| From: | pgsql(at)mohawksoft(dot)com |
|---|---|
| To: | "Andrew Dunstan" <andrew(at)dunslane(dot)net> |
| Cc: | pgsql-hackers(at)postgresql(dot)org |
| Subject: | Re: SSL and USER_CERT_FILE |
| Date: | 2008-05-15 13:31:10 |
| Message-ID: | 55527.24.60.196.157.1210858270.squirrel@mail.mohawksoft.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
> Mark Woodward wrote:
>> I am using PostgreSQL's SSL support and the conventions for the key and
>> certifications don't make sense from the client perspective. Especially
>> under Windows.
>>
>> I am proposing a few simple changes:
>>
>> Adding two API
>> void PQsetSSLUserCertFileName(char *filename)
>> {
>> user_crt_filename = strdup(filename);
>> }
>> PQsetSSLUserKeyFileName(char *filename)
>> {
>> user_key_filename = strdup(filename);
>> }
>>
>>
>>
> [snip]
>> Any comments?
>>
>>
>
>
> I think it would probably be much better to allow for some environment
> variables to specify the locations of the client certificate and key
> (and the CA cert and CRL) - c.f. PGPASSFILE.
>
> That way not only could these be set by C programs but by any libpq user
> (I'm sure driver writers who use libpq don't want to have to bother with
> this stuff.) And we wouldn't need to change the API at all.
>
The problem I have with environment variables is that they tend not to be
application specific and almost always lead to configuration issues. As a
methodology for default configuration, it adds flexibility. Also, the
current configuration does not easily take in to consideration the idea
that different databases with different keys can be used from the same
system the same user.
Maybe we need to go even further and add it to the PQconnect API
sslkey=filename and sslcrt=filename in addition to sslmode?
| From | Date | Subject | |
|---|---|---|---|
| Next Message | pgsql | 2008-05-15 13:49:58 | Re: SSL and USER_CERT_FILE |
| Previous Message | Mark Woodward | 2008-05-15 12:47:32 | SSL and USER_CERT_FILE |