Re: libpq sslpassword parameter and callback function

From: Andrew Dunstan <andrew(dot)dunstan(at)2ndquadrant(dot)com>
To: PostgreSQL Hackers <pgsql-hackers(at)lists(dot)postgresql(dot)org>
Subject: Re: libpq sslpassword parameter and callback function
Date: 2019-11-28 00:06:10
Message-ID: 29cb8b8d-ff6c-462a-7a25-4024ded44d99@2ndQuadrant.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers


On 11/25/19 4:09 PM, Andrew Dunstan wrote:
> On 10/31/19 7:27 PM, Andrew Dunstan wrote:
>> On 10/31/19 6:34 PM, Andrew Dunstan wrote:
>>> This time with attachment.
>>>
>>>
>>> On 10/31/19 6:33 PM, Andrew Dunstan wrote:
>>>> This patch provides for an sslpassword parameter for libpq, and a hook
>>>> that a client can fill in for a callback function to set the password.
>>>>
>>>>
>>>> This provides similar facilities to those already available in the JDBC
>>>> driver.
>>>>
>>>>
>>>> There is also a function to fetch the sslpassword from the connection
>>>> parameters, in the same way that other settings can be fetched.
>>>>
>>>>
>>>> This is mostly the excellent work of my colleague Craig Ringer, with a
>>>> few embellishments from me.
>>>>
>>>>
>>>> Here are his notes:
>>>>
>>>>
>>>>     Allow libpq to non-interactively decrypt client certificates that
>>>> are stored
>>>>     encrypted by adding a new "sslpassword" connection option.
>>>>    
>>>>     The sslpassword option offers a middle ground between a cleartext
>>>> key and
>>>>     setting up advanced key mangement via openssl engines, PKCS#11, USB
>>>> crypto
>>>>     offload and key escrow, etc.
>>>>    
>>>>     Previously use of encrypted client certificate keys only worked if
>>>> the user
>>>>     could enter the key's password interactively on stdin, in response
>>>> to openssl's
>>>>     default prompt callback:
>>>>    
>>>>         Enter PEM passhprase:
>>>>    
>>>>     That's infesible in many situations, especially things like use from
>>>>     postgres_fdw.
>>>>    
>>>>     This change also allows admins to prevent libpq from ever prompting
>>>> for a
>>>>     password by calling:
>>>>    
>>>>         PQsetSSLKeyPassHook(PQdefaultSSLKeyPassHook);
>>>>    
>>>>     which is useful since OpenSSL likes to open /dev/tty to prompt for a
>>>> password,
>>>>     so even closing stdin won't stop it blocking if there's no user
>>>> input available.
>>>>     Applications may also override or extend SSL password fetching with
>>>> their own
>>>>     callback.
>>>>    
>>>>     There is deliberately no environment variable equivalent for the
>>>> sslpassword
>>>>     option.
>>>>
>>>>
>> I should also mention that this patch provides for support for DER
>> format certificates and keys.
>>
>>
>
> Here's an updated version of the patch, adjusted to the now committed
> changes to TestLib.pm.
>
>

Here's an update now we have backed out the TestLib changes. The tests
that need a pty are skipped.

cheers

andrew

--

Andrew Dunstan https://www.2ndQuadrant.com
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services

Attachment Content-Type Size
0001-libpq-sslpassword-der-support.patch text/x-patch 27.4 KB

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Bruce Momjian 2019-11-28 01:26:17 Re: format of pg_upgrade loadable_libraries warning
Previous Message Jeff Davis 2019-11-27 22:58:04 Re: Memory-Bounded Hash Aggregation