From: | Magnus Hagander <magnus(at)hagander(dot)net> |
---|---|
To: | Alvaro Herrera <alvherre(at)commandprompt(dot)com> |
Cc: | Alex Hunsaker <badalex(at)gmail(dot)com>, PG Hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Client certificate authentication |
Date: | 2008-11-17 12:39:09 |
Message-ID: | 492165ED.6080907@hagander.net |
Lists: | pgsql-hackers |

Alvaro Herrera wrote:
> Magnus Hagander wrote:
>> On 16 nov 2008, at 01.00, "Alex Hunsaker" <badalex(at)gmail(dot)com> wrote:
>
>>> My only concern is there is no way to specify the USER_CERT_FILE for
>>> libpq. So if for example I have two users that I want to use cert
>>> authentication for I really have to have two users on the system (or I
>>> guess maybe you could fake HOME=... psql -U other_user). Or am I
>> While not directly related to this patch, that is a very good point. We
>> have PGSSLKEY but not PGSSLCERT. Could certainly be worth adding.
>
> FWIW I think this was part of the patch submitted by Mark Woodward; see
> http://wiki.postgresql.org/wiki/CommitFest_2008-07, and
> http://archives.postgresql.org/message-id/20080801203157.GL4321@alvh.no-ip.org

Seems like it. I totally missed that one.

As for the patch itself - do we really want to #ifdef all parameters
out? There's no harm in accepting them for non-ssl connections (and
ignoring them), and that might make life easier on third party stuff
that fills in all parameters with their default values if they're not
specified. Like we support sslmode even if we're compiled without SSL.

And yes, sslkey and PGSSLKEY should be made the same thing, I think.

//Magnus