Automatic CRL reload
From | Andrej Podzimek
---|---
Subject | Automatic CRL reload
Date |
Msg-id | 49531F7A.7070901@podzimek.org
Replies | Re: Automatic CRL reload
List | pgsql-general
Hello, this is just a small wish / feature request.

The Apache httpd project dealt with a similar issue just a few months ago: https://issues.apache.org/bugzilla/show_bug.cgi?id=14104

There's exactly the same problem in PostgreSQL. The documentation says: "The files server.key, server.crt, root.crt, and root.crl are only examined during server start; so you must restart the server for changes in them to take effect." (http://www.postgresql.org/docs/8.3/static/ssl-tcp.html)

This is perfectly fine for server.key, server.crt and root.crt. These files change quite rarely. However, root.crl usually changes once a month (which is the default in OpenSSL) or even more often when necessary. Restarting the server once a month is not an ideal solution.

With an expired CRL, SSL connections are refused without proper error messages. This is confusing. Despite the fact that root.crl is up-to-date and clients are configured properly, you will get this error message when the old CRL in memory expires:

Dec 25 05:37:41 charon postgres[28210]: [4-1] LOG: could not accept SSL connection: no certificate returned

It might be better to say something like "I can't validate the certificate with an expired CRL." Presumably, pg_ctl restart fixed this problem.

It would be great if PostgreSQL could reload the CRL when necessary, just like Apache httpd does. Could this be appended to the 8.4 wishlist, please?

Best regards,
Andrej Podzimek
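Until the server reloads root.crl on its own, the operational gap the post describes can be caught by a monitoring check: compare the CRL on disk with the time the postmaster started, and warn before the copy loaded at start-up lapses. The script below is an added example by the editor, not code from the post or from PostgreSQL. It reads thisUpdate/nextUpdate out of a PEM or DER CRL with a small hand-written DER reader (no third-party library, no signature verification), and assumes the postmaster start time is supplied as an ISO timestamp, e.g. from `SELECT pg_postmaster_start_time();`. The CRL produced by `make_sample_crl()` is constructed, unsigned test data, included only so the check runs offline.

```python
import base64
import re
import sys
from datetime import datetime, timedelta, timezone


def parse_iso(s):
    """'2008-12-25T05:37:41Z' -> timezone-aware UTC datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _der_tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _der_children(value):
    """Yield (tag, value) for each element directly inside a SEQUENCE."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _der_tlv(value, pos)
        yield tag, inner


def _der_time(tag, value):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18), RFC 5280 4.1.2.5 rules."""
    s = value.decode("ascii")
    if tag == 0x17:                          # YYMMDDHHMMSSZ; YY >= 50 means 19YY
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    elif tag != 0x18:                        # GeneralizedTime is YYYYMMDDHHMMSSZ
        raise ValueError("expected a Time, got tag 0x%02x" % tag)
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def crl_validity(crl_bytes):
    """Return (thisUpdate, nextUpdate) of a PEM- or DER-encoded CRL.

    The signature is NOT verified; validity dates are all this check needs.
    """
    if crl_bytes.lstrip().startswith(b"-----BEGIN"):
        crl_bytes = base64.b64decode(re.sub(rb"-----[^-]+-----", b"", crl_bytes))
    _, cert_list, _ = _der_tlv(crl_bytes, 0)               # CertificateList
    _, tbs, _ = _der_tlv(cert_list, 0)                     # tbsCertList
    fields = list(_der_children(tbs))
    if fields[0][0] == 0x02:                               # optional version INTEGER
        fields = fields[1:]
    # fields now: signature, issuer, thisUpdate, [nextUpdate], [revokedCertificates], ...
    this_update = _der_time(*fields[2])
    next_update = None
    if len(fields) > 3 and fields[3][0] in (0x17, 0x18):   # nextUpdate is OPTIONAL
        next_update = _der_time(*fields[3])
    return this_update, next_update


def crl_status(crl_bytes, postmaster_started, now, warn_days=3):
    """Classify the CRL the running postmaster is using (both times as ISO strings).

    Returns 'restart-needed', 'expired', 'expiring-soon', 'no-nextupdate' or 'ok'.
    """
    started, now = parse_iso(postmaster_started), parse_iso(now)
    this_update, next_update = crl_validity(crl_bytes)
    if this_update > started:
        # The file on disk is newer than anything the server could have loaded.
        return "restart-needed"
    if next_update is None:
        return "no-nextupdate"
    if next_update <= now:
        # The in-memory copy has lapsed: the server now refuses SSL connections.
        return "expired"
    if next_update - now <= timedelta(days=warn_days):
        return "expiring-soon"
    return "ok"


def _der(tag, value):
    """Minimal DER encoder, used only to build the constructed test CRL."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def make_sample_crl(this_update, next_update, pem=True):
    """Constructed, UNSIGNED CRL (dummy signature) with the given ISO validity dates."""
    utc = lambda s: _der(0x17, parse_iso(s).strftime("%y%m%d%H%M%SZ").encode())
    sha256_rsa = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    cn = _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x0c, b"Test CA"))
    issuer = _der(0x30, _der(0x31, cn))
    tbs = _der(0x30, _der(0x02, b"\x01") + sha256_rsa + issuer + utc(this_update) + utc(next_update))
    der = _der(0x30, tbs + sha256_rsa + _der(0x03, b"\x00" * 33))   # 0 unused bits + zero sig
    if not pem:
        return der
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN X509 CRL-----\n" + body + b"\n-----END X509 CRL-----\n"


if __name__ == "__main__":
    # usage: crlcheck.py /path/to/root.crl <pg_postmaster_start_time ISO> <now ISO>
    with open(sys.argv[1], "rb") as f:
        print(crl_status(f.read(), sys.argv[2], sys.argv[3]))
```

Run it from cron against the live root.crl; "restart-needed" means a fresh CRL was dropped into the data directory after the server started, and "expiring-soon"/"expired" means the copy in memory is about to produce, or already produces, the "no certificate returned" rejections described above.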