[pgpool-general: 9098] Re: Is the TLS certificate revocation list loaded only on server start, or does the TLS/SSL library reload it on every connection?

Ian van der Linde ian at ivdl.co.za
Tue May 7 19:41:55 JST 2024


Thanks for the quick response, Tatsuo.

From the docs my assumption was that a full restart is only needed if the filename of the CRL needs to change, but it's useful to know that it's required even if the contents of the file itself changes.

In case it is of interest - PostgreSQL's ssl_crl_dir allows for changes while the server is running (and for ssl_crl_file a reload is sufficient):

ssl_crl_dir (string)

Specifies the name of the directory containing the SSL client certificate revocation list (CRL). Relative paths are relative to the data directory. This parameter can only be set in the postgresql.conf file or on the server command line. The default is empty, meaning no CRLs are used (unless ssl_crl_file (https://www.postgresql.org/docs/current/runtime-config-connection.html#GUC-SSL-CRL-FILE) is set).

The directory needs to be prepared with the OpenSSL command openssl rehash or c_rehash. See its documentation for details.

When using this setting, CRLs in the specified directory are loaded on-demand at connection time. New CRLs can be added to the directory and will be used immediately. This is unlike ssl_crl_file (https://www.postgresql.org/docs/current/runtime-config-connection.html#GUC-SSL-CRL-FILE), which causes the CRL in the file to be loaded at server start time or when the configuration is reloaded. Both settings can be used together.

But at the moment PgPool does not support such a parameter.

Kind regards
Ian
________________________________
From: Tatsuo Ishii <ishii at sraoss.co.jp>
Sent: 07 May 2024 11:25
To: Ian van der Linde <ian at ivdl.co.za>
Cc: pgpool-general at pgpool.net <pgpool-general at pgpool.net>
Subject: Re: [pgpool-general: 9096] Is the TLS certificate revocation list loaded only on server start, or does the TLS/SSL library reload it on every connection?

> Good day
>
> PgPool supports setting an ssl_crl_file parameter to configure a certificate revocation list. Let's assume that's been set up, and PgPool has been restarted to load the file. If the file is changed to revoke another certificate, will that automatically be picked up by the running PgPool the next time a client connects, or does PgPool need to be restarted every time a certificate is added to the CRL? If so, is a simple configuration reload sufficient, or does it have to be a full restart?

You need a full restart as mentioned in the docs. Note that
PostgreSQL's ssl_crl_file needs a server restart if it is changed.

Best regards,
--
Tatsuo Ishii
SRA OSS LLC
English: http://www.sraoss.co.jp/index_en/
Japanese: http://www.sraoss.co.jp