Re: Passphrase protected SSL key and reloads
(moved from Hackers to docs)
On 1/5/19 4:26 PM, Joe Conway wrote:
On https://www.postgresql.org/docs/11/ssl-tcp.html it says:

"Using a passphrase also disables the ability to change the server's
SSL configuration without a server restart."

But as of pg11 we have ssl_passphrase_command_supports_reload, which as
I understand it should allow this if the passphrase command is not
interactive. Per
https://www.postgresql.org/docs/11/runtime-config-connection.html#GUC-SSL-PASSPHRASE-COMMAND-SUPPORTS-RELOAD

"Setting this parameter to true might be appropriate if the passphrase
is obtained from a file, for example."

Am I misunderstanding, or was the former quote missed when updating the
docs for pg11?
Since I am already thinking about pgsql-docs today -- any comment on this?
Joe
--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development
On 2019-04-24 13:22, Joe Conway wrote:
"Using a passphrase also disables the ability to change the server's
SSL configuration without a server restart."

But as of pg11 we have ssl_passphrase_command_supports_reload, which as
I understand it should allow this if the passphrase command is not
interactive. Per
https://www.postgresql.org/docs/11/runtime-config-connection.html#GUC-SSL-PASSPHRASE-COMMAND-SUPPORTS-RELOAD

"Setting this parameter to true might be appropriate if the passphrase
is obtained from a file, for example."

Am I misunderstanding, or was the former quote missed when updating the
docs for pg11?
Right, that should be amended. I suspect the next sentence
Furthermore, passphrase-protected private keys cannot be used at all
on Windows.
is also related to this. Can someone comment on this?
--
Peter Eisentraut http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
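
The "passphrase is obtained from a file" case quoted in the thread, sketched as a non-interactive helper for ssl_passphrase_command. This is an added example, not part of the thread or of the PostgreSQL documentation. The script name, its install path and the passphrase file path are hypothetical.

```shell
#!/bin/sh
# Added example: non-interactive helper for ssl_passphrase_command.
# Assumed postgresql.conf wiring (both paths are hypothetical):
#   ssl_passphrase_command = '/usr/local/bin/pg_key_passphrase.sh /etc/postgresql/ssl/passphrase'
#   ssl_passphrase_command_supports_reload = on

# Print the passphrase stored in file $1 on stdout and return 0.
# On any problem it returns non-zero with nothing on stdout instead of
# prompting, so it behaves the same at server start and during a reload,
# when no terminal is attached.
read_passphrase() {
    file=$1
    if [ ! -f "$file" ] || [ ! -r "$file" ]; then
        echo "passphrase file missing or unreadable: $file" >&2
        return 1
    fi
    # Characters 5-10 of the ls mode string are the group/other permission
    # bits; require all of them unset (e.g. mode 0600 or 0400).
    # Symlinks show as lrwxrwxrwx and are therefore refused as well.
    perms=$(ls -ld "$file" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "refusing $file: accessible to group or others" >&2
        return 1
    fi
    # Use the first line only and reject an empty passphrase.
    pass=$(head -n 1 "$file")
    if [ -z "$pass" ]; then
        echo "passphrase file is empty: $file" >&2
        return 1
    fi
    printf '%s\n' "$pass"
}

# When called with a file argument (as in the wiring above), emit the passphrase.
[ "$#" -eq 0 ] || read_passphrase "$1"
```
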