public inbox for [email protected]
help / color / mirror / Atom feedFrom: Bob Ross <[email protected]>
To: Tatsuo Ishii <[email protected]>
Cc: [email protected]
Subject: Re: Rotate SSL certificates on reload (SIGHUP) without restart
Date: Wed, 15 Apr 2026 08:36:06 +0200
Message-ID: <CAHtZvrdhAbVSh2yhSwk0qeHmnL+Sr0LPvjrA+2inKF6WNh7azw@mail.gmail.com> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>
<CAHtZvrfTR=1vbry_HBg5rmWgO1O22ryjqt9tvNd5oT7NjX-vEA@mail.gmail.com>
<CAHtZvrcnFHgLatJQrsGH0-Tupb4vY+dZ3jiBcK5uRgJ1AbGEAg@mail.gmail.com>
<[email protected]>
Hi Tatsuo,
Please see attached v2. It adds regression coverage for SSL cert reload
with client certificate authentication; there are no functional code
changes.
Best regards,
Bob
On Tue, Apr 14, 2026 at 10:02 AM Tatsuo Ishii <[email protected]> wrote:
> Hi Bob,
>
> > Hi Tatsuo,
> >
> > Please let me know if you need any assistance with updating your test
> > cases. I am be happy to help.
> >
> > Thanks,
> > Bob
>
> Sorry for late. I was busy with personal affairs and some other
> projects.
>
> > On Thu, Apr 2, 2026 at 9:57 PM Bob Ross <[email protected]>
> wrote:
> >
> >> Hi Tatsuo,
> >>
> >> Thanks for putting together the regression tests.
> >>
> >> Thoughts on your questions:
> >> - CA Certificates - Yes, adding a cert auth test is highly recommended.
> We
> >> could test this by generating two different dummy CA certificates. Start
> >> pgpool trusting CA #1, swap the config to CA #2, reload and verify if
> >> client connection correctly gets rejected.
>
> If you could extend the test file I posted so that it performs a cert
> auth test, that would be helpful.
>
> >> - DH parameters - perhaps we can test this by providing a non-existent
> >> file path and then use grep to check pgpool.log for specific warning
> >> message (per pool_ssl.c it’s “DH: could not load DH parameters”) when
> >> pgpool tries to load the file.
>
> I think it will not work.
>
> ===================================================================
> static bool
> initialize_dh(SSL_CTX *context)
> {
> DH *dh = NULL;
>
> SSL_CTX_set_options(context, SSL_OP_SINGLE_DH_USE);
>
> if (pool_config->ssl_dh_params_file[0])
> dh = load_dh_file(pool_config->ssl_dh_params_file);
> if (!dh)
> dh = load_dh_buffer(FILE_DH2048, sizeof(FILE_DH2048));
> if (!dh)
> {
> ereport(WARNING,
> (errmsg("DH: could not load DH
> parameters")));
> return false;
> }
> :
> :
> ===================================================================
>
> The ereport message is printed when the built-in DH parameter file is
> broken. But as long as the source file is fine, it would never happen.
>
> Maybe we should fix the code above so that it emits ereport when it
> fails to load the DH parameter file specified by ssl_dh_params_file?
>
> Regards,
> --
> Tatsuo Ishii
> SRA OSS K.K.
> English: http://www.sraoss.co.jp/index_en/
> Japanese:http://www.sraoss.co.jp
>
Attachments:
[application/octet-stream] v2-0001-Feature-reload-SSL-certificates-on-SIGHUP-without.patch (26.9K, 3-v2-0001-Feature-reload-SSL-certificates-on-SIGHUP-without.patch)
download | inline diff:
From c97fc6e9d4acb3f5071e473db3b34577f2498d59 Mon Sep 17 00:00:00 2001
From: Bob Ross <[email protected]>
Date: Wed, 15 Apr 2026 00:00:00 +0000
Subject: [PATCH v2] Feature: reload SSL certificates on SIGHUP without restart
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Allow Pgpool-II to pick up rotated TLS certificates (and any change to
SSL-related configuration) when receiving SIGHUP (i.e. systemctl reload
pgpool2), matching the behavior PostgreSQL has had since PostgreSQL 12.
Problem:
All SSL configuration parameters (ssl_cert, ssl_key, ssl_ca_cert,
ssl_ciphers, etc.) were declared CFGCXT_INIT, meaning they were silently
ignored when pool_get_config() was called under CFGCXT_RELOAD.
Furthermore, SSL_ServerSide_init() was only called once at startup in
main.c and never again, so the in-memory SSL_CTX was never refreshed.
Fix:
1. src/main/pgpool_main.c
- Include utils/pool_ssl.h.
- In reload_config(), call SSL_ServerSide_init() (guarded by
#ifdef USE_SSL) *before* kill_all_children(SIGHUP). The function
already replaces SSL_frontend_context atomically: it frees the old
SSL_CTX only after a new one has been created successfully, so a
failed reload leaves the existing context intact.
2. src/protocol/child.c
- In check_config_reload(), call SSL_ServerSide_init() (guarded by
#ifdef USE_SSL) so each worker child also refreshes its own copy of
the SSL context for subsequent new connections. In-flight TLS
sessions are unaffected because they hold a direct reference to the
SSL object, not to SSL_frontend_context.
