[pgpool-general: 9100] Re: Is the TLS certificate revocation list loaded only on server start, or does the TLS/SSL library reload it on every connection?

Ian van der Linde ian at ivdl.co.za
Wed May 8 16:36:28 JST 2024


> I see. You are right. PostgreSQL allows to make the new CRLs usable by
> reloading postgresql.conf.

>> But at the moment PgPool does not support such a parameter.

> Correct. However if there's enough demand by reloading pgpool.conf to
> recognize the new CRLs, developers may put it on their plates. What do
> you think?

I think there are two options here - one is to make the file-level parameter
reloadable, and the other is to implement the directory-level parameter. Of
these, I think the second may be more useful, if it is implemented in the same
way as PostgreSQL. Since PG checks the directory every time a connection is
made, it obviates the need for any reloading, and means configuration
management and orchestration tools can manage the directory without concern for
having a notification mechanism to trigger a reload.

In the long run, I think TLS connections will become more common as
organisational policies require it, and a while after implementation, people
will suddenly realise that they need revocation lists, and scramble to
implement them. I suppose that a combination of a directory-level configuration
similar to PostgreSQL, along with more comprehensive CRL documentation both on
the PG and PgPool side would make the process a lot more straightforward. At
the moment the PG documentation just references the OpenSSL documentation for
CRLs, and the alternative is a combination of blog posts and Stack Overflow
answers, which isn't really ideal compared to comprehensive docs.

Does that seem sensible?

Kind regards
Ian van der Linde
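To illustrate the directory-level approach described above, here is an added example (not from the thread, nor from the PostgreSQL or Pgpool-II projects) of the deployment step a configuration-management tool could run against a PostgreSQL ssl_crl_dir directory, where the per-connection directory scan makes a reload unnecessary. The `<issuer-hash>.r0` naming is OpenSSL's hash-directory convention; the function names, the use of openssl(1) for the issuer hash, and the paths are assumptions.

```shell
#!/bin/sh
# Added example: deploy a CRL into an OpenSSL hash directory (as used by
# PostgreSQL's ssl_crl_dir) without any server reload.
# Usage: deploy_crl /path/to/new.crl /etc/postgresql/crls   (paths assumed)
set -eu

# OpenSSL looks CRLs up in a hash directory by <issuer-name-hash>.r0, .r1, ...
# (the same names `openssl rehash` would produce). Requires openssl(1).
crl_issuer_hash() {
    openssl crl -noout -hash -in "$1"
}

# Install CRL $1 into directory $2 as <$3>.r0.
# The file is written to a temporary name in the same directory and then
# renamed, so a connection whose TLS library scans the directory at that
# instant sees either the previous CRL or the complete new one, never a
# partially written file. Prints the installed path.
install_crl() {
    crl=$1; dir=$2; hash=$3
    target="$dir/$hash.r0"
    tmp=$(mktemp "$dir/.crl.XXXXXX")
    cp "$crl" "$tmp"
    chmod 0644 "$tmp"          # readable by the server, writable by the deployer only
    mv -f "$tmp" "$target"     # atomic replacement on the same filesystem
    printf '%s\n' "$target"
}

# Validate, hash and install in one step.
deploy_crl() {
    crl=$1; dir=$2
    # Refuse to publish anything that does not parse as a CRL at all.
    openssl crl -noout -in "$crl" >/dev/null
    install_crl "$crl" "$dir" "$(crl_issuer_hash "$crl")"
}
```

Because the file name is derived from the issuer, re-running the step with a freshly issued CRL from the same CA overwrites the previous one in place; a CRL from a different CA lands under its own hash.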

