- /dev/null
+++ b/src/test/regression/tests/042.ssl_reload/server.req
@@ -0,0 +1,61 @@
+Certificate Request:
+ Data:
+ Version: 1 (0x0)
+ Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:f4:e3:30:f0:09:e2:43:0e:a1:67:2e:3b:ef:b5:
+ 88:1e:4e:a9:06:fa:f2:94:8b:fa:4f:0a:9f:e0:57:
+ 45:95:2c:c1:18:1d:21:6d:c8:5c:2a:05:94:0b:c6:
+ 49:c5:97:88:ac:88:ba:73:fb:81:28:eb:e1:cd:7f:
+ 9d:fb:e0:c5:0d:ef:35:cc:12:b8:74:0b:a1:e9:65:
+ d4:19:38:9b:a8:e1:c5:ef:d5:f1:9c:cf:8a:de:bf:
+ fa:d7:6c:f9:d7:85:10:db:9f:e9:03:e9:7e:f1:81:
+ de:9d:f3:b3:a3:6f:19:31:c8:bb:31:c0:e7:7d:ea:
+ 6b:02:98:21:7c:c2:f5:9d:0d:7c:85:2b:5d:81:7c:
+ 71:74:42:89:ab:5c:31:ac:19:fd:c2:0b:fb:e5:c2:
+ b2:54:15:64:40:9c:bf:ed:d2:b1:bb:75:f9:e9:d8:
+ 67:b3:4e:63:c4:3e:f4:8a:2c:87:50:27:dd:22:97:
+ f1:f7:26:49:87:03:55:08:a4:d2:44:21:e1:9a:33:
+ 82:96:09:b3:08:65:bc:a8:3a:f4:64:f3:60:62:d0:
+ 98:d9:82:0c:1b:be:b6:9c:22:e8:7f:e6:eb:20:d9:
+ 71:67:2c:d5:14:83:aa:f1:37:75:98:4c:68:1d:95:
+ fe:1f:ec:cb:9b:17:9c:f4:92:22:da:bb:78:46:f3:
+ de:7d
+ Exponent: 65537 (0x10001)
+ Attributes:
+ a0:00
+ Signature Algorithm: sha256WithRSAEncryption
+ 7a:30:69:6c:aa:30:6f:f3:bc:dc:85:78:04:ef:f6:0c:b2:04:
+ e7:03:55:fd:4a:98:74:d6:fd:24:a1:e9:e8:3d:e3:a1:b0:dc:
+ 12:b9:1f:38:fe:9e:42:5a:0c:06:b8:0c:f6:65:0b:78:95:73:
+ 27:31:14:e5:4d:4f:e2:82:3f:52:24:45:ba:31:e7:87:b7:c8:
+ b9:8a:db:5f:5e:fd:1a:f2:6c:7d:d6:d1:1d:19:77:5e:10:51:
+ d3:24:7f:5a:7d:3f:eb:db:33:0b:27:97:72:b9:f0:ea:89:79:
+ ca:b7:23:7c:c0:8a:e9:11:30:45:99:09:58:da:08:86:28:32:
+ 21:c0:3f:2e:87:3e:a4:96:55:f1:65:72:4f:06:0b:b3:a1:97:
+ 7d:54:6c:0d:96:b4:41:11:6e:28:45:cb:16:d7:1e:70:1e:a8:
+ a2:4e:7f:65:8e:71:e9:05:e2:ad:cc:9a:79:1d:73:39:e8:f0:
+ e8:f3:75:ab:bf:9d:44:7b:b7:76:3f:0d:50:e0:9c:ef:2c:d5:
+ eb:c3:0d:4f:c1:77:af:56:7e:78:db:e8:a0:52:05:f6:49:89:
+ ab:c0:ff:d6:97:9d:9d:84:14:12:73:ee:31:1d:12:ad:e7:91:
+ 8d:ac:ff:ee:8d:18:07:be:c8:ec:57:9d:78:41:9c:1e:a1:75:
+ 2b:99:f7:70
+-----BEGIN CERTIFICATE REQUEST-----
+MIICijCCAXICAQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx
+ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAPTjMPAJ4kMOoWcuO++1iB5OqQb68pSL+k8Kn+BX
+RZUswRgdIW3IXCoFlAvGScWXiKyIunP7gSjr4c1/nfvgxQ3vNcwSuHQLoell1Bk4