3. src/config/pool_config_variables.c
- Change CFGCXT_INIT -> CFGCXT_RELOAD for:
ssl_prefer_server_ciphers, ssl_cert, ssl_key, ssl_ca_cert,
ssl_ca_cert_dir, ssl_crl_file, ssl_ciphers, ssl_ecdh_curve,
ssl_dh_params_file, ssl_passphrase_command.
- The 'ssl' boolean (master enable flag) is intentionally left as
CFGCXT_INIT because dynamically enabling SSL at runtime is a
larger, separate concern.
Usage after this change:
Standard in-place certificate rotation (cert-manager, ACME, manual
openssl refresh at the same path):
# replace /etc/pgpool/server.{crt,key} with new files
systemctl reload pgpool2
# or: pgpool -f /etc/pgpool/pgpool.conf reload
New connections will use the new certificates after workers process
the reload signal. Existing connections are not interrupted.
Switching to a different certificate path also works: update
pgpool.conf then reload — the new paths are now accepted in
CFGCXT_RELOAD context.
Author: Bob Ross <[email protected]>
Reviewed-by: Tatsuo Ishii <[email protected]>
Discussion: https://www.postgresql.org/message-id/flat/CAHtZvrddqfbnERYY_DqgURWCjuXeTjM0y08k-ZP_B0bAHYx2ag%40mail.gmail.com
---
src/config/pool_config_variables.c | 20 +-
src/main/pgpool_main.c | 17 ++
src/protocol/child.c | 11 +
.../regression/tests/042.ssl_reload/README | 6 +
.../tests/042.ssl_reload/server.crt | 79 ++++++++
.../tests/042.ssl_reload/server.key | 27 +++
.../tests/042.ssl_reload/server.req | 61 ++++++
.../regression/tests/042.ssl_reload/test.sh | 257 ++++++++++++++++++++++++
8 files changed, 400 insertions(+), 10 deletions(-)
create mode 100644 src/test/regression/tests/042.ssl_reload/README
create mode 100644 src/test/regression/tests/042.ssl_reload/server.crt
create mode 100644 src/test/regression/tests/042.ssl_reload/server.key
create mode 100644 src/test/regression/tests/042.ssl_reload/server.req
create mode 100755 src/test/regression/tests/042.ssl_reload/test.sh
diff --git a/src/config/pool_config_variables.c b/src/config/pool_config_variables.c
index ce13c42f6..ca40c341a 100644
--- a/src/config/pool_config_variables.c
+++ b/src/config/pool_config_variables.c
@@ -705,7 +705,7 @@ static struct config_bool ConfigureNamesBool[] =
},
{
- {"ssl_prefer_server_ciphers", CFGCXT_INIT, SSL_CONFIG,
+ {"ssl_prefer_server_ciphers", CFGCXT_RELOAD, SSL_CONFIG,
"Use server's SSL cipher preferences, rather than the client's",
CONFIG_VAR_TYPE_BOOL, false, 0
},
@@ -1271,7 +1271,7 @@ static struct config_string ConfigureNamesString[] =
},
{
- {"ssl_cert", CFGCXT_INIT, SSL_CONFIG,
+ {"ssl_cert", CFGCXT_RELOAD, SSL_CONFIG,
"SSL public certificate file.",
CONFIG_VAR_TYPE_STRING, false, 0
},
@@ -1281,7 +1281,7 @@ static struct config_string ConfigureNamesString[] =
},
{
- {"ssl_key", CFGCXT_INIT, SSL_CONFIG,
+ {"ssl_key", CFGCXT_RELOAD, SSL_CONFIG,
"SSL private key file.",
CONFIG_VAR_TYPE_STRING, false, 0
},
@@ -1291,7 +1291,7 @@ static struct config_string ConfigureNamesString[] =
},
{
- {"ssl_ca_cert", CFGCXT_INIT, SSL_CONFIG,
+ {"ssl_ca_cert", CFGCXT_RELOAD, SSL_CONFIG,
"Single PEM format file containing CA root certificate(s).",
CONFIG_VAR_TYPE_STRING, false, 0
},
@@ -1301,7 +1301,7 @@ static struct config_string ConfigureNamesString[] =
