Skip site navigation (1) Skip section navigation (2)

SSL Client Certificate pass phrases

From: Andrew Dunstan <andrew(at)dunslane(dot)net>
To: PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: SSL Client Certificate pass phrases
Date: 2011-01-25 23:25:55
Message-ID: 4D3F5C03.1090402@dunslane.net (view raw or flat)
Thread:
Lists: pgsql-hackers
I had a requirement the other day to support a connection using an SSL 
Client certificate. I set this up, and it worked nicely. But there's a 
fly in the ointment. While the openssl libraries will ask for a pass 
phrase for the key file if required when running psql, this is not 
usable in other circumstances. pgAdminIII fails on it miserably, and so 
does a dblink connection. The first is especially important, because it 
makes the use of client certificates in fact quite dangerous when the 
client is a running on a laptop computer which is liable to be stolen. I 
actually have requirements to make both these cases work if possible.

ISTM we need to be able to supply a pass phrase to libpq (via the 
options?) which would allow libpq to call 
|SSL_CTX_set_default_passwd_cb_userdata or something similar which would 
allow the key file to be unlocked.

Thoughts?

cheers

andrew
|

pgsql-hackers by date

Next:From: Robert HaasDate: 2011-01-25 23:40:08
Subject: Re: ALTER TYPE 2: skip already-provable no-work rewrites
Previous:From: Peter EisentrautDate: 2011-01-25 22:43:36
Subject: Re: Perl 5.12 complains about ecpg parser-hacking scripts

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group