+m6jhxe/V8ZzPit6/+tds+deFENuf6QPpfvGB3p3zs6NvGTHIuzHA533qawKYIXzC
+9Z0NfIUrXYF8cXRCiatcMawZ/cIL++XCslQVZECcv+3Ssbt1+enYZ7NOY8Q+9Ios
+h1An3SKX8fcmSYcDVQik0kQh4ZozgpYJswhlvKg69GTzYGLQmNmCDBu+tpwi6H/m
+6yDZcWcs1RSDqvE3dZhMaB2V/h/sy5sXnPSSItq7eEbz3n0CAwEAAaAAMA0GCSqG
+SIb3DQEBCwUAA4IBAQB6MGlsqjBv87zchXgE7/YMsgTnA1X9Sph01v0koenoPeOh
+sNwSuR84/p5CWgwGuAz2ZQt4lXMnMRTlTU/igj9SJEW6MeeHt8i5ittfXv0a8mx9
+1tEdGXdeEFHTJH9afT/r2zMLJ5dyufDqiXnKtyN8wIrpETBFmQlY2giGKDIhwD8u
+hz6kllXxZXJPBguzoZd9VGwNlrRBEW4oRcsW1x5wHqiiTn9ljnHpBeKtzJp5HXM5
+6PDo83Wrv51Ee7d2Pw1Q4JzvLNXrww1PwXevVn542+igUgX2SYmrwP/Wl52dhBQS
+c+4xHRKt55GNrP/ujRgHvsjsV514QZweoXUrmfdw
+-----END CERTIFICATE REQUEST-----
diff --git a/src/test/regression/tests/042.ssl_reload/test.sh b/src/test/regression/tests/042.ssl_reload/test.sh
new file mode 100755
index 000000000..302216878
--- /dev/null
+++ b/src/test/regression/tests/042.ssl_reload/test.sh
@@ -0,0 +1,290 @@
+#!/usr/bin/env bash
+#-------------------------------------------------------------------
+# test script for SSL connection upon reloading for: frontend <--> Pgpool-II and Pgpool-II and PostgreSQL.
+#
+source $TESTLIBS
+TESTDIR=testdir
+PSQL=$PGBIN/psql
+PG_CTL=$PGBIN/pg_ctl
+export PGDATABASE=test
+SSL_KEY=server.key
+SSL_CRT=server.crt
+
+#-------------------------------------------
+# Check psql output for \conninfo to see if SSL enabled
+#-------------------------------------------
+function check_ssl {
+ $PSQL -h localhost test <<EOF > result
+\conninfo
+\q
+EOF
+
+ # PostgreSQL 18 or later prints tablular output for \conninfo.
+ # For SSL, "SSL Connection | true (or false)"
+ if [ $PGVERSION -ge 18 ];then
+ grep "SSL Connection" result|grep true
+ else
+ grep SSL result
+ fi
+}
+
+# ---------------------------------------------------------------
+# Test ssl configuration param.
+# params:
+# $1: configuration name. e.g. ssl_cert
+# $2: good value for the config
+#
+# This performs following tests:
+# 1. Set bad value to the config and restart pgpool to make sure SSL connection does not establish.
+# 2. Set good value to the config and reload to make sure SSL connection establishes.
