From: | Bruce Momjian <bruce(at)momjian(dot)us>
---|---
To: | Alvaro Herrera <alvherre(at)commandprompt(dot)com>
Cc: | Andrej Podzimek <andrej(at)podzimek(dot)org>, pgsql-general(at)postgresql(dot)org
Subject: | Re: Automatic CRL reload
Date: | 2009-01-21 23:49:06
Message-ID: | 200901212349.n0LNn6j16801@momjian.us
Lists: | pgsql-general
Alvaro Herrera wrote:
> Andrej Podzimek wrote:
>
> > "The files server.key, server.crt, root.crt, and root.crl are only
> > examined during server start; so you must restart the server for
> > changes in them to take effect."
> > (http://www.postgresql.org/docs/8.3/static/ssl-tcp.html)
> >
> > This is perfectly fine for server.key, server.crt and root.crt. These
> > files change quite rarely. However, root.crl usually changes once a
> > month (which is the default in OpenSSL) or even more often when
> > necessary.
>
> I think the right solution here is to reload the CRL file on SIGHUP
> (reload). Whoever changes the CRL file should send a signal.
>
> I've had that on my TODO list for a while.
Added to TODO:
Allow SSL CRL files to be re-read during configuration file reload,
rather than requiring a server restart
Unlike SSL CRT files, CRL (Certificate Revocation List) files are
updated frequently
* http://archives.postgresql.org/pgsql-general/2008-12/msg00832.php
--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ If your life is a hard drive, Christ can be your backup. +
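The thread's concern is a server that keeps enforcing the root.crl it read at startup while a newer list sits on disk. The following is an added operator check, not code from this thread or from PostgreSQL: it reports whether root.crl has been modified since the server last started. It assumes the 8.3 layout in which root.crl lives in the data directory alongside postmaster.pid, and uses postmaster.pid's modification time as the server start time (the file is rewritten on each start); both the directory path and that approximation are assumptions, and the file names are the ones the docs quoted above use.

```shell
#!/bin/sh
# Added example (not from the thread or PostgreSQL): detect a CRL that the
# running server cannot yet be enforcing. Assumes root.crl and postmaster.pid
# both live in the data directory and that postmaster.pid's mtime marks the
# last server start (an approximation, labelled as such).

# crl_is_stale DATADIR
#   exit 0 and print "stale"   -> root.crl changed after server start
#   exit 1 and print "current" -> root.crl is older than the running server
#   exit 2                     -> could not check (missing file)
crl_is_stale() {
    dir=$1
    crl="$dir/root.crl"
    pid="$dir/postmaster.pid"
    [ -f "$crl" ] || { echo "no CRL file: $crl" >&2; return 2; }
    [ -f "$pid" ] || { echo "no $pid; is the server running?" >&2; return 2; }
    # find -newer is POSIX: it prints the CRL path only when the CRL was
    # modified after postmaster.pid, i.e. after the last server start.
    if [ -n "$(find "$crl" -newer "$pid" -print)" ]; then
        echo "stale: $crl changed after server start; a restart (or a SIGHUP reload, once CRL reload on reload is implemented) is needed"
        return 0
    fi
    echo "current"
    return 1
}

# Usage: crl_is_stale /path/to/data   (exit status usable from cron or a monitor)
```

Pair this with `openssl crl -noout -nextupdate -in root.crl` to see how long the list on disk remains valid; a "stale" result from the check above means the server is enforcing an even older list than the one that command inspects.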