},
{
- {"ssl_ca_cert_dir", CFGCXT_INIT, SSL_CONFIG,
+ {"ssl_ca_cert_dir", CFGCXT_RELOAD, SSL_CONFIG,
"Directory containing CA root certificate(s).",
CONFIG_VAR_TYPE_STRING, false, 0
},
@@ -1311,7 +1311,7 @@ static struct config_string ConfigureNamesString[] =
},
{
- {"ssl_crl_file", CFGCXT_INIT, SSL_CONFIG,
+ {"ssl_crl_file", CFGCXT_RELOAD, SSL_CONFIG,
"SSL certificate revocation list file",
CONFIG_VAR_TYPE_STRING, false, 0
},
@@ -1321,7 +1321,7 @@ static struct config_string ConfigureNamesString[] =
},
{
- {"ssl_ciphers", CFGCXT_INIT, SSL_CONFIG,
+ {"ssl_ciphers", CFGCXT_RELOAD, SSL_CONFIG,
"Allowed SSL ciphers.",
CONFIG_VAR_TYPE_STRING, false, 0
},
@@ -1331,7 +1331,7 @@ static struct config_string ConfigureNamesString[] =
},
{
- {"ssl_ecdh_curve", CFGCXT_INIT, SSL_CONFIG,
+ {"ssl_ecdh_curve", CFGCXT_RELOAD, SSL_CONFIG,
"The curve to use in ECDH key exchange.",
CONFIG_VAR_TYPE_STRING, false, 0
},
@@ -1341,7 +1341,7 @@ static struct config_string ConfigureNamesString[] =
},
{
- {"ssl_dh_params_file", CFGCXT_INIT, SSL_CONFIG,
+ {"ssl_dh_params_file", CFGCXT_RELOAD, SSL_CONFIG,
"Path to the Diffie-Hellman parameters contained file",
CONFIG_VAR_TYPE_STRING, false, 0
},
@@ -1351,7 +1351,7 @@ static struct config_string ConfigureNamesString[] =
},
{
- {"ssl_passphrase_command", CFGCXT_INIT, SSL_CONFIG,
+ {"ssl_passphrase_command", CFGCXT_RELOAD, SSL_CONFIG,
"Path to the Diffie-Hellman parameters contained file",
CONFIG_VAR_TYPE_STRING, false, 0
},
diff --git a/src/main/pgpool_main.c b/src/main/pgpool_main.c
index bf7c452e2..0a9c92826 100644
--- a/src/main/pgpool_main.c
+++ b/src/main/pgpool_main.c
@@ -61,6 +61,7 @@
#include "watchdog/wd_lifecheck.h"
#include "watchdog/watchdog.h"
#include "pcp/pcp_worker.h"
+#include "utils/pool_ssl.h"
#include <grp.h>
/*
@@ -3489,6 +3490,22 @@ reload_config(void)
if (pool_config->enable_pool_hba)
load_hba(hba_file);
+#ifdef USE_SSL
+ /*
+ * If SSL is enabled, re-initialize the SSL context so that new
+ * connections pick up rotated certificates without requiring a restart.
+ * SSL_ServerSide_init() is safe to call repeatedly: it frees and replaces
+ * the existing SSL_CTX only on success, leaving the old context intact on
+ * failure.
+ */
+ if (pool_config->ssl)
+ {
+ ereport(LOG,
+ (errmsg("reload SSL certificates.")));
+ SSL_ServerSide_init();
+ }
+#endif /* USE_SSL */
+
kill_all_children(SIGHUP);
}
diff --git a/src/protocol/child.c b/src/protocol/child.c
index c34f05728..713bfe28f 100644
--- a/src/protocol/child.c
+++ b/src/protocol/child.c
@@ -1796,6 +1796,17 @@ check_config_reload(void)
if (strcmp("", pool_config->pool_passwd))
pool_reopen_passwd_file();
+#ifdef USE_SSL
+ /*
+ * Re-initialize the frontend SSL context so this child process
+ * serves new connections with any rotated certificates without a
+ * restart. In-flight TLS sessions are unaffected; they hold a
+ * direct reference to the old SSL object.
+ */
+ if (pool_config->ssl)
+ SSL_ServerSide_init();
+#endif /* USE_SSL */
+
got_sighup = 0;
}
}
diff --git a/src/test/regression/tests/042.ssl_reload/README b/src/test/regression/tests/042.ssl_reload/README
new file mode 100644
index 000000000..c73cf0bd3
--- /dev/null