+# If test fails, exit with status 1
+function test_ssl {
+ # set bad value
+ echo "$1 = 'bad_value'" >> etc/pgpool.conf
+ # restart pgpool
+ ./startall
+ wait_for_pgpool_startup
+ check_ssl
+ if [ $? = 0 ];then
+ echo "Checking SSL connection between frontend and Pgpool-II succeeded despite bad config value for $1"
+ ./shutdownall
+ exit 1
+ fi
+ echo "Checking SSL connection between frontend and Pgpool-II failed due to bad config value for $1 as expected."
+
+ # Make sure that SSL connection succeeds with good config value
+ echo "$1 = '$2'" >> etc/pgpool.conf
+ ./pgpool_reload
+ sleep 1
+ check_ssl
+ if [ $? = 0 ];then
+ echo "Checking SSL connection between frontend and Pgpool-II succeeded with good $1"
+ else
+ echo "Checking SSL connection between frontend and Pgpool-II failed with good $1"
+ ./shutdownall
+ exit 1
+ fi
+ ./shutdownall
+}
+
+# main script starts here
+rm -fr $TESTDIR
+mkdir $TESTDIR
+cd $TESTDIR
+
+# create test environment. Number of backend node is 1 is enough.
+echo -n "creating test environment..."
+$PGPOOL_SETUP -m s -n 1 || exit 1
+echo "done."
+
+# setup SSL key and crt file
+cp -p ../$SSL_KEY etc/
+chmod og-rwx etc/$SSL_KEY
+cp -p ../$SSL_CRT etc/
+cp -p ../$SSL_KEY data0/
+chmod og-rwx data0/$SSL_KEY
+cp -p ../$SSL_CRT data0/
+
+# enable SSL support
+dir=`pwd`
+
+echo "ssl = on" >> etc/pgpool.conf
+echo "ssl_key = '$SSL_KEY'" >> etc/pgpool.conf
+echo "ssl_cert = '$SSL_CRT'" >> etc/pgpool.conf
+echo "ssl_prefer_server_ciphers = on" >> etc/pgpool.conf
+echo "ssl_ciphers = 'EECDH:HIGH:MEDIUM:+3DES:!aNULL'" >> etc/pgpool.conf
+
+echo "ssl = on" >> data0/postgresql.conf
+echo "ssl_cert_file = '$SSL_CRT'" >> data0/postgresql.conf
+echo "ssl_key_file = '$SSL_KEY'" >> data0/postgresql.conf
+
+# backend must be connected via TCP/IP
+echo "backend_hostname0 = 'localhost'" >> etc/pgpool.conf
+
+# produce debug message since the only way to confirm the SSL
+# connections is being established is, look into the debug log.
+echo "log_min_messages = debug5" >> etc/pgpool.conf
+
+# allow to access IPv6 localhost
+echo "host all all ::1/128 trust" >> data0/pg_hba.conf
+
+source ./bashrc.ports
+
+./startall
+
+export PGPORT=$PGPOOL_PORT
+
+wait_for_pgpool_startup
+
+# first, checking frontend<-->Pgpool-II...
+check_ssl
+if [ $? != 0 ];then
+ echo "Checking SSL connection between frontend and Pgpool-II failed."
+ ./shutdownall
+ exit 1
+fi
+echo "Checking SSL connection between frontend and Pgpool-II was ok."
+
+if [ $PGVERSION -ge 18 ];then
+ grep "SSL Protocol" result|grep TLSv1.2
+else
+ grep SSL result |grep TLSv1.2
+fi
+
+# if SSl protocol version TLSv1.2
+if [ $? = 0 ];then
+ grep SSL result |grep ECDH
+
+ if [ $? != 0 ];then
+ echo "Checking SSL connection with ECDH between frontend and Pgpool-II failed."
+ ./shutdownall
+ exit 1
+ fi
+ echo "Checking SSL connection with ECDH between frontend and Pgpool-II was ok."
+fi
+
+grep "client->server SSL response: S" log/pgpool.log >/dev/null
+if [ $? != 0 ];then
+ echo "Checking SSL connection between Pgpool-II and backend failed."
