Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1w8OAI-000U19-1F for pgpool-hackers@arkaria.postgresql.org; Thu, 02 Apr 2026 19:57:18 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1w8OAH-007wHD-0W for pgpool-hackers@arkaria.postgresql.org; Thu, 02 Apr 2026 19:57:17 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1w8OAG-007wH5-37 for pgpool-hackers@lists.postgresql.org; Thu, 02 Apr 2026 19:57:17 +0000 Received: from mail-lf1-x133.google.com ([2a00:1450:4864:20::133]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.98.2) (envelope-from ) id 1w8OAE-00000000FoM-3W5U for pgpool-hackers@lists.postgresql.org; Thu, 02 Apr 2026 19:57:17 +0000 Received: by mail-lf1-x133.google.com with SMTP id 2adb3069b0e04-5a2b5ea59a1so1536515e87.1 for ; Thu, 02 Apr 2026 12:57:15 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1775159834; cv=none; d=google.com; s=arc-20240605; b=ZIy4bqFBuQ8AtZJ94Hb9J1t7wXgQkoaKa5fJF4ryNzBoMLSkqSL/LirSPwymxz7oVq eSVSVM2GBjMNVVq3JKua7VWBp70PVsLwY1KdnpvUYEX6S5UU+mqHJwiNOn3TVrKa0U0W xoY71KzHZQWChe8JyA8FpNCSK19f2rAQmAjka9f/pubOuULZ2pvNpgxLW2hVux84UHsz NumdgutAb/9SlnpSW+KcRgH6GTRyR9zhE00h31SybYae38AbAU58MJpHyWPPpkYacNRs 6nFA1DRNooheZi/SmsaoYzWFae06ZY5kjfsLmzn2YOZIUpFQkkPzuKtuBQfAiaRfQIVu rafA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:references:in-reply-to :mime-version:dkim-signature; bh=nRA9l0H1hnVo/1cUlhBertYhzcmR5OR17oo1qOKH90s=; fh=ezhJnRV8pHRdUaCIYchx+Ef2bTm8AeXwuFPXRypV9eM=; b=DqnOPq4/Z4kPiKVTPyU31gCmkwdN7QEXmWe05/3H/05211d4+UwCsaAIbhC3oMFZHq hRHR5MVe91y3xfoGsIxTQOeXAGSn88B8PfTkHTcjjrUfRTmwT0oiJmffx2foC045NDgp EI+4wCM2mA+ai1JaPnZCuU6wIXQ43QavvC422eQkWvdVN7uYPpXUZkD9qaB41wwpqnMn hedECeVeywuIdU17OY+85zT4UucbzFpaKuvFOgTPe4Fyl1pJ3x2XPXKE3Sopizh+l3bF snjePaXRCC6Sw+vmIbhYbUUhqs18rPxyJx/7LIFFJhvtb8eFtR7vcsMdvbJSBuqUE0mk DdBg==; darn=lists.postgresql.org ARC-Authentication-Results: i=1; mx.google.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1775159834; x=1775764634; darn=lists.postgresql.org; h=cc:to:subject:message-id:date:from:references:in-reply-to :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=nRA9l0H1hnVo/1cUlhBertYhzcmR5OR17oo1qOKH90s=; b=nFWcxuAdoA711DKIZ2Ok+fS/Sn79zrS0AZaFARz18lDZoOnZYK+WvyLK7wTCTTy51g eIOqYglGgW33b86sF61mncvKL0x2lUqwiT5tVs4aDIgKCR1rEtK4W5bFtf578561C76g s2CUvrNoVkEdRkHGY1gYymWHsw7HkhstMBq/WpMZ0AiyA4ItCyAz5TvuMhH7KPyEr9io 9liD0/1ajpxWv9xzgWUTBjp2l75dAuViDl+1N9kMDt74fTW+LrgLn11zaQwTycq6Au9M MiyZYk91710fWjCVKaLIw9k8r82OfCOfY6xRp41Iknu6+J3EPdUCh+6Felg1d8sjmEUp IkFA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1775159834; x=1775764634; h=cc:to:subject:message-id:date:from:references:in-reply-to :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=nRA9l0H1hnVo/1cUlhBertYhzcmR5OR17oo1qOKH90s=; b=hiGWr5u9KJZFlkPF7xVDU8zjDIjUSe4CN7ObTnfhcjIfYjj7UZn6UScNjIKcieIQQd yDIBJppZpkiiMxSvHutd5IMLpWH0RYYudvIVmvfq7cRypg6OqeeffPiSZe/93GXEjGyq qn6TFFGU/1XsUiS4yDHzBHW9AurfIX+pvKNWf1QxQNE7/mf8CTSiGdxjjbrgncE8iXKo PfOhxh7YntL0jB0Y/q4lt8bxuqNAtY5wvIUmujBTTkdHV/PO4qNm4sIe80CA3BbThnTs 0iV6BFGh5q7LHAm/0/FFVmgtrh4GgXKcZB3ftw0VcOCSmeCIV3HBu5NucxQqh9nC+Fjh x8Vg== X-Gm-Message-State: AOJu0Yzm/0micnnpJjyYqx7m6veM0zBKM/jaMvULzq3kAdTe6JhaRQtu nZIfg7jbkIltwSNNQZYAWyHmjMC7snew6w9v+ifq++FxFvnnUUV2myU8NlEZdDxXv3XpJUZ3x89 YZ3oDoDO06bZzLjer8eMaIz/NwrZgcO0= X-Gm-Gg: AeBDievcXl/K+KwQnWoLfuA9JmJ+h2niCONSEcheAPulMY//fXfH+hpQmq8Xdt7oXXM OObyQWOUSbkhklNSdR9pgZHQYRFPc33ZyFzwhWPZWAwg9OTVKOU29vlxlInQfS0Unw1aolGMq1P