Thread: Re: Passphrase protected SSL key and reloads
(moved from Hackers to docs)

On 1/5/19 4:26 PM, Joe Conway wrote:
> On https://www.postgresql.org/docs/11/ssl-tcp.html it says:
>
> "Using a passphrase also disables the ability to change the server's
> SSL configuration without a server restart."
>
> But as of pg11 we have ssl_passphrase_command_supports_reload, which as
> I understand it should allow this if the passphrase command is not
> interactive. Per
> https://www.postgresql.org/docs/11/runtime-config-connection.html#GUC-SSL-PASSPHRASE-COMMAND-SUPPORTS-RELOAD
>
> "Setting this parameter to true might be appropriate if the passphrase
> is obtained from a file, for example."
>
> Am I misunderstanding, or was the former quote missed when updating the
> docs for pg11?

Since I am already thinking about pgsql-docs today -- any comment on this?

Joe

--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development

On 2019-04-24 13:22, Joe Conway wrote:
>> "Using a passphrase also disables the ability to change the server's
>> SSL configuration without a server restart."
>>
>> But as of pg11 we have ssl_passphrase_command_supports_reload, which as
>> I understand it should allow this if the passphrase command is not
>> interactive. Per
>> https://www.postgresql.org/docs/11/runtime-config-connection.html#GUC-SSL-PASSPHRASE-COMMAND-SUPPORTS-RELOAD
>>
>> "Setting this parameter to true might be appropriate if the passphrase
>> is obtained from a file, for example."
>>
>> Am I misunderstanding, or was the former quote missed when updating the
>> docs for pg11?

Right, that should be amended.

I suspect the next sentence

    Furthermore, passphrase-protected private keys cannot be used at all
    on Windows.

is also related to this. Can someone comment on this?

--
Peter Eisentraut http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services