+ ./shutdownall
+ exit 1
+fi
+echo "Checking SSL connection between Pgpool-II and backend was ok."
+
+# So far SSL connection between clients and Pgpool-II, Pgpool-II and backend are ok.
+
+./shutdownall
+
+# ---------------------------------------------------------------
+# Test SSL params
+
+config_names[0]=ssl_cert
+config_names[1]=ssl_ciphers
+config_names[2]=ssl_crl_file
+config_names[3]=ssl_dh_params_file # ssl_dh_params_file can be a invalid file (fallback mechanism)
+config_names[4]=ssl_ecdh_curve
+config_names[5]=ssl_key
+config_names[6]=ssl_passphrase_command # cert does not require pass passphrase
+config_names[7]=ssl_prefer_server_ciphers # this affects server side ciphers
+
+good_values[0]=server.crt
+good_values[1]=HIGH:MEDIUM:+3DES:!aNULL
+good_values[2]=""
+good_values[3]=skip
+good_values[4]=prime256v1
+good_values[5]=server.key
+good_values[6]=skip
+good_values[7]=skip
+
+for i in {0..7}
+do
+ echo "===== ${config_names[$i]} ====="
+ if [ "${good_values[$i]}" = "skip" ];then
+ echo "skip this test"
+ else
+ test_ssl ${config_names[$i]} ${good_values[$i]}
+ fi
+done
+
+# ---------------------------------------------------------------
+# Test 4: ssl_ca_cert swap – client cert rejected after CA rotation
+#
+# 1. Two independent self-signed CAs are generated (CA #1 / CA #2).
+# 2. A client certificate is signed with CA #1.
+# 3. pgpool starts trusting CA #1 with pool_hba.conf set to require
+# client-certificate authentication (cert method).
+# 4. Verify the CA1-signed client cert is accepted.
+# 5. Reload pgpool with ssl_ca_cert pointing at CA #2.
+# 6. Verify the same client cert is now rejected because its issuer
+# (CA #1) is no longer trusted.
+# ---------------------------------------------------------------
+echo "===== ssl_ca_cert swap (client cert auth reload) ====="
+
+CADIR=`pwd`/catest
+mkdir -p "$CADIR"
+
+openssl req -new -x509 -days 3650 -nodes \
+ -subj "/CN=TestCA1" \
+ -keyout "$CADIR/ca1.key" -out "$CADIR/ca1.crt" 2>/dev/null
+
+openssl req -new -x509 -days 3650 -nodes \
+ -subj "/CN=TestCA2" \
+ -keyout "$CADIR/ca2.key" -out "$CADIR/ca2.crt" 2>/dev/null
+
+openssl req -new -nodes \
+ -subj "/CN=ssltest" \
+ -keyout "$CADIR/client.key" -out "$CADIR/client.csr" 2>/dev/null
+openssl x509 -req -days 3650 \
+ -CA "$CADIR/ca1.crt" -CAkey "$CADIR/ca1.key" -CAcreateserial \
+ -in "$CADIR/client.csr" -out "$CADIR/client.crt" 2>/dev/null
+chmod 600 "$CADIR/client.key"
+
+# Generate a dedicated server CA and a new backend cert (with SAN for localhost)
+# signed by it. This CA is stable across the two reload phases so pgpool can
+# always verify the backend, while ca1/ca2 are swapped to control client-cert
+# trust. ca1.crt and ca2.crt are used only for client-certificate auth.
