[pgpool-general: 9100] Re: Is the TLS certificate revocation list loaded only on server start, or does the TLS/SSL library reload it on every connection?
Ian van der Linde
ian at ivdl.co.za
Wed May 8 16:36:28 JST 2024
> I see. You are right. PostgreSQL allows to make the new CRLs usable by
> reloading postgresql.conf.
>> But at the moment PgPool does not support such a parameter.
> Correct. However if there's enough demand by reloading pgpool.conf to
> recognize the new CRLs, developers may put it on their plates. What do
> you think?
I think there's two options here - one is to make the file-level parameter
reloadable, and the other is to implement the directory-level parameter. Of
these, I think the second may be more useful, if it is implemented in the same
way as PostgreSQL. Since PG checks the directory every time a connection is
made, it obviates the need for any reloading, and means configuration
management and orchestration tools can manage the directory without concern for
having a notification mechanism to trigger a reload.
In the long run, I think TLS connections will become more common as
organisational policies require it, and a while after implementation, people
will suddenly realise that they need revocation lists, and scrambling to
implement them. I suppose that a combination of a directory-level configuration
similar to PostgreSQL, along with more comprehensive CRL documentation both on
the PG and PgPool side would make the process a lot more straightforward. At
the moment the PG documentation just references the OpenSSL documentation for
CRLs, and the alternative is a combination of blog posts and Stack Overflow
answers, which isn't really ideal compared to comprehensive docs.
Does that seem sensible?
Kind regards
Ian van der Linde
More information about the pgpool-general
mailing list