+++ b/src/test/regression/tests/042.ssl_reload/README
@@ -0,0 +1,6 @@
+The sample server.key and server.crt was created by using following commands:
+
+openssl req -new -text -out server.req
+openssl rsa -in privkey.pem -out server.key
+rm privkey.pem
+openssl req -x509 -days 3650 -in server.req -text -key server.key -out server.crt
diff --git a/src/test/regression/tests/042.ssl_reload/server.crt b/src/test/regression/tests/042.ssl_reload/server.crt
new file mode 100644
index 000000000..90d5e08e7
--- /dev/null
+++ b/src/test/regression/tests/042.ssl_reload/server.crt
@@ -0,0 +1,79 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number:
+ f4:86:4a:aa:50:42:63:dc
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
+ Validity
+ Not Before: Aug 29 02:52:36 2018 GMT
+ Not After : Aug 26 02:52:36 2028 GMT
+ Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:f4:e3:30:f0:09:e2:43:0e:a1:67:2e:3b:ef:b5:
+ 88:1e:4e:a9:06:fa:f2:94:8b:fa:4f:0a:9f:e0:57:
+ 45:95:2c:c1:18:1d:21:6d:c8:5c:2a:05:94:0b:c6:
+ 49:c5:97:88:ac:88:ba:73:fb:81:28:eb:e1:cd:7f:
+ 9d:fb:e0:c5:0d:ef:35:cc:12:b8:74:0b:a1:e9:65:
+ d4:19:38:9b:a8:e1:c5:ef:d5:f1:9c:cf:8a:de:bf:
+ fa:d7:6c:f9:d7:85:10:db:9f:e9:03:e9:7e:f1:81:
+ de:9d:f3:b3:a3:6f:19:31:c8:bb:31:c0:e7:7d:ea:
+ 6b:02:98:21:7c:c2:f5:9d:0d:7c:85:2b:5d:81:7c:
+ 71:74:42:89:ab:5c:31:ac:19:fd:c2:0b:fb:e5:c2:
+ b2:54:15:64:40:9c:bf:ed:d2:b1:bb:75:f9:e9:d8:
+ 67:b3:4e:63:c4:3e:f4:8a:2c:87:50:27:dd:22:97:
+ f1:f7:26:49:87:03:55:08:a4:d2:44:21:e1:9a:33:
+ 82:96:09:b3:08:65:bc:a8:3a:f4:64:f3:60:62:d0:
+ 98:d9:82:0c:1b:be:b6:9c:22:e8:7f:e6:eb:20:d9:
+ 71:67:2c:d5:14:83:aa:f1:37:75:98:4c:68:1d:95:
+ fe:1f:ec:cb:9b:17:9c:f4:92:22:da:bb:78:46:f3:
+ de:7d
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Subject Key Identifier:
+ 68:ED:A7:FE:1E:36:26:18:80:2B:C6:A2:07:23:1C:A4:00:57:16:68
+ X509v3 Authority Key Identifier:
+ keyid:68:ED:A7:FE:1E:36:26:18:80:2B:C6:A2:07:23:1C:A4:00:57:16:68
+
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ Signature Algorithm: sha256WithRSAEncryption
+ dd:61:62:83:6e:fa:e8:8a:1b:02:c6:9f:7f:f3:52:f8:04:5c:
+ c9:35:f9:4c:1d:4f:0f:9f:6c:a2:18:95:f0:76:93:e5:99:58:
+ 4a:88:7a:54:68:cf:28:64:8e:01:3f:fb:7e:28:6f:ad:c6:08:
+ a2:09:77:4c:13:4b:1d:68:70:38:91:d4:dc:f7:c3:c8:81:36:
+ 48:b9:01:46:f9:fa:e8:f7:ba:fe:23:4c:e3:27:a9:58:2d:a6:
+ 3d:88:ac:b8:71:9b:84:ec:bd:82:c4:45:1d:ba:77:ed:73:54:
+ a9:16:76:80:40:0b:80:42:47:60:84:cf:41:e0:0f:8e:85:d3:
+ 28:36:fb:f6:8c:f8:c6:20:b3:c4:06:cc:2d:6d:37:78:b4:d5:
+ 4d:14:db:f0:04:56:66:d8:5a:cc:ff:bd:0c:19:6d:39:bf:26:
+ ac:17:0c:91:a4:68:4b:bc:86:4f:0a:10:81:b5:ac:1e:a6:78:
+ b1:7f:e9:f3:9e:1b:32:92:b2:8f:f7:e2:a3:ae:44:e2:99:b0:
+ 04:0a:15:eb:7a:37:10:b2:7b:ef:35:6c:a5:db:13:96:42:e9:
+ 22:3c:72:6a:34:16:0d:b5:2c:49:f3:83:c7:ff:da:ec:57:14:
+ ab:0d:8d:76:8f:f0:a2:21:4f:88:54:bc:2f:c6:b9:7b:8c:da:
+ 42:9a:b1:12
+-----BEGIN CERTIFICATE-----
+MIIDYDCCAkigAwIBAgIJAPSGSqpQQmPcMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
+BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
+aWRnaXRzIFB0eSBMdGQwHhcNMTgwODI5MDI1MjM2WhcNMjgwODI2MDI1MjM2WjBF
+MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50
+ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEA9OMw8AniQw6hZy4777WIHk6pBvrylIv6Twqf4FdFlSzBGB0hbchcKgWU
+C8ZJxZeIrIi6c/uBKOvhzX+d++DFDe81zBK4dAuh6WXUGTibqOHF79XxnM+K3r/6
+12z514UQ25/pA+l+8YHenfOzo28ZMci7McDnfeprApghfML1nQ18hStdgXxxdEKJ
+q1wxrBn9wgv75cKyVBVkQJy/7dKxu3X56dhns05jxD70iiyHUCfdIpfx9yZJhwNV
+CKTSRCHhmjOClgmzCGW8qDr0ZPNgYtCY2YIMG762nCLof+brINlxZyzVFIOq8Td1
+mExoHZX+H+zLmxec9JIi2rt4RvPefQIDAQABo1MwUTAdBgNVHQ4EFgQUaO2n/h42
+JhiAK8aiByMcpABXFmgwHwYDVR0jBBgwFoAUaO2n/h42JhiAK8aiByMcpABXFmgw
+DwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEA3WFig2766IobAsaf
+f/NS+ARcyTX5TB1PD59sohiV8HaT5ZlYSoh6VGjPKGSOAT/7fihvrcYIogl3TBNL
+HWhwOJHU3PfDyIE2SLkBRvn66Pe6/iNM4yepWC2mPYisuHGbhOy9gsRFHbp37XNU
+qRZ2gEALgEJHYITPQeAPjoXTKDb79oz4xiCzxAbMLW03eLTVTRTb8ARWZthazP+9
+DBltOb8mrBcMkaRoS7yGTwoQgbWsHqZ4sX/p854bMpKyj/fio65E4pmwBAoV63o3
+ELJ77zVspdsTlkLpIjxyajQWDbUsSfODx//a7FcUqw2Ndo/woiFPiFS8L8a5e4za
+QpqxEg==
+-----END CERTIFICATE-----
diff --git a/src/test/regression/tests/042.ssl_reload/server.key b/src/test/regression/tests/042.ssl_reload/server.key
new file mode 100644
index 000000000..0ddd69303
--- /dev/null
+++ b/src/test/regression/tests/042.ssl_reload/server.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEA9OMw8AniQw6hZy4777WIHk6pBvrylIv6Twqf4FdFlSzBGB0h
+bchcKgWUC8ZJxZeIrIi6c/uBKOvhzX+d++DFDe81zBK4dAuh6WXUGTibqOHF79Xx
+nM+K3r/612z514UQ25/pA+l+8YHenfOzo28ZMci7McDnfeprApghfML1nQ18hStd
+gXxxdEKJq1wxrBn9wgv75cKyVBVkQJy/7dKxu3X56dhns05jxD70iiyHUCfdIpfx
+9yZJhwNVCKTSRCHhmjOClgmzCGW8qDr0ZPNgYtCY2YIMG762nCLof+brINlxZyzV
+FIOq8Td1mExoHZX+H+zLmxec9JIi2rt4RvPefQIDAQABAoIBAD6EfaraKxxJcOUh
+hYWlx3FNTZONnz5TGfzxzmz8erQhr84TKcSYIQdNU0VKQu0hyW+anFcdvxSOW6AV
+02RJNqVfC1Hk+ZgOnDA0odgqfnq34MtgyATrax2Az24N0R63Rt16zocEJjdLm2Sh
+oZu4sirmfvutrquTm+wWoH30W7XTCrd17thq8+5VBumXLW4sr40PWXcfPC1Od7JH
+utYZ0lGxr89fhuPpnpLw7V67EdslwmYl8avhzrUlzkXPqufZ33XdWFi/IXoNjMZ2
+MFgZFNKHv682nqjrrodyn4iXEzMSj4z4QLTNxoH79HWvCb2HjUpEWTNrfdu3LNCZ
+FahqHmECgYEA/5MmEEB2GNlhaMP+NMK/3x9RCfDfleqEdExf0KA6TuISNYUgeEeB
+dfczCN8WtxyDMor6fvwINxEAHX64/CompE/ya+Z25VdBQMcLpNVGS01aDdrqWN5B
+4qG8OyK3+eAjCnvyCzWsvvpK1I5u65q6+Q+Cw1wQaxYzhsZkEazQ0OkCgYEA9Ut9
+m74RMGudjkvJK7JIPLDLGEsko+yrh8IuoGn/wLpUJwmkZFQu8HRqdddMVjwQi4CN
+IDScbvyH0uE2yN+gg/BB0eBIyhfrI3xl6FJIQBnI0/7wmb2U82OT0LS18h9n8dAK
++mONcR3zL7XDe8xy1qTS0jjd1QT1QS4YLGPCxHUCgYEAowftCgT00NkqaDhOWr24
+w84oVd0P44QcRkvJ+z2atGNGFln74n5KuUOdjJUy2lAX6Q/6xzJi0y3HEwmZW1JQ
+IBTXobj8M0Q73eSbKuTZ2INZZOk3AMWW5ckiV97H2V//OlrihgARWCo1ve22GBk2
+GFaqpZB+8LDS4bCAeT3yXrECgYEA5rZ3USonLry5d2JOt5u7F+JNU+8xakErYMhC
+ZLzuQY6/oewOxBLuB1nn3CiBc0aRZTSnCFiTnkxFUBJmHe9AIXiz37wtmm9+yWSy
+0R27ORdHbiYGlQPcekP5fr7Jtw7VDHraKIHEQlWiKwix8dntVXe3luTHuRktuH2r
+XO0D/xUCgYEAlQtXyGSl/taUjKyfvfxlFDtpOwBAwUj2CsNzeUd2/5aWkqUrtYz8
+JNCPgSLPKDhLpavH0vUEmftF3uDVPxvMQ4JG9MQ7meHgL7AZmtKdU0VI+Av9xiJe
+d7A1x6o88gv1TqvGRit2qRxNOT0mzhDcXuR2EIQqUav45NyBokSo9xw=
+-----END RSA PRIVATE KEY-----
diff --git a/src/test/regression/tests/042.ssl_reload/server.req b/src/test/regression/tests/042.ssl_reload/server.req
new file mode 100644
index 000000000..fdfd5235d
--- /dev/null
+++ b/src/test/regression/tests/042.ssl_reload/server.req
@@ -0,0 +1,61 @@
+Certificate Request:
+ Data:
+ Version: 1 (0x0)
+ Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:f4:e3:30:f0:09:e2:43:0e:a1:67:2e:3b:ef:b5:
+ 88:1e:4e:a9:06:fa:f2:94:8b:fa:4f:0a:9f:e0:57:
+ 45:95:2c:c1:18:1d:21:6d:c8:5c:2a:05:94:0b:c6:
+ 49:c5:97:88:ac:88:ba:73:fb:81:28:eb:e1:cd:7f:
+ 9d:fb:e0:c5:0d:ef:35:cc:12:b8:74:0b:a1:e9:65:
+ d4:19:38:9b:a8:e1:c5:ef:d5:f1:9c:cf:8a:de:bf:
+ fa:d7:6c:f9:d7:85:10:db:9f:e9:03:e9:7e:f1:81:
+ de:9d:f3:b3:a3:6f:19:31:c8:bb:31:c0:e7:7d:ea:
+ 6b:02:98:21:7c:c2:f5:9d:0d:7c:85:2b:5d:81:7c:
+ 71:74:42:89:ab:5c:31:ac:19:fd:c2:0b:fb:e5:c2:
+ b2:54:15:64:40:9c:bf:ed:d2:b1:bb:75:f9:e9:d8:
+ 67:b3:4e:63:c4:3e:f4:8a:2c:87:50:27:dd:22:97:
+ f1:f7:26:49:87:03:55:08:a4:d2:44:21:e1:9a:33:
+ 82:96:09:b3:08:65:bc:a8:3a:f4:64:f3:60:62:d0:
+ 98:d9:82:0c:1b:be:b6:9c:22:e8:7f:e6:eb:20:d9:
+ 71:67:2c:d5:14:83:aa:f1:37:75:98:4c:68:1d:95:
+ fe:1f:ec:cb:9b:17:9c:f4:92:22:da:bb:78:46:f3:
+ de:7d
+ Exponent: 65537 (0x10001)
+ Attributes:
+ a0:00
+ Signature Algorithm: sha256WithRSAEncryption
+ 7a:30:69:6c:aa:30:6f:f3:bc:dc:85:78:04:ef:f6:0c:b2:04:
+ e7:03:55:fd:4a:98:74:d6:fd:24:a1:e9:e8:3d:e3:a1:b0:dc:
+ 12:b9:1f:38:fe:9e:42:5a:0c:06:b8:0c:f6:65:0b:78:95:73:
+ 27:31:14:e5:4d:4f:e2:82:3f:52:24:45:ba:31:e7:87:b7:c8:
+ b9:8a:db:5f:5e:fd:1a:f2:6c:7d:d6:d1:1d:19:77:5e:10:51:
+ d3:24:7f:5a:7d:3f:eb:db:33:0b:27:97:72:b9:f0:ea:89:79:
+ ca:b7:23:7c:c0:8a:e9:11:30:45:99:09:58:da:08:86:28:32:
+ 21:c0:3f:2e:87:3e:a4:96:55:f1:65:72:4f:06:0b:b3:a1:97:
+ 7d:54:6c:0d:96:b4:41:11:6e:28:45:cb:16:d7:1e:70:1e:a8:
+ a2:4e:7f:65:8e:71:e9:05:e2:ad:cc:9a:79:1d:73:39:e8:f0:
+ e8:f3:75:ab:bf:9d:44:7b:b7:76:3f:0d:50:e0:9c:ef:2c:d5:
+ eb:c3:0d:4f:c1:77:af:56:7e:78:db:e8:a0:52:05:f6:49:89:
+ ab:c0:ff:d6:97:9d:9d:84:14:12:73:ee:31:1d:12:ad:e7:91:
+ 8d:ac:ff:ee:8d:18:07:be:c8:ec:57:9d:78:41:9c:1e:a1:75:
+ 2b:99:f7:70
+-----BEGIN CERTIFICATE REQUEST-----
+MIICijCCAXICAQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx
+ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBAPTjMPAJ4kMOoWcuO++1iB5OqQb68pSL+k8Kn+BX
+RZUswRgdIW3IXCoFlAvGScWXiKyIunP7gSjr4c1/nfvgxQ3vNcwSuHQLoell1Bk4
+m6jhxe/V8ZzPit6/+tds+deFENuf6QPpfvGB3p3zs6NvGTHIuzHA533qawKYIXzC
+9Z0NfIUrXYF8cXRCiatcMawZ/cIL++XCslQVZECcv+3Ssbt1+enYZ7NOY8Q+9Ios
+h1An3SKX8fcmSYcDVQik0kQh4ZozgpYJswhlvKg69GTzYGLQmNmCDBu+tpwi6H/m
+6yDZcWcs1RSDqvE3dZhMaB2V/h/sy5sXnPSSItq7eEbz3n0CAwEAAaAAMA0GCSqG
+SIb3DQEBCwUAA4IBAQB6MGlsqjBv87zchXgE7/YMsgTnA1X9Sph01v0koenoPeOh
+sNwSuR84/p5CWgwGuAz2ZQt4lXMnMRTlTU/igj9SJEW6MeeHt8i5ittfXv0a8mx9
+1tEdGXdeEFHTJH9afT/r2zMLJ5dyufDqiXnKtyN8wIrpETBFmQlY2giGKDIhwD8u
+hz6kllXxZXJPBguzoZd9VGwNlrRBEW4oRcsW1x5wHqiiTn9ljnHpBeKtzJp5HXM5
+6PDo83Wrv51Ee7d2Pw1Q4JzvLNXrww1PwXevVn542+igUgX2SYmrwP/Wl52dhBQS
+c+4xHRKt55GNrP/ujRgHvsjsV514QZweoXUrmfdw
+-----END CERTIFICATE REQUEST-----
diff --git a/src/test/regression/tests/042.ssl_reload/test.sh b/src/test/regression/tests/042.ssl_reload/test.sh
new file mode 100755
index 000000000..302216878
--- /dev/null
+++ b/src/test/regression/tests/042.ssl_reload/test.sh
@@ -0,0 +1,257 @@
+#!/usr/bin/env bash
+#-------------------------------------------------------------------
+# test script for SSL connection upon reloading for: frontend <--> Pgpool-II and Pgpool-II and PostgreSQL.
