Re: Automatic CRL reload
| From | Bruce Momjian |
|---|---|
| Subject | Re: Automatic CRL reload |
| Date | |
| Msg-id | 200901212349.n0LNn6j16801@momjian.us |
| In reply to | Re: Automatic CRL reload (Alvaro Herrera <alvherre@commandprompt.com>) |
| List | pgsql-general |

Alvaro Herrera wrote:
> Andrej Podzimek wrote:
>
> > "The files server.key, server.crt, root.crt, and root.crl are only
> > examined during server start; so you must restart the server for
> > changes in them to take effect."
> > (http://www.postgresql.org/docs/8.3/static/ssl-tcp.html)
> >
> > This is perfectly fine for server.key, server.crt and root.crt. These
> > files change quite rarely. However, root.crl usually changes once a
> > month (which is the default in OpenSSL) or even more often when
> > necessary.
>
> I think the right solution here is to reload the CRL file on SIGHUP
> (reload). Whoever changes the CRL file should send a signal.
>
> I've had that on my TODO list for a while.

Added to TODO:

    Allow SSL CRL files to be re-read during configuration file reload,
    rather than requiring a server restart

    Unlike SSL CRT files, CRL (Certificate Revocation List) files are
    updated frequently

    * http://archives.postgresql.org/pgsql-general/2008-12/msg00832.php

--
  Bruce Momjian <bruce@momjian.us> http://momjian.us
  EnterpriseDB http://enterprisedb.com

  + If your life is a hard drive, Christ can be your backup. +
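
The reload-on-SIGHUP approach proposed in the message above, as an added example that is not PostgreSQL code and not part of the original thread. It assumes a constructed stand-in for a real X.509 CRL (a text file with one short hex serial number per line), and every function name in it is hypothetical. The point it shows is that a failed reload must leave the revocation list already in force untouched.

```c
/* Added example, not PostgreSQL source. Stand-in "CRL": one short hex
 * serial per line (constructed format); all names are hypothetical. */
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_REVOKED 1024
static volatile sig_atomic_t got_sighup = 0;  /* set by handler, read by main loop */
static unsigned long revoked[MAX_REVOKED];    /* revocation list currently in force */
static size_t n_revoked = 0;

/* The handler only sets a flag; file I/O is not async-signal-safe. */
static void sighup_handler(int signo) { (void) signo; got_sighup = 1; }

int install_sighup(void) {
    return signal(SIGHUP, sighup_handler) == SIG_ERR ? -1 : 0;
}

/* Parse into a scratch buffer and swap only on full success, so a missing,
 * truncated or malformed file never replaces or empties the active list. */
int reload_crl(const char *path) {
    static unsigned long scratch[MAX_REVOKED];
    size_t n = 0;
    char line[64], *end;
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    while (fgets(line, sizeof line, f)) {
        unsigned long serial = strtoul(line, &end, 16);
        if (end == line || (*end != '\n' && *end != '\0') || n == MAX_REVOKED) {
            fclose(f);
            return -1;                        /* reject file, keep old list */
        }
        scratch[n++] = serial;
    }
    fclose(f);
    memcpy(revoked, scratch, n * sizeof scratch[0]);
    n_revoked = n;
    return 0;
}

/* Called from the main loop between units of work:
 * 0 = no signal pending, 1 = reloaded, -1 = reload failed (old list kept). */
int maybe_reload(const char *path) {
    if (!got_sighup) return 0;
    got_sighup = 0;
    return reload_crl(path) == 0 ? 1 : -1;
}

int is_revoked(unsigned long serial) {
    for (size_t i = 0; i < n_revoked; i++)
        if (revoked[i] == serial) return 1;
    return 0;
}
```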