Participants
Andrej Podzimek
Andrej Podzimek
Alvaro Herrera
Alvaro Herrera
Bruce Momjian
Bruce Momjian
Attachments
Show all attachments
Thread Outline
#1Andrej PodzimekAndrej Podzimek
Dec 25, 2008
#2Alvaro HerreraAlvaro Herrerato Andrej Podzimek (#1)
Dec 27, 2008
#3Bruce MomjianBruce Momjianto Alvaro Herrera (#2)
Jan 21, 2009

Automatic CRL reload

Started by Andrej Podzimekover 17 years ago3 messagesgeneral
Jump to latest
#1Andrej Podzimek
Andrej Podzimek
andrej@podzimek.org

Hello,

this is just a small wish / feature request.

The Apache httpd project dealt with a similar issue just a few months ago: https://issues.apache.org/bugzilla/show_bug.cgi?id=14104 There's exactly the same problem in PostgreSQL. The documentation says:

"The files server.key, server.crt, root.crt, and root.crl are only examined during server start; so you must restart the server for changes in them to take effect." (http://www.postgresql.org/docs/8.3/static/ssl-tcp.html)

This is perfectly fine for server.key, server.crt and root.crt. These files change quite rarely. However, root.crl usually chages once a month (which is the default in OpenSSL) or even more often when necessary. Restarting the server once a month is not an ideal solution.

With an expired CRL, SSL connections are refused without proper error messages. This is confusing. Despite the fact that root.crl is up-to-date and clients are configured properly, you will get this error message when the old CRL in memory expires:

Dec 25 05:37:41 charon postgres[28210]: [4-1] LOG: could not accept SSL connection: no certificate returned

It might be better to say something like "I can't validate the certificate with an expired CRL."

Presumably, pg_ctl restart fixed this problem.

It would be great if PostgreSQL could reload the CRL when necessary, just like Apache httpd does. Could this be appended to the 8.4 wishlist, please?

Best regards,

Andrej Podzimek

#2Alvaro Herrera
Alvaro Herrera
alvherre@2ndquadrant.com
In reply to: Andrej Podzimek (#1)
Re: Automatic CRL reload

Andrej Podzimek wrote:

"The files server.key, server.crt, root.crt, and root.crl are only
examined during server start; so you must restart the server for
changes in them to take effect."
(http://www.postgresql.org/docs/8.3/static/ssl-tcp.html)

This is perfectly fine for server.key, server.crt and root.crt. These
files change quite rarely. However, root.crl usually chages once a
month (which is the default in OpenSSL) or even more often when
necessary.

I think the right solution here is to reload the CRL file on SIGHUP
(reload). Whoever changes the CRL file should send a signal.

I've had that on my TODO list for a while.

--
Alvaro Herrera http://www.CommandPrompt.com/
The PostgreSQL Company - Command Prompt, Inc.

#3Bruce Momjian
Bruce Momjian
bruce@momjian.us
In reply to: Alvaro Herrera (#2)
Re: Automatic CRL reload

Alvaro Herrera wrote:

Andrej Podzimek wrote:

"The files server.key, server.crt, root.crt, and root.crl are only
examined during server start; so you must restart the server for
changes in them to take effect."
(http://www.postgresql.org/docs/8.3/static/ssl-tcp.html)

This is perfectly fine for server.key, server.crt and root.crt. These
files change quite rarely. However, root.crl usually chages once a
month (which is the default in OpenSSL) or even more often when
necessary.

I think the right solution here is to reload the CRL file on SIGHUP
(reload). Whoever changes the CRL file should send a signal.

I've had that on my TODO list for a while.

Added to TODO:

Allow SSL CRL files to be re-read during configuration file reload,
rather than requiring a server restart

Unlike SSL CRT files, CRL (Certificate Revocation List) files are
updated frequently

* http://archives.postgresql.org/pgsql-general/2008-12/msg00832.php

--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ If your life is a hard drive, Christ can be your backup. +

← Back to Topics