public inbox for [email protected]
help / color / mirror / Atom feedFrom: Bob Ross <[email protected]>
To: Tatsuo Ishii <[email protected]>
Cc: [email protected]
Subject: Re: Rotate SSL certificates on reload (SIGHUP) without restart
Date: Fri, 27 Mar 2026 19:16:12 +0100
Message-ID: <CAHtZvrfap1R6+D=KsfE1iPU6_reGaPyf=m_GryEUNrNWe0KYbg@mail.gmail.com> (raw)
In-Reply-To: <[email protected]>
References: <[email protected]>
<CAHtZvrdud7gjX9pq7ayU2VBQkCosZ7qcx6L9r-KbQkqKW_D9eQ@mail.gmail.com>
<[email protected]>
<[email protected]>
Hi Tatsuo,
I believe no additional changes are needed for healthcheck and streaming
replication check.
My patch focuses on the frontend-accept path, where SSL_ServerSide_init()
maintains a process-wide cached SSL_frontend_context reused across incoming
TLS handshakes, and therefore must be explicitly refreshed on reload.
In contrast, the health check (src/main/health_check.c) and the SR check
worker (src/streaming_replication/pool_worker_child.c) establish outgoing
connections to PostgreSQL backends via pool_ssl_negotiate_clientserver().
This invokes init_ssl_ctx() for each new connection, creating a fresh
SSL_CTX and reading SSL-related settings (ssl_cert, ssl_key, ssl_ca_cert,
etc.) directly from pool_config at connection time. There is no long-lived
SSL context to refresh in these processes.
Given that the SSL configuration parameters are now marked as CFGCXT_RELOAD
in src/config/pool_config_variables.c, a SIGHUP causes both processes to
reload pool_config via their respective reload_config() functions. As a
result, subsequent outgoing backend connections will naturally pick up the
updated certificate settings.
Please let me know what you think.
Best regards,
Bob
On Thu, Mar 26, 2026 at 11:19 AM Tatsuo Ishii <[email protected]> wrote:
> Hi Bob,
>
> > Thank you for the patch! I will look into the patch.
>
> I skimmed through the patch. You changed main.c and child.c to call
> SSL_ServerSide_init() so that they reload new SSL parameters. However,
> in Pgpool-II there are two more places which could use SSL connection
> to PostgreSQL server: health check and streaming replication check. I
> suspect they need to call SSL_ServerSide_init() while reloading the
> config file. What do you think?
>
> Regards,
> --
> Tatsuo Ishii
> SRA OSS K.K.
> English: http://www.sraoss.co.jp/index_en/
> Japanese:http://www.sraoss.co.jp
>
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected], [email protected]
Subject: Re: Rotate SSL certificates on reload (SIGHUP) without restart
In-Reply-To: <CAHtZvrfap1R6+D=KsfE1iPU6_reGaPyf=m_GryEUNrNWe0KYbg@mail.gmail.com>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox