Index: postgresql/src/backend/postmaster/be-secure.c
diff -c postgresql/src/backend/postmaster/be-secure.c:1.9 postgresql/src/backend/postmaster/be-secure.c:1.10
*** postgresql/src/backend/postmaster/be-secure.c:1.9	Sat May 25 01:44:46 2002
--- postgresql/src/backend/postmaster/be-secure.c	Sat May 25 02:16:09 2002
***************
*** 11,17 ****
   *
   *
   * IDENTIFICATION
!  *	  $Header: /usr/local/cvsroot/postgresql/src/backend/postmaster/be-secure.c,v 1.9 2002/05/25 07:44:46 bear Exp $
   *	  
   *	NOTES
   *
--- 11,17 ----
   *
   *
   * IDENTIFICATION
!  *	  $Header: /usr/local/cvsroot/postgresql/src/backend/postmaster/be-secure.c,v 1.10 2002/05/25 08:16:09 bear Exp $
   *	  
   *	NOTES
   *
***************
*** 79,85 ****
   *	  [*] server verifies client certificates
   *
   *	  milestone 5: provide informational callbacks
!  *	  [ ] provide informational callbacks
   *
   *	  other changes
   *	  [ ] tcp-wrappers
--- 79,85 ----
   *	  [*] server verifies client certificates
   *
   *	  milestone 5: provide informational callbacks
!  *	  [*] provide informational callbacks
   *
   *	  other changes
   *	  [ ] tcp-wrappers
***************
*** 141,146 ****
--- 141,147 ----
  static DH *load_dh_buffer(const char *, size_t);
  static DH *tmp_dh_cb(SSL *s, int is_export, int keylength);
  static int verify_cb(int, X509_STORE_CTX *);
+ static void info_cb(SSL *ssl, int type, int args);
  static int initialize_SSL(void);
  static void destroy_SSL(void);
  static int open_server_SSL(Port *);
***************
*** 555,561 ****
--- 556,601 ----
  	return ok;
  }
  
+ /*
+  *	This callback is used to copy SSL information messages
+  *	into the PostgreSQL log.
+  */
+ static void
+ info_cb (SSL *ssl, int type, int args)
+ {
+ 	if (DebugLvl < 2)
+ 		return;
  
+ 	switch (type)
+ 	{
+ 	case SSL_CB_HANDSHAKE_START:
+ 		elog(DEBUG, "SSL: handshake start");
+ 		break;
+ 	case SSL_CB_HANDSHAKE_DONE:
+ 		elog(DEBUG, "SSL: handshake done");
+ 		break;
+ 	case SSL_CB_ACCEPT_LOOP:
+ 		if (DebugLvl >= 3)
+ 			elog(DEBUG, "SSL: accept loop");
+ 		break;
+ 	case SSL_CB_ACCEPT_EXIT:
+ 		elog(DEBUG, "SSL: accept exit (%d)", args);
+ 		break;
+ 	case SSL_CB_CONNECT_LOOP:
+ 		elog(DEBUG, "SSL: connect loop");
+ 		break;
+ 	case SSL_CB_CONNECT_EXIT:
+ 		elog(DEBUG, "SSL: connect exit (%d)", args);
+ 		break;
+ 	case SSL_CB_READ_ALERT:
+ 		elog(DEBUG, "SSL: read alert (0x%04x)", args);
+ 		break;
+ 	case SSL_CB_WRITE_ALERT:
+ 		elog(DEBUG, "SSL: write alert (0x%04x)", args);
+ 		break;
+ 	}
+ }
+ 
  /*
   *	Initialize global SSL context.
   */
***************
*** 698,703 ****
--- 738,746 ----
  		port->peer_cn[sizeof(port->peer_cn)-1] = '\0';
  	}
  	elog(DEBUG, "secure connection from '%s'", port->peer_cn);
+ 
+ 	/* set up debugging/info callback */
+ 	SSL_CTX_set_info_callback(SSL_context, info_cb);
  
  	return 0;
  }
Index: postgresql/src/interfaces/libpq/fe-secure.c
diff -c postgresql/src/interfaces/libpq/fe-secure.c:1.8 postgresql/src/interfaces/libpq/fe-secure.c:1.10
*** postgresql/src/interfaces/libpq/fe-secure.c:1.8	Sat May 25 01:44:46 2002
--- postgresql/src/interfaces/libpq/fe-secure.c	Sat May 25 02:16:09 2002
***************
*** 11,17 ****
   *
   *
   * IDENTIFICATION
!  *	  $Header: /usr/local/cvsroot/postgresql/src/interfaces/libpq/fe-secure.c,v 1.8 2002/05/25 07:44:46 bear Exp $
   *	  
   * NOTES
   *	  The client *requires* a valid server certificate.  Since
--- 11,17 ----
   *
   *
   * IDENTIFICATION
!  *	  $Header: /usr/local/cvsroot/postgresql/src/interfaces/libpq/fe-secure.c,v 1.10 2002/05/25 08:16:09 bear Exp $
   *	  
   * NOTES
   *	  The client *requires* a valid server certificate.  Since
***************
*** 78,83 ****
--- 78,89 ----
   *	    $HOME/.postgresql/postgresql.key
   *	  respectively.
   *
+  *	  ...
+  *
+  *	  We don't provide informational callbacks here (like
+  *	  info_cb() in be-secure.c), since there's mechanism to
+  *	  display that information to the client.
+  *
   * OS DEPENDENCIES
   *	  The code currently assumes a POSIX password entry.  How should
   *	  Windows and Mac users be handled?
***************
*** 100,106 ****
   *	  [*] server verifies client certificates
   *
   *	  milestone 5: provide informational callbacks
!  *	  [ ] provide informational callbacks
   *
   *	  other changes
   *	  [ ] tcp-wrappers
--- 106,112 ----
   *	  [*] server verifies client certificates
   *
   *	  milestone 5: provide informational callbacks
!  *	  [*] provide informational callbacks
   *
   *	  other changes
   *	  [ ] tcp-wrappers
***************
*** 733,738 ****
--- 739,755 ----
  		return -1;
  	}
  	fclose(fp);
+ 
+ 	/* verify that the cert and key go together */
+ 	if (!X509_check_private_key(*x509, *pkey))
+ 	{
+ 		printfPQExpBuffer(&conn->errorMessage, 
+ 			libpq_gettext("certificate/private key mismatch (%s): %s\n"),
+ 			fnbuf, SSLerrmessage());
+ 		X509_free(*x509);
+ 		EVP_PKEY_free(*pkey);
+ 		return -1;
+ 	}
  
  	return 1;
  }