u8MWo5Ilgvgw08gVrwl/Kql+dzJR0oqU0nJOKa3iH3a14+SOngz79QJm289v1ZFWojugpJItyqi 7SEB1/HkImihrzg6CSnZOOZukpEBERKZGK5iXTqW/mm3PG9ArJ7rnciC1M5mPyvOwExK9zd0LRm jdD/Wg== X-Received: by 2002:a05:6512:3f0c:b0:5a2:c0d9:4e95 with SMTP id 2adb3069b0e04-5a33758ad44mr89710e87.39.1775159833836; Thu, 02 Apr 2026 12:57:13 -0700 (PDT) MIME-Version: 1.0 Received: by 2002:a05:6022:929b:b0:f2:edab:66b1 with HTTP; Thu, 2 Apr 2026 12:57:11 -0700 (PDT) In-Reply-To: <20260401.180542.2251969369195681939.ishii@postgresql.org> References: <20260331.184832.554536681926821839.ishii@postgresql.org> <20260401.180542.2251969369195681939.ishii@postgresql.org> From: Bob Ross Date: Thu, 2 Apr 2026 21:57:11 +0200 X-Gm-Features: AQROBzClUrcpnXIpQxNN-DAGzI78EQfIKCZKrMUaJMLdZKNlnsfWD17UnjtCJCs Message-ID: Subject: Rotate SSL certificates on reload (SIGHUP) without restart To: Tatsuo Ishii Cc: "pgpool-hackers@lists.postgresql.org" Content-Type: multipart/alternative; boundary="00000000000050c38b064e7f9be3" List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --00000000000050c38b064e7f9be3 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Hi Tatsuo, Thanks for putting together the regression tests. Thoughts on your questions: - CA Certificates - Yes, adding a cert auth test is highly recommended. We could test this by generating two different dummy CA certificates. Start pgpool trusting CA #1, swap the config to CA #2, reload and verify if client connection correctly gets rejected. - DH parameters - perhaps we can test this by providing a non-existent file path and then use grep to check pgpool.log for specific warning message (per pool_ssl.c it=E2=80=99s =E2=80=9CDH: could not load DH parameters=E2= =80=9D) when pgpool tries to load the file. Regards, Bob On Wednesday, April 1, 2026, Tatsuo Ishii wrote: > Hi Bob, > > > Hi Tatsuo, > > > > Thanks for double-checking! Please feel free to go ahead and write the > > regression tests if you're up for it. I'd really appreciate the help. > > I have written the first version of the regression test. This test > performs: > > 1. Set bad value (fixed string "bad_value") to a config param and > restart pgpool so that SSL connection does not establish between > client and pgpool. > > 2. Set good value to the config and reload pgpool so that SSL > connection establishes. > > The test is run against: > ssl_cert > ssl_ciphers > ssl_crl_file > ssl_ecdh_curve > ssl_key > > It does not test ssl_ca_cert and ssl_ca_cert_dir because the test is > based on 023.ssl_connection which does not check cert auth. Should we > test cert auth as well? > > Also this does not test followings: > > - ssl_dh_params_file > If bad value is set to the parameter, it falls back to a builtin > value. So it is not possible to set a bad value to the parameter. > Do you have an idea to test this? > > - ssl_passphrase_command > Our cert does not require pass passphrase. > > - ssl_prefer_server_ciphers > This only affects server side (backend) ciphers. The test only tests > SSL connection between client and pgpool. > > Attached is the v1 patch including your patch (I have remove "-----" > from your commit message. Otherwise the commit message cuts in the > middle) and the test script. > What do you think? > > Regards, > -- > Tatsuo Ishii > SRA OSS K.K. > English: http://www.sraoss.co.jp/index_en/ > Japanese:http://www.sraoss.co.jp > --00000000000050c38b064e7f9be3 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Hi Tatsuo,=C2=A0

