From de41869b64d57160f58852eab20a27f248188135 Mon Sep 17 00:00:00 2001 From: Tom Lane Date: Mon, 2 Jan 2017 21:37:12 -0500 Subject: Allow SSL configuration to be updated at SIGHUP. It is no longer necessary to restart the server to enable, disable, or reconfigure SSL. Instead, we just create a new SSL_CTX struct (by re-reading all relevant files) whenever we get SIGHUP. Testing shows that this is fast enough that it shouldn't be a problem. In conjunction with that, downgrade the logic that complains about pg_hba.conf "hostssl" lines when SSL isn't active: now that's just a warning condition not an error. An issue that still needs to be addressed is what shall we do with passphrase-protected server keys? As this stands, the server would demand the passphrase again on every SIGHUP, which is certainly impractical. But the case was only barely supported before, so that does not seem a sufficient reason to hold up committing this patch. Andreas Karlsson, reviewed by Michael Banck and Michael Paquier Discussion: https://postgr.es/m/556A6E8A.9030400@proxel.se --- doc/src/sgml/client-auth.sgml | 4 ++- doc/src/sgml/config.sgml | 84 +++++++++++++++++++++++++------------------ doc/src/sgml/runtime.sgml | 19 +++++++--- 3 files changed, 66 insertions(+), 41 deletions(-) (limited to 'doc/src') diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml index 960f5b5871f..dda58919004 100644 --- a/doc/src/sgml/client-auth.sgml +++ b/doc/src/sgml/client-auth.sgml @@ -156,9 +156,11 @@ hostnossl database user To make use of this option the server must be built with SSL support. Furthermore, - SSL must be enabled at server start time + SSL must be enabled by setting the configuration parameter (see for more information). + Otherwise, the hostssl record is ignored except for + logging a warning that it cannot match any connections. diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml index 8d7b3bfd663..30dd54cd5d4 100644 --- a/doc/src/sgml/config.sgml +++ b/doc/src/sgml/config.sgml @@ -958,10 +958,10 @@ include_dir 'conf.d' Enables SSL connections. Please read - before using this. The default - is off. This parameter can only be set at server - start. SSL communication is only possible with - TCP/IP connections. + before using this. + This parameter can only be set in the postgresql.conf + file or on the server command line. + The default is off. @@ -975,11 +975,16 @@ include_dir 'conf.d' Specifies the name of the file containing the SSL server certificate - authority (CA). The default is empty, meaning no CA file is loaded, - and client certificate verification is not performed. (In previous - releases of PostgreSQL, the name of this file was hard-coded - as root.crt.) Relative paths are relative to the - data directory. This parameter can only be set at server start. + authority (CA). + Relative paths are relative to the data directory. + This parameter can only be set in the postgresql.conf + file or on the server command line. + The default is empty, meaning no CA file is loaded, + and client certificate verification is not performed. + + + In previous releases of PostgreSQL, the name of this file was + hard-coded as root.crt. @@ -993,9 +998,10 @@ include_dir 'conf.d' Specifies the name of the file containing the SSL server certificate. - The default is server.crt. Relative paths are - relative to the data directory. This parameter can only be set at - server start. + Relative paths are relative to the data directory. + This parameter can only be set in the postgresql.conf + file or on the server command line. + The default is server.crt. @@ -1009,11 +1015,15 @@ include_dir 'conf.d' Specifies the name of the file containing the SSL server certificate - revocation list (CRL). The default is empty, meaning no CRL file is - loaded. (In previous releases of PostgreSQL, the name of this file was - hard-coded as root.crl.) Relative paths are - relative to the data directory. This parameter can only be set at - server start. + revocation list (CRL). + Relative paths are relative to the data directory. + This parameter can only be set in the postgresql.conf + file or on the server command line. + The default is empty, meaning no CRL file is loaded. + + + In previous releases of PostgreSQL, the name of this file was + hard-coded as root.crl. @@ -1027,9 +1037,10 @@ include_dir 'conf.d' Specifies the name of the file containing the SSL server private key. - The default is server.key. Relative paths are - relative to the data directory. This parameter can only be set at - server start. + Relative paths are relative to the data directory. + This parameter can only be set in the postgresql.conf + file or on the server command line. + The default is server.key. @@ -1046,10 +1057,12 @@ include_dir 'conf.d' used on secure connections. See the ciphers manual page in the OpenSSL package for the syntax of this setting - and a list of supported values. The default value is - HIGH:MEDIUM:+3DES:!aNULL. It is usually reasonable, - unless you have specific security requirements. This parameter can only - be set at server start. + and a list of supported values. + This parameter can only be set in the postgresql.conf + file or on the server command line. + The default value is HIGH:MEDIUM:+3DES:!aNULL. The + default is usually a reasonable choice unless you have specific + security requirements. @@ -1113,7 +1126,7 @@ include_dir 'conf.d' - ssl_prefer_server_ciphers (bool) + ssl_prefer_server_ciphers (boolean) ssl_prefer_server_ciphers configuration parameter @@ -1121,8 +1134,10 @@ include_dir 'conf.d' Specifies whether to use the server's SSL cipher preferences, rather - than the client's. The default is true. This parameter can only be - set at server start. + than the client's. + This parameter can only be set in the postgresql.conf + file or on the server command line. + The default is true. @@ -1145,19 +1160,18 @@ include_dir 'conf.d' Specifies the name of the curve to use in ECDH key exchange. It needs to be supported by all clients that connect. - It does not need to be same curve as used by server's Elliptic - Curve key. The default is prime256v1. This parameter - can only be set at server start. + It does not need to be the same curve used by the server's Elliptic + Curve key. + This parameter can only be set in the postgresql.conf + file or on the server command line. + The default is prime256v1. - OpenSSL names for most common curves: + OpenSSL names for the most common curves are: prime256v1 (NIST P-256), secp384r1 (NIST P-384), secp521r1 (NIST P-521). - - - The full list of available curves can be shown with the command openssl ecparam -list_curves. Not all of them are usable in TLS though. @@ -3003,7 +3017,7 @@ include_dir 'conf.d' - track_commit_timestamp (bool) + track_commit_timestamp (boolean) track_commit_timestamp configuration parameter diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml index 787cfce9878..65c7809332e 100644 --- a/doc/src/sgml/runtime.sgml +++ b/doc/src/sgml/runtime.sgml @@ -2285,11 +2285,20 @@ pg_dumpall -p 5432 | psql -d postgres -p 5433 - The files server.key, server.crt, - root.crt, and root.crl - (or their configured alternative names) - are only examined during server start; so you must restart - the server for changes in them to take effect. + The server reads these files at server start and whenever the server + configuration is reloaded. On Windows + systems, they are also re-read whenever a new backend process is spawned + for a new client connection. + + + + If an error in these files is detected at server start, the server will + refuse to start. But if an error is detected during a configuration + reload, the files are ignored and the old values continue to be used. + On Windows systems, if an error in these + files is detected at backend start, that backend will be unable to + establish an SSL connection. In all these cases, the error condition is + reported in the server log. -- cgit v1.2.3