From de41869b64d57160f58852eab20a27f248188135 Mon Sep 17 00:00:00 2001 From: Tom Lane Date: Mon, 2 Jan 2017 21:37:12 -0500 Subject: Allow SSL configuration to be updated at SIGHUP. It is no longer necessary to restart the server to enable, disable, or reconfigure SSL. Instead, we just create a new SSL_CTX struct (by re-reading all relevant files) whenever we get SIGHUP. Testing shows that this is fast enough that it shouldn't be a problem. In conjunction with that, downgrade the logic that complains about pg_hba.conf "hostssl" lines when SSL isn't active: now that's just a warning condition not an error. An issue that still needs to be addressed is what shall we do with passphrase-protected server keys? As this stands, the server would demand the passphrase again on every SIGHUP, which is certainly impractical. But the case was only barely supported before, so that does not seem a sufficient reason to hold up committing this patch. Andreas Karlsson, reviewed by Michael Banck and Michael Paquier Discussion: https://postgr.es/m/556A6E8A.9030400@proxel.se --- src/include/libpq/libpq-be.h | 3 ++- src/include/libpq/libpq.h | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) (limited to 'src/include') diff --git a/src/include/libpq/libpq-be.h b/src/include/libpq/libpq-be.h index 66647ad003..5dac9ceb18 100644 --- a/src/include/libpq/libpq-be.h +++ b/src/include/libpq/libpq-be.h @@ -199,7 +199,8 @@ typedef struct Port * These functions are implemented by the glue code specific to each * SSL implementation (e.g. be-secure-openssl.c) */ -extern void be_tls_init(void); +extern int be_tls_init(bool failOnError); +extern void be_tls_destroy(void); extern int be_tls_open_server(Port *port); extern void be_tls_close(Port *port); extern ssize_t be_tls_read(Port *port, void *ptr, size_t len, int *waitfor); diff --git a/src/include/libpq/libpq.h b/src/include/libpq/libpq.h index 5fac8171ed..66ceb2b4a0 100644 --- a/src/include/libpq/libpq.h +++ b/src/include/libpq/libpq.h @@ -81,7 +81,7 @@ extern char *ssl_key_file; extern char *ssl_ca_file; extern char *ssl_crl_file; -extern int secure_initialize(void); +extern int secure_initialize(bool failOnError); extern bool secure_loaded_verify_locations(void); extern void secure_destroy(void); extern int secure_open_server(Port *port); -- cgit v1.2.3