From: | Cary Huang <cary(dot)huang(at)highgo(dot)ca> |
---|---|
To: | "Cary Huang" <cary(dot)huang(at)highgo(dot)ca> |
Cc: | "Pgsql Hackers" <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: [Patch] add multiple client certificate selection feature |
Date: | 2024-04-11 21:24:00 |
Message-ID: | 18ecf0bcb91.12a3ccae2180650.8884931128403332420@highgo.ca |
Lists: | pgsql-hackers |
Hello
I would like to share an updated patch that adds a feature to libpq to automatically select the best client certificate to send to the server (if it requests one). This feature is inspired by this email discussion years ago: https://www.postgresql.org/message-id/200905081539.n48Fdl2Y003286%40no.baka.org, which makes it easier for a single client to communicate over TLS with multiple TLS-enabled PostgreSQL servers with different certificate setups.
Instead of specifying just one sslcert, sslkey, or sslpassword, this patch allows multiple to be specified and libpq is able to pick the matching one to send to the PostgreSQL server based on the trusted CA names sent during the TLS handshake.
If anyone finds it useful and would like to give it a try, I wrote a blog on how to test and verify this feature here: https://www.highgo.ca/2024/03/28/procedure-to-multiple-client-certificate-feature/
Thank you
Best regards
Cary Huang
Attachment | Content-Type | Size |
---|---|---|
v3-0001-multiple_client_certificate_selection_support.patch | application/octet-stream | 16.3 KB |
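The selection described in the message, matching each candidate certificate's issuer against the CA names the server sends when it requests a client certificate, as an added example that is not taken from the attached patch or from libpq. It walks the raw certificate_authorities vector (the same layout in a TLS 1.2 CertificateRequest and in the TLS 1.3 certificate_authorities extension) with bounds checks; `struct candidate`, `select_candidate`, the file labels, the byte-for-byte name comparison and the empty-list fallback are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { SEL_NONE = -1, SEL_MALFORMED = -2 };  /* no match / broken framing */
/* Hypothetical candidate: file label plus the DER encoding of its issuer Name. */
struct candidate { const char *label; const uint8_t *issuer; size_t issuer_len; };

/* cas: contents of the certificate_authorities vector (after its own 2-byte
 * length), i.e. repeated { uint16 len; DER Name }. Returns the index of the
 * first candidate, in configured order, whose issuer is listed; 0 if no names. */
int select_candidate(const uint8_t *cas, size_t cas_len,
                     const struct candidate *cand, size_t ncand)
{
    size_t off, len, i;
    /* Pass 1: validate the framing before trusting any length field. */
    for (off = 0; off < cas_len; off += len) {
        if (cas_len - off < 2) return SEL_MALFORMED;
        len = ((size_t)cas[off] << 8) | cas[off + 1];
        off += 2;
        if (len == 0 || len > cas_len - off)
            return SEL_MALFORMED;
    }
    if (ncand == 0) return SEL_NONE;
    if (cas_len == 0) return 0;  /* assumption: no hint means "use the first" */
    /* Pass 2: framing is known good; try candidates in configured order. */
    for (i = 0; i < ncand; i++)
        for (off = 0; off < cas_len; off += len) {
            len = ((size_t)cas[off] << 8) | cas[off + 1];
            off += 2;
            if (len == cand[i].issuer_len && !memcmp(cas + off, cand[i].issuer, len))
                return (int)i;
        }
    return SEL_NONE;
}

/* Constructed sample data: DER for the single-RDN Name "CN=CA-<ch>" (17 bytes). */
#define DN(ch) 0x30,0x0f,0x31,0x0d,0x30,0x0b,0x06,0x03,0x55,0x04,0x03,0x0c,0x04,'C','A','-',ch
static const uint8_t DN_A[] = { DN('A') }, DN_B[] = { DN('B') };
static const struct candidate CANDS[] = {
    { "client-a.crt", DN_A, sizeof DN_A }, { "client-b.crt", DN_B, sizeof DN_B } };
static const uint8_t LIST_CB[] = { 0x00, 0x11, DN('C'), 0x00, 0x11, DN('B') }; /* trusts CA-C, CA-B */
static const uint8_t LIST_C[]  = { 0x00, 0x11, DN('C') };                      /* trusts CA-C only */

int main(void)
{
    int i = select_candidate(LIST_CB, sizeof LIST_CB, CANDS, 2);
    puts(i >= 0 ? CANDS[i].label : "(no certificate sent)");
    return 0;
}
```

A client built on OpenSSL would compare names with `X509_NAME_cmp` rather than raw bytes, since two encodings of the same name can differ.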