author | Tom Lane <tgl@sss.pgh.pa.us> | 2017-01-02 21:37:12 -0500 |
---|---|---|
committer | Tom Lane <tgl@sss.pgh.pa.us> | 2017-01-02 21:37:12 -0500 |
commit | de41869b64d57160f58852eab20a27f248188135 (patch) | |
tree | a4d81157d9126c76d042d093ee7a4a08a37181aa /src/backend/libpq/hba.c | |
parent | 1d63f7d2d180c8708bc12710254eb7b45823440f (diff) | |
Allow SSL configuration to be updated at SIGHUP.
It is no longer necessary to restart the server to enable, disable,
or reconfigure SSL. Instead, we just create a new SSL_CTX struct
(by re-reading all relevant files) whenever we get SIGHUP. Testing
shows that this is fast enough that it shouldn't be a problem.
In conjunction with that, downgrade the logic that complains about
pg_hba.conf "hostssl" lines when SSL isn't active: now that's just
a warning condition not an error.
An issue that still needs to be addressed is what shall we do with
passphrase-protected server keys? As this stands, the server would
demand the passphrase again on every SIGHUP, which is certainly
impractical. But the case was only barely supported before, so that
does not seem a sufficient reason to hold up committing this patch.
Andreas Karlsson, reviewed by Michael Banck and Michael Paquier
Discussion: https://postgr.es/m/556A6E8A.9030400@proxel.se
Diffstat (limited to 'src/backend/libpq/hba.c')
-rw-r--r-- | src/backend/libpq/hba.c | 29 |
1 files changed, 5 insertions, 24 deletions
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
index f1e9a38c92e..5b644d64527 100644
--- a/src/backend/libpq/hba.c
+++ b/src/backend/libpq/hba.c
@@ -870,28 +870,23 @@ parse_hba_line(List *line, int line_num, char *raw_line)
 if (token->string[4] == 's') /* "hostssl" */
 {
- /* SSL support must be actually active, else complain */
+ parsedline->conntype = ctHostSSL;
+ /* Log a warning if SSL support is not active */
 #ifdef USE_SSL
- if (EnableSSL)
- parsedline->conntype = ctHostSSL;
- else
- {
+ if (!EnableSSL)
 ereport(LOG,
 (errcode(ERRCODE_CONFIG_FILE_ERROR),
- errmsg("hostssl requires SSL to be turned on"),
+ errmsg("hostssl record cannot match because SSL is disabled"),
 errhint("Set ssl = on in postgresql.conf."),
 errcontext("line %d of configuration file \"%s\"",
 line_num, HbaFileName)));
- return NULL;
- }
 #else
 ereport(LOG,
 (errcode(ERRCODE_CONFIG_FILE_ERROR),
- errmsg("hostssl is not supported by this build"),
+ errmsg("hostssl record cannot match because SSL is not supported by this build"),
 errhint("Compile with --with-openssl to use SSL connections."),
 errcontext("line %d of configuration file \"%s\"",
 line_num, HbaFileName)));
- return NULL;
 #endif
 }
 else if (token->string[4] == 'n') /* "hostnossl" */
@@ -1417,10 +1412,6 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int line_num)
 }
 else if (strcmp(name, "clientcert") == 0)
 {
- /*
- * Since we require ctHostSSL, this really can never happen on
- * non-SSL-enabled builds, so don't bother checking for USE_SSL.
- */
 if (hbaline->conntype != ctHostSSL)
 {
 ereport(LOG,
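Review bot: The new comment in the "hostssl" branch of parse_hba_line says only that a warning is logged; it leaves out that the record is now kept as ctHostSSL even when SSL is off or not compiled in, which is the part a reader auditing access rules needs. Since both `return NULL` paths are gone and the message itself says the record "cannot match", access is decided by whichever later pg_hba.conf line matches, and the LOG entry is the only signal an operator gets. I would expand the comment to something like `/* Keep the record even without SSL: it can never match, so later lines decide; we only log the condition */`. Related: with ctHostSSL now set on non-SSL builds and the secure_loaded_verify_locations() check removed in the last hunk, `clientcert=1` is accepted at parse time with no CA-store check; presumably that is enforced at connection time in code outside this file's diff, which is worth confirming. The function body starts and ends outside the hunk.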
@@ -1432,16 +1423,6 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int line_num)
 }
 if (strcmp(val, "1") == 0)
 {
- if (!secure_loaded_verify_locations())
- {
- ereport(LOG,
- (errcode(ERRCODE_CONFIG_FILE_ERROR),
- errmsg("client certificates can only be checked if a root certificate store is available"),
- errhint("Make sure the configuration parameter \"%s\" is set.", "ssl_ca_file"),
- errcontext("line %d of configuration file \"%s\"",
- line_num, HbaFileName)));
- return false;
- }
 hbaline->clientcert = true;
 }
 else |