database/postgres
1
0
Fork 0
mirror of https://github.com/postgres/postgres.git synced 2025-07-27 12:41:57 +03:00
Code Activity

Allow SSL configuration to be updated at SIGHUP.

Browse Source 
It is no longer necessary to restart the server to enable, disable,
or reconfigure SSL.  Instead, we just create a new SSL_CTX struct
(by re-reading all relevant files) whenever we get SIGHUP.  Testing
shows that this is fast enough that it shouldn't be a problem.

In conjunction with that, downgrade the logic that complains about
pg_hba.conf "hostssl" lines when SSL isn't active: now that's just
a warning condition not an error.

An issue that still needs to be addressed is what shall we do with
passphrase-protected server keys?  As this stands, the server would
demand the passphrase again on every SIGHUP, which is certainly
impractical.  But the case was only barely supported before, so that
does not seem a sufficient reason to hold up committing this patch.

Andreas Karlsson, reviewed by Michael Banck and Michael Paquier

Discussion: https://postgr.es/m/556A6E8A.9030400@proxel.se
This commit is contained in:
Tom Lane
2017-01-02 21:37:12 -05:00
parent 1d63f7d2d1
commit de41869b64
13 changed files with 407 additions and 244 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
doc/src/sgml/client-auth.sgml
View File

@ -156,9 +156,11 @@ hostnossl <replaceable>database</replaceable> <replaceable>user</replaceable>
<para>
To make use of this option the server must be built with
<acronym>SSL</acronym> support. Furthermore,
<acronym>SSL</acronym> must be enabled at server start time
<acronym>SSL</acronym> must be enabled
by setting the <xref linkend="guc-ssl"> configuration parameter (see
<xref linkend="ssl-tcp"> for more information).
Otherwise, the <literal>hostssl</literal> record is ignored except for
logging a warning that it cannot match any connections.
</para>
</listitem>
</varlistentry>