+openssl req -new -x509 -days 3650 -nodes \
+ -subj "/CN=TestServerCA" \
+ -keyout "$CADIR/server_ca.key" -out "$CADIR/server_ca.crt" 2>/dev/null
+
+openssl req -new -nodes \
+ -subj "/CN=localhost" \
+ -addext "subjectAltName=DNS:localhost,IP:127.0.0.1" \
+ -keyout "$CADIR/backend.key" -out "$CADIR/backend.csr" 2>/dev/null
+openssl x509 -req -days 3650 \
+ -CA "$CADIR/server_ca.crt" -CAkey "$CADIR/server_ca.key" -CAcreateserial \
+ -extfile <(echo "subjectAltName=DNS:localhost,IP:127.0.0.1") \
+ -in "$CADIR/backend.csr" -out "$CADIR/backend.crt" 2>/dev/null
+chmod 600 "$CADIR/backend.key"
+
+# Replace the static server.crt/server.key with the new CA-signed cert so that
+# both pgpool (frontend SSL) and PostgreSQL (backend SSL) use it.
+cp "$CADIR/backend.crt" etc/$SSL_CRT
+cp "$CADIR/backend.key" etc/$SSL_KEY
+chmod og-rwx etc/$SSL_KEY
+cp "$CADIR/backend.crt" data0/$SSL_CRT
+cp "$CADIR/backend.key" data0/$SSL_KEY
+chmod og-rwx data0/$SSL_KEY
+
+# CA bundles: server_ca (verifies backend) + client CA (verifies client cert).
+cat "$CADIR/server_ca.crt" "$CADIR/ca1.crt" > "$CADIR/combined_ca1.crt"
+cat "$CADIR/server_ca.crt" "$CADIR/ca2.crt" > "$CADIR/combined_ca2.crt"
+
+echo "ssl_ca_cert = '$CADIR/combined_ca1.crt'" >> etc/pgpool.conf
+echo "enable_pool_hba = on" >> etc/pgpool.conf
+cat >> etc/pool_hba.conf <<'HBA'
+hostssl all ssltest 127.0.0.1/32 cert
+hostssl all ssltest ::1/128 cert
+HBA
+
+./startall
+wait_for_pgpool_startup
+
+$PSQL -h localhost -p $PGPOOL_PORT test -c "CREATE ROLE ssltest LOGIN" 2>/dev/null ||:
+
+PGSSLMODE=require PGSSLCERT="$CADIR/client.crt" PGSSLKEY="$CADIR/client.key" \
+ PGSSLROOTCERT="$CADIR/server_ca.crt" $PSQL -h localhost -U ssltest test -c "SELECT 1" >/dev/null 2>&1
+if [ $? = 0 ]; then
+ echo "CA cert swap: CA1-signed client cert accepted before reload – ok."
+else
+ echo "CA cert swap: CA1-signed client cert rejected before reload – unexpected."
+ ./shutdownall
+ exit 1
+fi
+
+echo "ssl_ca_cert = '$CADIR/combined_ca2.crt'" >> etc/pgpool.conf
+./pgpool_reload
+sleep 1
+
+PGSSLMODE=require PGSSLCERT="$CADIR/client.crt" PGSSLKEY="$CADIR/client.key" \
+ PGSSLROOTCERT="$CADIR/server_ca.crt" $PSQL -h localhost -U ssltest test -c "SELECT 1" >/dev/null 2>&1
+if [ $? != 0 ]; then
+ echo "CA cert swap: CA1-signed client cert rejected after reload to CA2 – ok."
+else
+ echo "CA cert swap: CA1-signed client cert still accepted after CA2 reload – unexpected."
+ ./shutdownall
+ exit 1
+fi
+
+./shutdownall
+exit 0
--
2.43.0
^ permalink raw reply [nested|flat] 21+ messages in thread
* Re: Rotate SSL certificates on reload (SIGHUP) without restart
2025-10-23 05:02 Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2025-10-24 04:44 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-16 09:20 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-03-19 10:22 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-25 11:04 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-03-26 08:07 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-26 10:19 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-27 18:16 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-03-31 09:48 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-31 09:53 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-04-01 09:05 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-04-02 19:57 ` Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-04-13 07:28 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-04-14 08:01 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-04-15 06:36 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-04-16 10:31 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-04-16 12:25 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-04-16 22:37 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-04-17 09:50 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
@ 2026-04-17 11:06 ` Tatsuo Ishii <[email protected]>
2026-04-18 10:08 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
0 siblings, 1 reply; 21+ messages in thread
From: Tatsuo Ishii @ 2026-04-17 11:06 UTC (permalink / raw)
To: [email protected]; +Cc: [email protected]
Hi Bob,
> Hi Tatsuo,
>
> I've fixed the test failure. The issue was that the original test used the
> static self-signed server.crt as the CA bundle. When ssl_ca_cert is set,
> pgpool verifies the backend certificate against it, and the self-signed
> cert failed that check. The fix generates a dedicated server CA in the test
> and issues a backend cert signed by it, so pgpool can always verify the
> backend while ca1/ca2 are independently swapped to test client-cert trust
> rotation.