Thanks for putting together the regress= ion tests.=C2=A0

Thoughts on your questions:=C2=A0=
- CA Certificates - Yes, adding a cert auth test is highly recom= mended. We could test this by generating two different dummy CA certificate= s. Start pgpool trusting CA #1, swap the config to CA #2, reload and verify= if client connection correctly gets rejected.=C2=A0
- DH paramet= ers - perhaps we can test this by providing a non-existent file path and th= en use grep to check pgpool.log for specific warning message (per pool_ssl.= c it=E2=80=99s =E2=80=9CDH: could not load DH parameters=E2=80=9D) when pgp= ool tries to load the file.=C2=A0

Regards,
Bob


On Wednesday, April 1, 2026,= Tatsuo Ishii <ishii@postgresql.org> wrote:
Hi B= ob,

> Hi Tatsuo,
>
> Thanks for double-checking! Please feel free to go ahead and write the=
> regression tests if you're up for it. I'd really appreciate th= e help.

I have written the first version of the regression test. This test
performs:

1. Set bad value (fixed string "bad_value") to a config param and=
=C2=A0 =C2=A0restart pgpool so that SSL connection does not establish betwe= en
=C2=A0 =C2=A0client and pgpool.

2. Set good value to the config and reload pgpool so that SSL
=C2=A0 =C2=A0connection establishes.

The test is run against:
ssl_cert
ssl_ciphers
ssl_crl_file
ssl_ecdh_curve
ssl_key

It does not test ssl_ca_cert and ssl_ca_cert_dir because the test is
based on 023.ssl_connection which does not check cert auth. Should we
test cert auth as well?

Also this does not test followings:

- ssl_dh_params_file
If bad value is set to the parameter, it falls back to a builtin
value. So it is not possible to set a bad value to the parameter.
Do you have an idea to test this?

- ssl_passphrase_command
Our cert does not require pass passphrase.

- ssl_prefer_server_ciphers
This only affects server side (backend) ciphers. The test only tests
SSL connection between client and pgpool.

Attached is the v1 patch including your patch (I have remove "-----&qu= ot;
from your commit message. Otherwise the commit message cuts in the
middle)=C2=A0 and the test script.
What do you think?

Regards,
--
Tatsuo Ishii
SRA OSS K.K.
English: ht= tp://www.sraoss.co.jp/index_en/
Japanese:http://www.s= raoss.co.jp
--00000000000050c38b064e7f9be3--