84
doc/src/sgml/config.sgml
View File

@ -958,10 +958,10 @@ include_dir 'conf.d'
<listitem>
<para>
Enables <acronym>SSL</> connections. Please read
<xref linkend="ssl-tcp"> before using this. The default
is <literal>off</>. This parameter can only be set at server
start. <acronym>SSL</> communication is only possible with
TCP/IP connections.
<xref linkend="ssl-tcp"> before using this.
This parameter can only be set in the <filename>postgresql.conf</>
file or on the server command line.
The default is <literal>off</>.
</para>
</listitem>
</varlistentry>
@ -975,11 +975,16 @@ include_dir 'conf.d'
<listitem>
<para>
Specifies the name of the file containing the SSL server certificate
authority (CA). The default is empty, meaning no CA file is loaded,
and client certificate verification is not performed. (In previous
releases of PostgreSQL, the name of this file was hard-coded
as <filename>root.crt</filename>.) Relative paths are relative to the
data directory. This parameter can only be set at server start.
authority (CA).
Relative paths are relative to the data directory.
This parameter can only be set in the <filename>postgresql.conf</>
file or on the server command line.
The default is empty, meaning no CA file is loaded,
and client certificate verification is not performed.
</para>
<para>
In previous releases of PostgreSQL, the name of this file was
hard-coded as <filename>root.crt</filename>.
</para>
</listitem>
</varlistentry>
@ -993,9 +998,10 @@ include_dir 'conf.d'
<listitem>
<para>
Specifies the name of the file containing the SSL server certificate.
The default is <filename>server.crt</filename>. Relative paths are
relative to the data directory. This parameter can only be set at
server start.
Relative paths are relative to the data directory.
This parameter can only be set in the <filename>postgresql.conf</>
file or on the server command line.
The default is <filename>server.crt</filename>.
</para>
</listitem>
</varlistentry>
@ -1009,11 +1015,15 @@ include_dir 'conf.d'
<listitem>
<para>
Specifies the name of the file containing the SSL server certificate
revocation list (CRL). The default is empty, meaning no CRL file is
loaded. (In previous releases of PostgreSQL, the name of this file was
hard-coded as <filename>root.crl</filename>.) Relative paths are
relative to the data directory. This parameter can only be set at
server start.
revocation list (CRL).
Relative paths are relative to the data directory.
This parameter can only be set in the <filename>postgresql.conf</>
file or on the server command line.
The default is empty, meaning no CRL file is loaded.
</para>
<para>
In previous releases of PostgreSQL, the name of this file was
hard-coded as <filename>root.crl</filename>.
</para>
</listitem>
</varlistentry>
@ -1027,9 +1037,10 @@ include_dir 'conf.d'
<listitem>
<para>
Specifies the name of the file containing the SSL server private key.
The default is <filename>server.key</filename>. Relative paths are
relative to the data directory. This parameter can only be set at
server start.
Relative paths are relative to the data directory.
This parameter can only be set in the <filename>postgresql.conf</>
file or on the server command line.
The default is <filename>server.key</filename>.
</para>
</listitem>
</varlistentry>
@ -1046,10 +1057,12 @@ include_dir 'conf.d'
used on secure connections. See
the <citerefentry><refentrytitle>ciphers</></citerefentry> manual page
in the <application>OpenSSL</> package for the syntax of this setting
and a list of supported values. The default value is
<literal>HIGH:MEDIUM:+3DES:!aNULL</>. It is usually reasonable,
unless you have specific security requirements. This parameter can only
be set at server start.
and a list of supported values.
This parameter can only be set in the <filename>postgresql.conf</>
file or on the server command line.
The default value is <literal>HIGH:MEDIUM:+3DES:!aNULL</>. The
default is usually a reasonable choice unless you have specific
security requirements.
</para>
<para>
@ -1113,7 +1126,7 @@ include_dir 'conf.d'
</varlistentry>
<varlistentry id="guc-ssl-prefer-server-ciphers" xreflabel="ssl_prefer_server_ciphers">
<term><varname>ssl_prefer_server_ciphers</varname> (<type>bool</type>)
<term><varname>ssl_prefer_server_ciphers</varname> (<type>boolean</type>)
<indexterm>
<primary><varname>ssl_prefer_server_ciphers</> configuration parameter</primary>
</indexterm>
@ -1121,8 +1134,10 @@ include_dir 'conf.d'
<listitem>
<para>
Specifies whether to use the server's SSL cipher preferences, rather
than the client's. The default is true. This parameter can only be
set at server start.
than the client's.
This parameter can only be set in the <filename>postgresql.conf</>
file or on the server command line.
The default is <literal>true</>.
</para>
<para>
@ -1145,19 +1160,18 @@ include_dir 'conf.d'
<para>
Specifies the name of the curve to use in <acronym>ECDH</> key
exchange. It needs to be supported by all clients that connect.
It does not need to be same curve as used by server's Elliptic
Curve key. The default is <literal>prime256v1</>. This parameter
can only be set at server start.
It does not need to be the same curve used by the server's Elliptic
Curve key.
This parameter can only be set in the <filename>postgresql.conf</>
file or on the server command line.
The default is <literal>prime256v1</>.
</para>
<para>
OpenSSL names for most common curves:
OpenSSL names for the most common curves are:
<literal>prime256v1</> (NIST P-256),
<literal>secp384r1</> (NIST P-384),
<literal>secp521r1</> (NIST P-521).
</para>
<para>
The full list of available curves can be shown with the command
<command>openssl ecparam -list_curves</command>. Not all of them
are usable in <acronym>TLS</> though.
@ -3003,7 +3017,7 @@ include_dir 'conf.d'
</varlistentry>
<varlistentry id="guc-track-commit-timestamp" xreflabel="track_commit_timestamp">
<term><varname>track_commit_timestamp</varname> (<type>bool</type>)
<term><varname>track_commit_timestamp</varname> (<type>boolean</type>)
<indexterm>
<primary><varname>track_commit_timestamp</> configuration parameter</primary>
</indexterm>

19
doc/src/sgml/runtime.sgml
View File

@ -2285,11 +2285,20 @@ pg_dumpall -p 5432 | psql -d postgres -p 5433
</table>
<para>
The files <filename>server.key</>, <filename>server.crt</>,
<filename>root.crt</filename>, and <filename>root.crl</filename>
(or their configured alternative names)
are only examined during server start; so you must restart
the server for changes in them to take effect.
The server reads these files at server start and whenever the server
configuration is reloaded. On <systemitem class="osname">Windows</>
systems, they are also re-read whenever a new backend process is spawned
for a new client connection.
</para>
<para>
If an error in these files is detected at server start, the server will
refuse to start. But if an error is detected during a configuration
reload, the files are ignored and the old values continue to be used.
On <systemitem class="osname">Windows</> systems, if an error in these
files is detected at backend start, that backend will be unable to
establish an SSL connection. In all these cases, the error condition is
reported in the server log.
</para>
</sect2>