
Re: using pgsql-odbc using client certificate auth

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: "Duffey, Blake A(dot)" <Blake(dot)Duffey(at)noblis(dot)org>
Cc: "pgsql-odbc(at)postgresql(dot)org" <pgsql-odbc(at)postgresql(dot)org>
Subject: Re: using pgsql-odbc using client certificate auth
Date: 2012-03-14 17:27:05
Message-ID: 20120314172704.GX3938@tamriel.snowman.net
Lists: pgsql-odbc
* Duffey, Blake A. (Blake(dot)Duffey(at)noblis(dot)org) wrote:
> What support does the current PG ODBC driver have for using client certificates for user authentication?  Anyone have any experience with this?

More specifically..  We're trying to make it work, but the ODBC driver
is crashing and we're not sure why.  The error information is:

Problem signature:
  Problem Event Name:	APPCRASH
  Application Name:	odbcad32.exe
  Application Version:	6.1.7600.16385
  Application Timestamp:	4a5bcd4c
  Fault Module Name:	CRYPT32.dll
  Fault Module Version:	6.1.7601.17514
  Fault Module Timestamp:	4ce7b841
  Exception Code:	c0000005
  Exception Offset:	0000e26b
  OS Version:	6.1.7601.2.1.0.144.8
  Locale ID:	1033
  Additional Information 1:	0a9e
  Additional Information 2:	0a9e372d3b4ad19135b953a78882e789
  Additional Information 3:	0a9e
  Additional Information 4:	0a9e372d3b4ad19135b953a78882e789

This is using the latest ODBC driver (we've tried both 32bit and 64bit
and received similar errors, the above is with the 32bit one).  We can
connect from this same system using client-side certificates with
pgAdmin (where we have to specify the file location of the key and
certificate), and we have the client certificate loaded into the
certificate store in Windows, so we know the PG server is configured
correctly and that the key and certificate work.

The 'mylog' file contains:

[9792-0.000]globals.extra_systable_prefixes = 'dd_;'
[9792-0.000]exe name=odbcad32 plaformId=2
[9792-0.015]aszKey='DSN', value='beren_test'
[9792-0.015]copyAttributes: DSN='beren_test',server='',dbase='',user='',passwd='xxxxx',port='',onlyread='',protocol='',conn_settings='',disallow_premature=-1)
[9792-0.062]getDSNinfo: DSN=beren_test overwrite=0
[9792-0.062]force_abbrev=0 bde=0 cvt_null_date=0
[9792-0.062]globals.extra_systable_prefixes = 'dd_;'
[9792-0.078]calling getDSNdefaults
[9792-0.078]checking libpq library
[9792-0.093]psqlodbc path based libpq loaded module=00000000
[9792-0.093]libpq hmodule=00000000
[9792-0.093]secur32 hmodule=74630000
[9792-0.093]libpq_exist=1
[9792-1.484]EN_add_connection: self = 00326A08, conn = 00326A38
[9792-1.484]       added at 0, conn->henv = 00326A08, conns[0]->henv = 00326A08

Also, looking through the source code, one thing which worries us is
that the CN in the certificate doesn't match the PG username we're
trying to use (though we've tried to make them match and that doesn't
help with the above error..).  We'd really like to not have those match
and instead have the ODBC driver use a specific certificate or have a
way to tell the ODBC driver which CN to use.

Any thoughts on this would be greatly appreciated.

	Thanks,

		Stephen