That makes sense.
> The test now passes:
>
>
>
>
>
> *CA cert swap: CA1-signed client cert accepted before reload – ok.CA cert
> swap: CA1-signed client cert rejected after reload to CA2 – ok.testing
> 042.ssl_reload...ok.out of 1 ok:1 failed:0 timeout:0*
>
> pgpool.log showing client cert accepted before reload:
>
>
>
>
> *2026-04-17 09:23:31.449: child pid 81378: DEBUG: got the SSL
> certificate2026-04-17 09:23:31.449: child pid 81378: DETAIL: Protocol
> Major: 3 Minor: 0 database: test user: ssltest2026-04-17 09:23:31.450:
> child pid 81378: DETAIL: client->server SSL response: S2026-04-17
> 09:23:31.455: child pid 81378: DETAIL: auth kind:0*
>
> SSL certificate reload completed:
>
> *2026-04-17 09:23:31.471: main pid 81347: LOG: reload SSL certificates.*
>
> pgpool.log showing client cert rejected after reload:
>
>
>
> *2026-04-17 09:23:32.485: psql pid 81385: DETAIL: SSLRequest from
> client2026-04-17 09:23:32.493: psql pid 81385: LOG: pool_ssl:
> "SSL_accept": "certificate verify failed"2026-04-17 09:23:32.493: psql pid
> 81385: ERROR: failed while reading startup packet*
>
> No changes to the core patch.
> The updated v4 is attached.
Now the test succeeded here. Many thanks. I will push the patch
tomorrow.
Regards,
--
Tatsuo Ishii
SRA OSS K.K.
English: http://www.sraoss.co.jp/index_en/
Japanese:http://www.sraoss.co.jp
^ permalink raw reply [nested|flat] 21+ messages in thread
* Re: Rotate SSL certificates on reload (SIGHUP) without restart
2025-10-23 05:02 Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2025-10-24 04:44 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-16 09:20 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-03-19 10:22 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-25 11:04 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-03-26 08:07 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-26 10:19 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-27 18:16 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-03-31 09:48 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-03-31 09:53 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-04-01 09:05 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-04-02 19:57 ` Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-04-13 07:28 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-04-14 08:01 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-04-15 06:36 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-04-16 10:31 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-04-16 12:25 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-04-16 22:37 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
2026-04-17 09:50 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2026-04-17 11:06 ` Re: Rotate SSL certificates on reload (SIGHUP) without restart Tatsuo Ishii <[email protected]>
@ 2026-04-18 10:08 ` Tatsuo Ishii <[email protected]>
0 siblings, 0 replies; 21+ messages in thread
From: Tatsuo Ishii @ 2026-04-18 10:08 UTC (permalink / raw)
To: [email protected]; +Cc: [email protected]
Hi Bob,
>> Hi Tatsuo,
>>
>> I've fixed the test failure. The issue was that the original test used the
>> static self-signed server.crt as the CA bundle. When ssl_ca_cert is set,
>> pgpool verifies the backend certificate against it, and the self-signed
>> cert failed that check. The fix generates a dedicated server CA in the test
>> and issues a backend cert signed by it, so pgpool can always verify the
>> backend while ca1/ca2 are independently swapped to test client-cert trust
>> rotation.