+#
+source $TESTLIBS
+TESTDIR=testdir
+PSQL=$PGBIN/psql
+PG_CTL=$PGBIN/pg_ctl
+export PGDATABASE=test
+SSL_KEY=server.key
+SSL_CRT=server.crt
+
+#-------------------------------------------
+# Check psql output for \conninfo to see if SSL enabled
+#-------------------------------------------
+function check_ssl {
+ $PSQL -h localhost test <<EOF > result
+\conninfo
+\q
+EOF
+
+ # PostgreSQL 18 or later prints tablular output for \conninfo.
+ # For SSL, "SSL Connection | true (or false)"
+ if [ $PGVERSION -ge 18 ];then
+ grep "SSL Connection" result|grep true
+ else
+ grep SSL result
+ fi
+}
+
+# ---------------------------------------------------------------
+# Test ssl configuration param.
+# params:
+# $1: configuration name. e.g. ssl_cert
+# $2: good value for the config
+#
+# This performs following tests:
+# 1. Set bad value to the config and restart pgpool to make sure SSL connection does not establish.
+# 2. Set good value to the config and reload to make sure SSL connection establishes.
+# If test fails, exit with status 1
+function test_ssl {
+ # set bad value
+ echo "$1 = 'bad_value'" >> etc/pgpool.conf
+ # restart pgpool
+ ./startall
+ wait_for_pgpool_startup
+ check_ssl
+ if [ $? = 0 ];then
+ echo "Checking SSL connection between frontend and Pgpool-II succeeded despite bad config value for $1"
+ ./shutdownall
+ exit 1
+ fi
+ echo "Checking SSL connection between frontend and Pgpool-II failed due to bad config value for $1 as expected."
+
+ # Make sure that SSL connection succeeds with good config value
+ echo "$1 = '$2'" >> etc/pgpool.conf
+ ./pgpool_reload
+ sleep 1
+ check_ssl
+ if [ $? = 0 ];then
+ echo "Checking SSL connection between frontend and Pgpool-II succeeded with good $1"
+ else
+ echo "Checking SSL connection between frontend and Pgpool-II failed with good $1"
+ ./shutdownall
+ exit 1
+ fi
+ ./shutdownall
+}
+
+# main script starts here
+rm -fr $TESTDIR
+mkdir $TESTDIR
+cd $TESTDIR
+
+# create test environment. Number of backend node is 1 is enough.
+echo -n "creating test environment..."
+$PGPOOL_SETUP -m s -n 1 || exit 1
+echo "done."
+
+# setup SSL key and crt file
+cp -p ../$SSL_KEY etc/
+chmod og-rwx etc/$SSL_KEY
+cp -p ../$SSL_CRT etc/
+cp -p ../$SSL_KEY data0/
+chmod og-rwx data0/$SSL_KEY
+cp -p ../$SSL_CRT data0/
+
+# enable SSL support
+dir=`pwd`
+
+echo "ssl = on" >> etc/pgpool.conf
+echo "ssl_key = '$SSL_KEY'" >> etc/pgpool.conf
+echo "ssl_cert = '$SSL_CRT'" >> etc/pgpool.conf
+echo "ssl_prefer_server_ciphers = on" >> etc/pgpool.conf
+echo "ssl_ciphers = 'EECDH:HIGH:MEDIUM:+3DES:!aNULL'" >> etc/pgpool.conf
+
+echo "ssl = on" >> data0/postgresql.conf
+echo "ssl_cert_file = '$SSL_CRT'" >> data0/postgresql.conf
+echo "ssl_key_file = '$SSL_KEY'" >> data0/postgresql.conf
+
+# backend must be connected via TCP/IP
+echo "backend_hostname0 = 'localhost'" >> etc/pgpool.conf
+
+# produce debug message since the only way to confirm the SSL
+# connections is being established is, look into the debug log.
+echo "log_min_messages = debug5" >> etc/pgpool.conf
+
+# allow to access IPv6 localhost
+echo "host all all ::1/128 trust" >> data0/pg_hba.conf
+
+source ./bashrc.ports
+
+./startall
+
+export PGPORT=$PGPOOL_PORT
+
+wait_for_pgpool_startup
+
+# first, checking frontend<-->Pgpool-II...
+check_ssl
+if [ $? != 0 ];then
+ echo "Checking SSL connection between frontend and Pgpool-II failed."
+ ./shutdownall
+ exit 1
+fi
+echo "Checking SSL connection between frontend and Pgpool-II was ok."
+
+if [ $PGVERSION -ge 18 ];then
+ grep "SSL Protocol" result|grep TLSv1.2
+else
+ grep SSL result |grep TLSv1.2
+fi
+
+# if SSl protocol version TLSv1.2
+if [ $? = 0 ];then
+ grep SSL result |grep ECDH
+
+ if [ $? != 0 ];then
+ echo "Checking SSL connection with ECDH between frontend and Pgpool-II failed."
+ ./shutdownall
+ exit 1
+ fi
+ echo "Checking SSL connection with ECDH between frontend and Pgpool-II was ok."
+fi
+
+grep "client->server SSL response: S" log/pgpool.log >/dev/null
+if [ $? != 0 ];then
+ echo "Checking SSL connection between Pgpool-II and backend failed."
