Re: [Patch] add multiple client certificate selection feature

From: Cary Huang <cary(dot)huang(at)highgo(dot)ca>
To: "Pgsql Hackers" <pgsql-hackers(at)postgresql(dot)org>, "Daniel Gustafsson" <daniel(at)yesql(dot)se>
Subject: Re: [Patch] add multiple client certificate selection feature
Date: 2024-03-01 19:14:43
Message-ID: 18dfb70b395.daa73af1150452.8922306633808599181@highgo.ca
Lists: pgsql-hackers

Hello

I would like to share a version 2 patch for the multiple client certificate selection feature with several enhancements over v1. I removed the extra parameters "sslcertdir" and "sslkeydir". Instead, I reuse the existing sslcert, ssldir and sslpassword parameters but allow multiple entries to be supplied, separated by commas. This way, we are able to use a different sslpassword to decrypt different sslkey files based on the selected certificate. This was not possible in v1.

When a client is doing a TLS handshake with a server that requires client certificate, the client will obtain a list of trusted CA names from the server and try to match it from the list of certificates provided via sslcert option. A client certificate is chosen if its issuer matches one of the server’s trusted CA names. Once a certificate is chosen, the corresponding private key and sslpassword (if required) will be used to establish a secured TLS connection.

The feature is useful when a libpq client needs to communicate with multiple TLS-enabled PostgreSQL server instances with different TLS certificate setups. Instead of letting the application figure out which certificate to send to which server, we can configure all possible certificate candidates in libpq and have it choose the best one to use.


Hello Daniel

Sorry to bother. I am just wondering about your opinion on this feature. Should this be added to the commitfest for review? This feature involves certificates issued by different root CAs to test its ability to pick the right certificate, so the existing ssl tap test's certificate generation script needs an update to test this. I have not done so yet, because I would like to discuss it with you first.

Any comments and recommendations are welcome. Thank you!

Best regards

Cary Huang

Attachment Content-Type Size
v2-0001-multiple_client_certificate_selection_support.patch application/octet-stream 15.7 KB
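The selection rule described in the message (comma-separated sslcert/sslkey/sslpassword entries paired by position, and the candidate whose issuer matches one of the server's trusted CA names being chosen) modelled in Python as an added illustration; this is not code from the patch or from libpq. It assumes a constructed `issuers` mapping in place of reading the issuer DN out of each certificate file, and it simply returns None when nothing matches rather than asserting what the patch itself does in that case.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class ClientCert:
    """One candidate built from the comma-separated sslcert/sslkey/sslpassword lists."""
    cert_path: str
    key_path: str
    password: Optional[str]
    issuer: str  # issuer DN; constructed here instead of parsed from the PEM file


def split_list(value: str) -> List[str]:
    """Split a comma-separated parameter value into trimmed entries ('' -> [])."""
    return [item.strip() for item in value.split(",")] if value else []


def normalize_dn(dn: str) -> FrozenSet[str]:
    """Compare DNs as a set of RDNs so attribute order and spacing do not matter."""
    return frozenset(part.strip().lower() for part in dn.split(",") if part.strip())


def build_candidates(sslcert: str, sslkey: str, sslpassword: str,
                     issuers: Dict[str, str]) -> List[ClientCert]:
    """Pair entries by position; a length mismatch is a configuration error."""
    certs, keys, passwords = split_list(sslcert), split_list(sslkey), split_list(sslpassword)
    if len(certs) != len(keys):
        raise ValueError("sslcert and sslkey must have the same number of entries")
    if passwords and len(passwords) != len(certs):
        raise ValueError("sslpassword must be empty or have one entry per sslcert entry")
    return [ClientCert(c, k, passwords[i] if passwords else None, issuers[c])
            for i, (c, k) in enumerate(zip(certs, keys))]


def select_cert(candidates: List[ClientCert], server_ca_names: List[str]) -> Optional[ClientCert]:
    """Return the first candidate whose issuer is in the server's trusted CA list."""
    wanted = {normalize_dn(name) for name in server_ca_names}
    for cand in candidates:
        if normalize_dn(cand.issuer) in wanted:
            return cand
    return None


if __name__ == "__main__":
    # Constructed sample: two client certs from different root CAs.
    issuers = {"a.crt": "CN=Corp Root CA A,O=Example", "b.crt": "CN=Corp Root CA B,O=Example"}
    cands = build_candidates("a.crt,b.crt", "a.key,b.key", "pwA,pwB", issuers)
    print(select_cert(cands, ["O=Example, CN=Corp Root CA B"]))
```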
