Re: PQgetssl() and alternative SSL implementations

* Heikki Linnakangas (hlinnakangas(at)vmware(dot)com) wrote:
> server_cert_valid: Did the server present a valid certificate?
> "yes" or "no"
>
> server_cert_matches_host: Does the Common Name of the certificate
> match the host connected to? "yes" or "no"

Aren't these questions addressed by sslmode?

> Exposing the SSL information as generic key/value pairs allows
> adding more attributes in the future, without breaking the ABI, and
> it also allows exposing implementation-specific information in a
> generic way. The attributes listed above cover the needs of psql.
> What else do we need?

At first blush, I'd say a whole bunch.. Off the top of my head I can
think of:

For all certificates:
(client, server, cert that signed each, any intermediate CAs, root CAs)
Certificate itself (perhaps in DER, PEM, X509 formats..)
Fingerprint
Signed-By info
Common Name
Organization (et al)
Alternate names
Issue date, expiration date
CRL info, OCSP info
Allowed usage (encryption, signing, etc)

CRL checking done?
OCSP used?

> I think it would also be nice to get more information from the
> server's certificate, like the hostname and the organization its
> issued to, and expiration date, so that an interactive client like
> pgAdmin or even psql could display that information like a web
> browser does. Would it be best to add those as extra attributes in
> the above list, perhaps with a "server_cert_*" prefix, or add a new
> function for extracting server cert's attributes?

This really shouldn't be for *just* the server's certificate but rather
available for all certificates involved- on both sides.

> The other question is: What do we do with PQgetssl()? We should
> document it as deprecated, but we'll have to keep it around for the
> foreseeable future for backwards-compatibility. We obviously cannot
> return a valid OpenSSL struct when using any other implementation,
> so I think it'll have to just return NULL when not using OpenSSL.
> Probably the most common use of PQgetssl() is to just check if it
> returns NULL or not, to determine if SSL is enabled, so a client
> that does that would incorrectly think that SSL is not used, even
> when it is. I think we can live with that.

That's not ideal, but the only other option I can think of offhand is to
break the existing API and force everyone to update and that seems
worse.

Have you looked at how this change will play out with the ODBC driver..?
Especially on Windows with the SSL library you're proposing we use
there.. I recall that at one point the ODBC driver simply used libpq to
handle the authentication and set everything up, and then switched to
talking directly without libpq. In any case, it'd probably be good to
make sure the attributes you're suggesting are sufficient to meet the
needs of the ODBC driver too.

Thanks,

Stephen