Re: Certificate, login & php question ?

On Mon, Sep 11, 2006 at 02:32:26AM +0200, Jean-Gerard Pailloncy wrote:
> I have setup an apache server with SSL.
> I create a CA, serker.key, server.crt.
> I create a user.key and user.cert.
> Now the apache server accept only the correct certificate for login
> on a given directory.
>
> I have a PHP script that query the database using the HTTP login/
> password as PostgreSQL user/password.
>
> I plan to add the same SSL setup to PostreSQL.
> 1) Is it possible to use the SSL authentification done by apache with
> PostgreSQL ?

I don't think so. If the PHP script makes an SSL connection to
PostgreSQL and PostgreSQL requests a client certificate, then the
PHP script will need access to a private key to respond correctly.
The HTTP client's private key won't be available to Apache/PHP (at
least not via the HTTP connection) so the script will need to use
a private key of its own. I'm not aware of a way for Apache to
proxy PostgreSQL's SSL negotiation with the PHP script back to the
HTTP client.

> 2) How the DN of the certificate is match against an PostgreSQL role ?

As far as I can tell no such matching is done. I can make SSL
connections to PostgreSQL as any user with the same certificate,
and I don't see anything in the documentation that allows that to
be configured. If I've overlooked something then somebody please
point it out.

--
Michael Fuhr