From: | Andreas Karlsson <andreas(at)proxel(dot)se> |
---|---|
To: | Stephen Frost <sfrost(at)snowman(dot)net> |
Cc: | Magnus Hagander <magnus(at)hagander(dot)net>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>, Michael Paquier <michael(dot)paquier(at)gmail(dot)com>, Michael Banck <michael(dot)banck(at)credativ(dot)de>, Peter Geoghegan <pg(at)heroku(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: [PATCH] Reload SSL certificates on SIGHUP |
Date: | 2017-01-04 15:17:49 |
Message-ID: | 1254e97b-a65a-5a63-e938-810507a16d71@proxel.se |
Lists: | pgsql-hackers |
On 01/04/2017 04:14 PM, Stephen Frost wrote:
> * Andreas Karlsson (andreas(at)proxel(dot)se) wrote:
>> A possible solution might be to only add the error throwing hook
>> when loading certificates during SIGHUP (and on Windows) and to work
>> as before on startup. Would that be an acceptable solution? I could
>> write a patch for this if people are interested.
>
> I'm not sure I see how that's a solution..? Wouldn't that mean that a
> SIGHUP with an encrypted key would result in a failure?
>
> The solution, at least in my view, seems to be to say "sorry, we can't
> reload the SSL stuff if you used a passphrase to unlock the key on
> startup, you will have to perform a restart if you want the SSL bits to
> be changed."

Sorry, I was very unclear. I meant refusing to reload the SSL context
if there is a pass phrase, but that the rest of the config will be
reloaded just fine. This will lead to some log spam on every SIGHUP for
people with a pass phrase but should otherwise work as before.

Andreas
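
The reload behaviour proposed in this message, as an added example that is not part of the original post and is not code from the patch or from PostgreSQL: a small C model in which a SIGHUP always applies the non-SSL settings but keeps the old SSL context when the new key needs a pass phrase. `struct server`, `load_key`, `reject_passphrase_cb`, `reload_on_sighup` and the sample keys are hypothetical names and constructed data; only the callback signature mirrors OpenSSL's `pem_password_cb`.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of server state; not PostgreSQL's own structures. */
struct server {
    int  port;             /* stands in for the rest of the config */
    char ssl_key[256];     /* stands in for the live SSL context */
    int  reload_warnings;  /* log lines emitted for refused SSL reloads */
};

/* Constructed sample keys (bodies are dummy text, not real key material). */
static const char ENC_KEY[] =
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\nAAAA\n-----END ENCRYPTED PRIVATE KEY-----\n";
static const char PLAIN_KEY[] =
    "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n";

/* Same shape as OpenSSL's pem_password_cb. Installed only for reloads: it
 * never prompts and reports failure, so an encrypted key fails to load. */
static int reject_passphrase_cb(char *buf, int size, int rwflag, void *u)
{
    (void) buf; (void) size; (void) rwflag; (void) u;
    return 0;
}

/* Stand-in for the key loader: an encrypted PEM key (PKCS#8 label or the
 * traditional Proc-Type header) needs the callback to supply a passphrase. */
static int load_key(const char *pem, int (*cb)(char *, int, int, void *))
{
    char pass[64];
    int encrypted = strstr(pem, "-----BEGIN ENCRYPTED PRIVATE KEY-----") ||
                    strstr(pem, "Proc-Type: 4,ENCRYPTED");
    return !encrypted || cb(pass, (int) sizeof pass, 0, NULL) > 0;
}

/* SIGHUP: non-SSL settings always apply; the SSL context is replaced only
 * if the new key loads. Returns 1 if replaced, 0 if the old one is kept. */
int reload_on_sighup(struct server *s, int new_port, const char *new_pem)
{
    s->port = new_port;
    if (!load_key(new_pem, reject_passphrase_cb)) {
        s->reload_warnings++;
        fprintf(stderr, "LOG: key needs a passphrase, keeping old SSL context\n");
        return 0;
    }
    snprintf(s->ssl_key, sizeof s->ssl_key, "%s", new_pem);
    return 1;
}
```

In this model every SIGHUP with an encrypted key increments `reload_warnings`, which corresponds to the repeated log line the message mentions.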