From: | Andrew Dunstan <andrew(at)dunslane(dot)net> |
---|---|
To: | PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org> |
Subject: | SSL Client Certificate pass phrases |
Date: | 2011-01-25 23:25:55 |
Message-ID: | 4D3F5C03.1090402@dunslane.net |
Lists: | pgsql-hackers |

I had a requirement the other day to support a connection using an SSL
Client certificate. I set this up, and it worked nicely. But there's a
fly in the ointment. While the openssl libraries will ask for a pass
phrase for the key file if required when running psql, this is not
usable in other circumstances. pgAdminIII fails on it miserably, and so
does a dblink connection. The first is especially important, because it
makes the use of client certificates in fact quite dangerous when the
client is running on a laptop computer which is liable to be stolen. I
actually have requirements to make both these cases work if possible.

ISTM we need to be able to supply a pass phrase to libpq (via the
options?) which would allow libpq to call
SSL_CTX_set_default_passwd_cb_userdata or something similar which would
allow the key file to be unlocked.

Thoughts?

cheers

andrew
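
The mechanism proposed above, as an added example that is not part of the original message and is not libpq code: an OpenSSL pass phrase callback that returns an application-supplied phrase through the userdata pointer, so no terminal prompt is needed. The names `key_passphrase`, `passphrase_cb`, `load_client_key` and the `USE_OPENSSL` build macro are hypothetical; the OpenSSL calls are only compiled when that macro is defined.

```c
#include <string.h>
#ifdef USE_OPENSSL              /* build with -DUSE_OPENSSL -lssl -lcrypto */
#include <openssl/ssl.h>
#endif

/* Hypothetical holder for a pass phrase the application obtained itself
 * (GUI prompt, connection option, ...). Not a libpq structure. */
struct key_passphrase {
    const char *phrase;
};

/* Has the pem_password_cb signature: OpenSSL calls it when the PEM key is
 * encrypted. Returns the pass phrase length, or -1 to report an error. */
static int passphrase_cb(char *buf, int size, int rwflag, void *userdata)
{
    const struct key_passphrase *kp = userdata;
    size_t len;

    (void) rwflag;              /* 0 = decrypting, the only use here */
    if (kp == NULL || kp->phrase == NULL || buf == NULL || size <= 0)
        return -1;
    len = strlen(kp->phrase);
    if (len == 0 || len >= (size_t) size)
        return -1;              /* never hand OpenSSL a truncated phrase */
    memcpy(buf, kp->phrase, len + 1);
    return (int) len;
}

#ifdef USE_OPENSSL
/* Register the callback before loading the key, so the library does not
 * fall back to prompting on the terminal. Returns 1 on success, else 0. */
static int load_client_key(SSL_CTX *ctx, const char *certfile,
                           const char *keyfile, struct key_passphrase *kp)
{
    SSL_CTX_set_default_passwd_cb(ctx, passphrase_cb);
    SSL_CTX_set_default_passwd_cb_userdata(ctx, kp);
    if (SSL_CTX_use_certificate_chain_file(ctx, certfile) != 1)
        return 0;
    if (SSL_CTX_use_PrivateKey_file(ctx, keyfile, SSL_FILETYPE_PEM) != 1)
        return 0;
    return SSL_CTX_check_private_key(ctx) == 1;
}
#endif
```

The callback fails closed when the phrase is missing or does not fit the buffer, which makes the key load fail instead of attempting decryption with a shortened phrase.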