+ ./shutdownall
+ exit 1
+fi
+echo "Checking SSL connection between Pgpool-II and backend was ok."
+
+# So far SSL connection between clients and Pgpool-II, Pgpool-II and backend are ok.
+
+./shutdownall
+
+# ---------------------------------------------------------------
+# Test SSL params
+
+config_names[0]=ssl_cert
+config_names[1]=ssl_ciphers
+config_names[2]=ssl_crl_file
+config_names[3]=ssl_dh_params_file # ssl_dh_params_file can be a invalid file (fallback mechanism)
+config_names[4]=ssl_ecdh_curve
+config_names[5]=ssl_key
+config_names[6]=ssl_passphrase_command # cert does not require pass passphrase
+config_names[7]=ssl_prefer_server_ciphers # this affects server side ciphers
+
+good_values[0]=server.crt
+good_values[1]=HIGH:MEDIUM:+3DES:!aNULL
+good_values[2]=""
+good_values[3]=skip
+good_values[4]=prime256v1
+good_values[5]=server.key
+good_values[6]=skip
+good_values[7]=skip
+
+for i in {0..7}
+do
+ echo "===== ${config_names[$i]} ====="
+ if [ "${good_values[$i]}" = "skip" ];then
+ echo "skip this test"
+ else
+ test_ssl ${config_names[$i]} ${good_values[$i]}
+ fi
+done
+
+# ---------------------------------------------------------------
+# Test 4: ssl_ca_cert swap – client cert rejected after CA rotation
+#
+# 1. Two independent self-signed CAs are generated (CA #1 / CA #2).
+# 2. A client certificate is signed with CA #1.
+# 3. pgpool starts trusting CA #1 with pool_hba.conf set to require
+# client-certificate authentication (cert method).
+# 4. Verify the CA1-signed client cert is accepted.
+# 5. Reload pgpool with ssl_ca_cert pointing at CA #2.
+# 6. Verify the same client cert is now rejected because its issuer
+# (CA #1) is no longer trusted.
+# ---------------------------------------------------------------
+echo "===== ssl_ca_cert swap (client cert auth reload) ====="
+
+CADIR=`pwd`/catest
+mkdir -p "$CADIR"
+
+openssl req -new -x509 -days 3650 -nodes \
+ -subj "/CN=TestCA1" \
+ -keyout "$CADIR/ca1.key" -out "$CADIR/ca1.crt" 2>/dev/null
+
+openssl req -new -x509 -days 3650 -nodes \
+ -subj "/CN=TestCA2" \
+ -keyout "$CADIR/ca2.key" -out "$CADIR/ca2.crt" 2>/dev/null
+
+openssl req -new -nodes \
+ -subj "/CN=ssltest" \
+ -keyout "$CADIR/client.key" -out "$CADIR/client.csr" 2>/dev/null
+openssl x509 -req -days 3650 \
+ -CA "$CADIR/ca1.crt" -CAkey "$CADIR/ca1.key" -CAcreateserial \
+ -in "$CADIR/client.csr" -out "$CADIR/client.crt" 2>/dev/null
+chmod 600 "$CADIR/client.key"
+
+echo "ssl_ca_cert = '$CADIR/ca1.crt'" >> etc/pgpool.conf
+echo "enable_pool_hba = on" >> etc/pgpool.conf
+cat >> etc/pool_hba.conf <<'HBA'
+hostssl all ssltest 127.0.0.1/32 cert
+hostssl all ssltest ::1/128 cert
+HBA
+
+./startall
+wait_for_pgpool_startup
+
+$PSQL -h localhost -p $PGPOOL_PORT test -c "CREATE ROLE ssltest LOGIN" 2>/dev/null ||:
+
+PGSSLMODE=require PGSSLCERT="$CADIR/client.crt" PGSSLKEY="$CADIR/client.key" \
+ PGSSLROOTCERT="$CADIR/ca1.crt" $PSQL -h localhost -U ssltest test -c "SELECT 1" >/dev/null 2>&1
+if [ $? = 0 ]; then
+ echo "CA cert swap: CA1-signed client cert accepted before reload – ok."
+else
+ echo "CA cert swap: CA1-signed client cert rejected before reload – unexpected."
+ ./shutdownall
+ exit 1
+fi
+
+echo "ssl_ca_cert = '$CADIR/ca2.crt'" >> etc/pgpool.conf
+./pgpool_reload
+sleep 1
+
+PGSSLMODE=require PGSSLCERT="$CADIR/client.crt" PGSSLKEY="$CADIR/client.key" \
+ PGSSLROOTCERT="$CADIR/ca1.crt" $PSQL -h localhost -U ssltest test -c "SELECT 1" >/dev/null 2>&1
+if [ $? != 0 ]; then
+ echo "CA cert swap: CA1-signed client cert rejected after reload to CA2 – ok."
+else
+ echo "CA cert swap: CA1-signed client cert still accepted after CA2 reload – unexpected."
+ ./shutdownall
+ exit 1
+fi
+
+./shutdownall
+exit 0
--
2.43.0
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected], [email protected]
Subject: Re: Rotate SSL certificates on reload (SIGHUP) without restart
In-Reply-To: <CAHtZvrdhAbVSh2yhSwk0qeHmnL+Sr0LPvjrA+2inKF6WNh7azw@mail.gmail.com>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox