On Thu, Oct 17, 2019 at 04:20:42PM +1100, raf wrote:
> Hi,
>
> https://www.postgresql.org/docs/12/ssl-tcp.html says:
>
> "Using a passphrase also disables the ability to
> change the server's SSL configuration without a
> server restart."
>
> How is key TLS key changed without a server restart?
> Is replacing the server.crt/server.key files enough
> or is there more to it?
>
> And will existing connections continue to use the old
> key until they disconnect?
The Postgres docs say:
https://www.postgresql.org/docs/12/ssl-tcp.html#SSL-SERVER-FILES
The server reads these files at server start and whenever the server
configuration is reloaded. On Windows systems, they are also re-read
whenever a new backend process is spawned for a new client connection.
I actually don't know if existing sessions start using the new
certificate, or just new sessions. This doc sentence suggests even
existing sessions use the new certificate:
If an error in these files is detected at server start, the server will
refuse to start. But if an error is detected during a configuration
reload, the files are ignored and the old SSL configuration continues to
be used.
--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ As you are, so once was I. As I am, so you will be. +
+ Ancient Roman grave inscription +