Re: using pgsql-odbc using client certificate auth

* Duffey, Blake A. (Blake(dot)Duffey(at)noblis(dot)org) wrote:
> What support does the current PG ODBC driver have for using client certificates for user authentication? Anyone have any experience with this?

More specifically.. We're trying to make it work, but the ODBC driver
is crashing and we're not sure why. The error information is:

Problem signature:
Problem Event Name: APPCRASH
Application Name: odbcad32.exe
Application Version: 6.1.7600.16385
Application Timestamp: 4a5bcd4c
Fault Module Name: CRYPT32.dll
Fault Module Version: 6.1.7601.17514
Fault Module Timestamp: 4ce7b841
Exception Code: c0000005
Exception Offset: 0000e26b
OS Version: 6.1.7601.2.1.0.144.8
Locale ID: 1033
Additional Information 1: 0a9e
Additional Information 2: 0a9e372d3b4ad19135b953a78882e789
Additional Information 3: 0a9e
Additional Information 4: 0a9e372d3b4ad19135b953a78882e789

This is using the latest ODBC driver (we've tried both 32bit and 64bit
and received similar errors, the above is with the 32bit one). We can
connect from this same system using client-side certificates with
pgAdmin (where we have to specify the file location of the key and
certificate), and we have the client certificate loaded in to the
certificate store in Windows, so we know the PG server is configured
correctly and that the key and certificate work.

The 'mylog' file contains:

[9792-0.000]globals.extra_systable_prefixes = 'dd_;'
[9792-0.000]exe name=odbcad32 plaformId=2
[9792-0.015]aszKey='DSN', value='beren_test'
[9792-0.015]copyAttributes: DSN='beren_test',server='',dbase='',user='',passwd='xxxxx',port='',onlyread='',protocol='',conn_settings='',disallow_premature=-1)
[9792-0.062]getDSNinfo: DSN=beren_test overwrite=0
[9792-0.062]force_abbrev=0 bde=0 cvt_null_date=0
[9792-0.062]globals.extra_systable_prefixes = 'dd_;'
[9792-0.078]calling getDSNdefaults
[9792-0.078]checking libpq library
[9792-0.093]psqlodbc path based libpq loaded module=00000000
[9792-0.093]libpq hmodule=00000000
[9792-0.093]secur32 hmodule=74630000
[9792-0.093]libpq_exist=1
[9792-1.484]EN_add_connection: self = 00326A08, conn = 00326A38
[9792-1.484] added at 0, conn->henv = 00326A08, conns[0]->henv = 00326A08

Also, looking through the source code, one thing which worries us is
that the CN in the certificate doesn't match the PG username we're
trying to use (though we've tried to make them match and that doesn't
help with the above error..). We'd really like to not have those match
and instead have the ODBC driver use a specific certificate or have a
way to tell the ODBC driver which CN to use.

Any thoughts on this would be greatly appreciated.

Thanks,

Stephen