>
> That makes sense.
>
>> The test now passes:
>>
>>
>>
>>
>>
>> *CA cert swap: CA1-signed client cert accepted before reload – ok.CA cert
>> swap: CA1-signed client cert rejected after reload to CA2 – ok.testing
>> 042.ssl_reload...ok.out of 1 ok:1 failed:0 timeout:0*
>>
>> pgpool.log showing client cert accepted before reload:
>>
>>
>>
>>
>> *2026-04-17 09:23:31.449: child pid 81378: DEBUG: got the SSL
>> certificate2026-04-17 09:23:31.449: child pid 81378: DETAIL: Protocol
>> Major: 3 Minor: 0 database: test user: ssltest2026-04-17 09:23:31.450:
>> child pid 81378: DETAIL: client->server SSL response: S2026-04-17
>> 09:23:31.455: child pid 81378: DETAIL: auth kind:0*
>>
>> SSL certificate reload completed:
>>
>> *2026-04-17 09:23:31.471: main pid 81347: LOG: reload SSL certificates.*
>>
>> pgpool.log showing client cert rejected after reload:
>>
>>
>>
>> *2026-04-17 09:23:32.485: psql pid 81385: DETAIL: SSLRequest from
>> client2026-04-17 09:23:32.493: psql pid 81385: LOG: pool_ssl:
>> "SSL_accept": "certificate verify failed"2026-04-17 09:23:32.493: psql pid
>> 81385: ERROR: failed while reading startup packet*
>>
>> No changes to the core patch.
>> The updated v4 is attached.
>
> Now the test succeeded here. Many thanks. I will push the patch
> tomorrow.
I have pushed this to master branch along with documentation changes.
https://git.postgresql.org/gitweb/?p=pgpool2.git;a=commit;h=931a37e7f63fe514e989d427e1b0c2b7f4344c0d
Thank you!
--
Tatsuo Ishii
SRA OSS K.K.
English: http://www.sraoss.co.jp/index_en/
Japanese:http://www.sraoss.co.jp
^ permalink raw reply [nested|flat] 21+ messages in thread
end of thread, other threads:[~2026-04-18 10:08 UTC | newest]
Thread overview: 21+ messages (download: mbox.gz follow: Atom feed)
-- links below jump to the message on this page --
2025-10-23 05:02 Rotate SSL certificates on reload (SIGHUP) without restart Bob Ross <[email protected]>
2025-10-24 04:44 ` Tatsuo Ishii <[email protected]>
2026-03-16 09:20 ` Bob Ross <[email protected]>
2026-03-19 10:22 ` Tatsuo Ishii <[email protected]>
2026-03-25 11:04 ` Bob Ross <[email protected]>
2026-03-26 08:07 ` Tatsuo Ishii <[email protected]>
2026-03-26 10:19 ` Tatsuo Ishii <[email protected]>
2026-03-27 18:16 ` Bob Ross <[email protected]>
2026-03-31 09:48 ` Tatsuo Ishii <[email protected]>
2026-03-31 09:53 ` Bob Ross <[email protected]>
2026-04-01 09:05 ` Tatsuo Ishii <[email protected]>
2026-04-02 19:57 ` Bob Ross <[email protected]>
2026-04-13 07:28 ` Bob Ross <[email protected]>
2026-04-14 08:01 ` Tatsuo Ishii <[email protected]>
2026-04-15 06:36 ` Bob Ross <[email protected]>
2026-04-16 10:31 ` Tatsuo Ishii <[email protected]>
2026-04-16 12:25 ` Bob Ross <[email protected]>
2026-04-16 22:37 ` Tatsuo Ishii <[email protected]>
2026-04-17 09:50 ` Bob Ross <[email protected]>
2026-04-17 11:06 ` Tatsuo Ishii <[email protected]>
2026-04-18 10:08 ` Tatsuo Ishii <[email protected]>
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox