Re: Extended test coverage and docs for SSL passphrase commands

Daniel Gustafsson <daniel@yesql.se>

From: Daniel Gustafsson <daniel@yesql.se>
To: Peter Eisentraut <peter@eisentraut.org>
Cc: Postgres hackers <pgsql-hackers@lists.postgresql.org>
Date: 2025-11-12T17:25:45Z
Lists: pgsql-hackers
> On 12 Nov 2025, at 15:15, Peter Eisentraut <peter@eisentraut.org> wrote:
> 
> On 07.11.25 21:26, Daniel Gustafsson wrote:
>> When I was writing tests for the SSL SNI patch [0] I realized that the current
>> tests for ssl passphrase commands aren't fully exercising the feature, so I
>> extended them to better understand how it works.  Attached is an extended set
>> of tests for passphrase protected keys where connection and reloads are tested
>> as well as their different characteristics on Windows.
>> The patchset also contains a small doc addition which documents the fact that
>> passphrase command reloading must be on when running on Windows (EXEC_BACKEND)
>> since every backend will issue a SSL configuration reload.
> 
> Your test code conflates $windows_os with EXEC_BACKEND.  It should work to enable EXEC_BACKEND on a non-Windows system and have everything work.  So I think that code needs to extract the actual EXEC_BACKEND setting somehow, instead of using the OS identity as a proxy.

As far as I know the only way to programmatically learn that from the Perl
testcode would be to check for the presence of the CONFIG_EXEC_PARAMS file in
$self->data_dir, which should be easy enough to do.  Do you know of a better
way?

> About the behavior that your documentation patch describes, I would like to have some kind of reflection of that in the code as well.  At least a comment near default_openssl_tls_init() maybe?  I haven't traced the code through, but I would be curious about what is different in an EXEC_BACKEND environment.  For example, is the argument isServerStart also true if it's not a server start?  Or should the setting actually be enforced directly on the GUC system?

It is documented in src/backend/tcop/backend_startup.c with the following
comment in BackendMain():

#ifdef EXEC_BACKEND

    /*
     * Need to reinitialize the SSL library in the backend, since the context
     * structures contain function pointers and cannot be passed through the
     * parameter file.
     *
     * If for some reason reload fails (maybe the user installed broken key
     * files), soldier on without SSL; that's better than all connections
     * becoming impossible.
     *
     * XXX should we do this in all child processes?  For the moment it's
     * enough to do it in backend children.
     */
#ifdef USE_SSL
    if (EnableSSL)
    {
        if (secure_initialize(false) == 0)
            LoadedSSL = true;

Calling secure_initialize with isServerStart == false will force a reload which
in turn requires the passphrase command to be reloadable if it is to work at
all.

Not sure if we need too much more than that, but maybe a note could be added to
be_tls_init that isServerStart will reflect config reloads as well as
EXEC_BACKEND?

--
Daniel Gustafsson




Commits

  1. doc: Clarify passphrase command reloading on Windows

  2. ssl: Add connection and reload tests for key passphrases

  3. Add GUC to show EXEC_BACKEND state