diff options
| author | Tom Lane | 2017-01-03 02:37:12 +0000 |
|---|---|---|
| committer | Tom Lane | 2017-01-03 02:37:12 +0000 |
| commit | de41869b64d57160f58852eab20a27f248188135 (patch) | |
| tree | a4d81157d9126c76d042d093ee7a4a08a37181aa /src/backend/postmaster | |
| parent | 1d63f7d2d180c8708bc12710254eb7b45823440f (diff) | |
Allow SSL configuration to be updated at SIGHUP.
It is no longer necessary to restart the server to enable, disable,
or reconfigure SSL. Instead, we just create a new SSL_CTX struct
(by re-reading all relevant files) whenever we get SIGHUP. Testing
shows that this is fast enough that it shouldn't be a problem.
In conjunction with that, downgrade the logic that complains about
pg_hba.conf "hostssl" lines when SSL isn't active: now that's just
a warning condition not an error.
An issue that still needs to be addressed is what shall we do with
passphrase-protected server keys? As this stands, the server would
demand the passphrase again on every SIGHUP, which is certainly
impractical. But the case was only barely supported before, so that
does not seem a sufficient reason to hold up committing this patch.
Andreas Karlsson, reviewed by Michael Banck and Michael Paquier
Discussion: https://postgr.es/m/556A6E8A.9030400@proxel.se
Diffstat (limited to 'src/backend/postmaster')
| -rw-r--r-- | src/backend/postmaster/postmaster.c | 45 |
1 files changed, 40 insertions, 5 deletions
diff --git a/src/backend/postmaster/postmaster.c b/src/backend/postmaster/postmaster.c index 535f6c4e5a0..02e6bb9dbdc 100644 --- a/src/backend/postmaster/postmaster.c +++ b/src/backend/postmaster/postmaster.c @@ -368,6 +368,11 @@ static unsigned int random_seed = 0; static struct timeval random_start_time; #endif +#ifdef USE_SSL +/* Set when and if SSL has been initialized properly */ +static bool LoadedSSL = false; +#endif + #ifdef USE_BONJOUR static DNSServiceRef bonjour_sdref = NULL; #endif @@ -930,7 +935,10 @@ PostmasterMain(int argc, char *argv[]) */ #ifdef USE_SSL if (EnableSSL) - secure_initialize(); + { + (void) secure_initialize(true); + LoadedSSL = true; + } #endif /* @@ -1961,7 +1969,7 @@ ProcessStartupPacket(Port *port, bool SSLdone) #ifdef USE_SSL /* No SSL when disabled or on Unix sockets */ - if (!EnableSSL || IS_AF_UNIX(port->laddr.addr.ss_family)) + if (!LoadedSSL || IS_AF_UNIX(port->laddr.addr.ss_family)) SSLok = 'N'; else SSLok = 'S'; /* Support for SSL */ @@ -2498,13 +2506,30 @@ SIGHUP_handler(SIGNAL_ARGS) /* Reload authentication config files too */ if (!load_hba()) - ereport(WARNING, + ereport(LOG, (errmsg("pg_hba.conf not reloaded"))); if (!load_ident()) - ereport(WARNING, + ereport(LOG, (errmsg("pg_ident.conf not reloaded"))); +#ifdef USE_SSL + /* Reload SSL configuration as well */ + if (EnableSSL) + { + if (secure_initialize(false) == 0) + LoadedSSL = true; + else + ereport(LOG, + (errmsg("SSL context not reloaded"))); + } + else + { + secure_destroy(); + LoadedSSL = false; + } +#endif + #ifdef EXEC_BACKEND /* Update the starting-point file for future children */ write_nondefault_variables(PGC_SIGHUP); @@ -4733,12 +4758,22 @@ SubPostmasterMain(int argc, char *argv[]) * context structures contain function pointers and cannot be passed * through the parameter file. * + * If for some reason reload fails (maybe the user installed broken + * key files), soldier on without SSL; that's better than all + * connections becoming impossible. + * * XXX should we do this in all child processes? For the moment it's * enough to do it in backend children. */ #ifdef USE_SSL if (EnableSSL) - secure_initialize(); + { + if (secure_initialize(false) == 0) + LoadedSSL = true; + else + ereport(LOG, + (errmsg("SSL context could not be reloaded in child process"))); + } #endif /* |