From: | Magnus Hagander <magnus(at)hagander(dot)net> |
---|---|
To: | Andres Freund <andres(at)2ndquadrant(dot)com> |
Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Robert Haas <robertmhaas(at)gmail(dot)com>, Alexey Klyukin <alexk(at)hintbits(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: re-reading SSL certificates during server reload |
Date: | 2014-08-28 14:21:26 |
Message-ID: | CABUevEzpZx534tjH==92truM01A=ZwD60Jk7+BnU2_V--U3sOQ@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On Thu, Aug 28, 2014 at 4:14 PM, Andres Freund <andres(at)2ndquadrant(dot)com> wrote:
> On 2014-08-28 10:12:19 -0400, Tom Lane wrote:
>> Magnus Hagander <magnus(at)hagander(dot)net> writes:
>> > On Thu, Aug 28, 2014 at 4:05 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>> >> Why would they need to be BACKEND, as opposed to just PGC_SIGHUP?
>>
>> > I just thought semantically - because they do not change in a running
>> > backend. Any running backend will continue with encryption set up
>> > based on the old certificate.
>>
>> Hm. Yeah, I guess there is some use in holding onto the values that were
>> actually used to initialize the current session, or at least there would
>> be if we exposed the cert contents in any fashion.
>
> Won't that allow the option to be specified at connection start by mere
> mortal users? That sounds odd to me.
The cert is (and has to be) loaded before we even read the startup
packet, so there is no way for them to actually send the value over
early enough I believe.
--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
From | Date | Subject | |
---|---|---|---|
Next Message | Amit Kapila | 2014-08-28 14:23:22 | Re: Audit of logout |
Previous Message | Tom Lane | 2014-08-28 14:20:08 | Re: re-reading SSL certificates during server reload |