Hello,
this is just a small wish / feature request.
The Apache httpd project dealt with a similar issue just a few months ago:
https://issues.apache.org/bugzilla/show_bug.cgi?id=14104 There's exactly the
same problem in PostgreSQL. The documentation says:
"The files server.key, server.crt, root.crt, and root.crl are only examined during
server start; so you must restart the server for changes in them to take effect."
(http://www.postgresql.org/docs/8.3/static/ssl-tcp.html)
This is perfectly fine for server.key, server.crt and root.crt. These files
change quite rarely. However, root.crl usually changes once a month (which is
the default in OpenSSL) or even more often when necessary. Restarting the
server once a month is not an ideal solution.
With an expired CRL, SSL connections are refused without proper error messages.
This is confusing. Despite the fact that root.crl is up-to-date and clients are
configured properly, you will get this error message when the old CRL in memory
expires:
Dec 25 05:37:41 charon postgres[28210]: [4-1] LOG: could not accept SSL connection: no certificate returned
It might be better to say something like "I can't validate the certificate with an
expired CRL."
Presumably, pg_ctl restart fixed this problem.
It would be great if PostgreSQL could reload the CRL when necessary, just like
Apache httpd does. Could this be appended to the 8.4 wishlist, please?
Best regards,
Andrej Podzimek
--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
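The post's failure mode (the server keeps a CRL in memory until restart, the copy passes nextUpdate, and new SSL connections fail with a message that never mentions the CRL) is easy to catch ahead of time by watching nextUpdate of the root.crl on disk and by matching the quoted log line. The script below is an added example, not code from the post or from PostgreSQL: it reads thisUpdate/nextUpdate straight from the DER structure of RFC 5280 with stdlib only (so it needs neither OpenSSL nor the cryptography package), and it builds its own sample CRL with constructed dates and a placeholder (not real) signature so it runs offline. The issuer name, dates, warning threshold and function names are all assumptions chosen for the demo.

```python
"""Stdlib-only monitor for a PostgreSQL root.crl: report when the CRL the running
server loaded at start is past (or close to) its nextUpdate, and flag the log
line the post quotes.  Added example, not PostgreSQL code."""
import base64
import re
from datetime import datetime, timedelta, timezone

# --- minimal DER reading (RFC 5280 CertificateList) ------------------------

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _parse_time(tag, value):
    """Decode UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    text = value.decode("ascii")
    if tag == 0x17:
        text = ("19" if int(text[:2]) >= 50 else "20") + text   # RFC 5280 two-digit year rule
    elif tag != 0x18:
        raise ValueError("expected a Time element, got tag 0x%02x" % tag)
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def _to_der(data):
    """Accept DER bytes or PEM text ('-----BEGIN X509 CRL-----') and return DER bytes."""
    if data.lstrip().startswith(b"-----"):
        body = b"".join(l for l in data.splitlines() if not l.startswith(b"-----"))
        return base64.b64decode(body)
    return data

def crl_validity(data):
    """Return (thisUpdate, nextUpdate) as aware UTC datetimes; nextUpdate may be None."""
    der = _to_der(data)
    _, cert_list, _ = _read_tlv(der, 0)        # CertificateList SEQUENCE
    _, tbs, _ = _read_tlv(cert_list, 0)        # TBSCertList SEQUENCE
    tag, _, pos = _read_tlv(tbs, 0)            # version INTEGER (optional) or signature
    if tag == 0x02:
        tag, _, pos = _read_tlv(tbs, pos)      # signature AlgorithmIdentifier
    tag, _, pos = _read_tlv(tbs, pos)          # issuer Name
    tag, val, pos = _read_tlv(tbs, pos)        # thisUpdate
    this_update, next_update = _parse_time(tag, val), None
    if pos < len(tbs):
        tag, val, pos = _read_tlv(tbs, pos)
        if tag in (0x17, 0x18):                # nextUpdate is OPTIONAL
            next_update = _parse_time(tag, val)
    return this_update, next_update

def _as_utc(value):
    """Accept None (now), an aware datetime, or an ISO-8601 string such as '2008-12-26'."""
    if value is None:
        return datetime.now(timezone.utc)
    if isinstance(value, str):
        value = datetime.fromisoformat(value)
    return value if value.tzinfo else value.replace(tzinfo=timezone.utc)

def check_crl(data, now=None, warn_days=7):
    """'expired', 'expiring' (nextUpdate within warn_days) or 'ok'."""
    now = _as_utc(now)
    _, next_update = crl_validity(data)
    if next_update is None:
        return "ok"                            # no nextUpdate: the CRL never goes stale
    if next_update <= now:
        return "expired"
    return "expiring" if next_update - now <= timedelta(days=warn_days) else "ok"

# The message the post reports once the in-memory CRL has expired.
STALE_CRL_HINT = re.compile(r"could not accept SSL connection: no certificate returned")

def suspicious_log_lines(lines):
    """Return the postgres log lines that match the expired-CRL symptom."""
    return [line for line in lines if STALE_CRL_HINT.search(line)]

# --- constructed sample CRL (demo only: placeholder signature, made-up dates) --

def _tlv(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def build_sample_crl(this_update=b"081125000000Z", next_update=b"081225000000Z"):
    """Unsigned CRL skeleton with UTCTime fields; issuer 'Example Test CA' is made up."""
    sha256_rsa = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))
    issuer = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, bytes.fromhex("550403"))
                                              + _tlv(0x0C, b"Example Test CA"))))
    tbs = _tlv(0x30, _tlv(0x02, b"\x01") + sha256_rsa + issuer
               + _tlv(0x17, this_update) + _tlv(0x17, next_update))
    fake_sig = _tlv(0x03, b"\x00" * 17)        # placeholder BIT STRING, not a real signature
    return _tlv(0x30, tbs + sha256_rsa + fake_sig)

def to_pem(der):
    b64 = base64.encodebytes(der).replace(b"\n", b"")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"-----BEGIN X509 CRL-----\n" + b"\n".join(lines) + b"\n-----END X509 CRL-----\n"

if __name__ == "__main__":
    crl = build_sample_crl()
    print("thisUpdate / nextUpdate:", *crl_validity(crl))
    print("status on 2008-12-26 (constructed 'now'):", check_crl(crl, now="2008-12-26"))
    print(suspicious_log_lines(["Dec 25 05:37:41 charon postgres[28210]: [4-1] LOG: "
                                "could not accept SSL connection: no certificate returned"]))
```

In use, point `check_crl` at the real root.crl and run it from cron; an "expiring" result is the cue to install the new CRL and schedule the restart before the in-memory copy lapses, and a hit from `suspicious_log_lines` together with an "ok" file on disk is the signature of the situation the post describes (fresh file, stale copy in the running server).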