[pgpool-general: 9099] Re: Is the TLS certificate revocation list loaded only on server start, or does the TLS/SSL library reload it on every connection?

Tatsuo Ishii ishii at sraoss.co.jp
Wed May 8 16:20:30 JST 2024


> Thanks for the quick response, Tatsuo.
> 
> From the docs my assumption was that a full restart is only needed if the filename of the CRL needs to change, but it's useful to know that it's required even if the contents of the file itself changes.
> 
> In case it is of interest - PostgreSQL's ssl_crl_dir allows for changes while the server is running (and for ssl_crl_file a reload is sufficient):
> 
> ssl_crl_dir (string)
> 
> Specifies the name of the directory containing the SSL client certificate revocation list (CRL). Relative paths are relative to the data directory. This parameter can only be set in the postgresql.conf file or on the server command line. The default is empty, meaning no CRLs are used (unless ssl_crl_file (https://www.postgresql.org/docs/current/runtime-config-connection.html#GUC-SSL-CRL-FILE) is set).
> 
> The directory needs to be prepared with the OpenSSL command openssl rehash or c_rehash. See its documentation for details.
> 
> When using this setting, CRLs in the specified directory are loaded on-demand at connection time. New CRLs can be added to the directory and will be used immediately. This is unlike ssl_crl_file (https://www.postgresql.org/docs/current/runtime-config-connection.html#GUC-SSL-CRL-FILE), which causes the CRL in the file to be loaded at server start time or when the configuration is reloaded. Both settings can be used together.

I see. You are right. PostgreSQL allows making the new CRLs usable by
reloading postgresql.conf.

> But at the moment PgPool does not support such a parameter.

Correct. However, if there's enough demand for reloading pgpool.conf to
recognize the new CRLs, developers may put it on their plates. What do
you think?
--
Tatsuo Ishii
SRA OSS LLC
English: http://www.sraoss.co.jp/index_en/
Japanese: http://www.sraoss.co.jp
