| From: | Bruce Momjian <bruce(at)momjian(dot)us> |
|---|---|
| To: | Craig Perras <cperras(at)u(dot)washington(dot)edu> |
| Cc: | pgsql-admin(at)postgresql(dot)org |
| Subject: | Re: ssl-info, enforcing list of common-names |
| Date: | 2009-01-08 03:19:38 |
| Message-ID: | 200901080319.n083Jc214094@momjian.us |
| Lists: | pgsql-admin |
Would someone please reply to this question.
---------------------------------------------------------------------------
Craig Perras wrote:
> Hi -
>
> A couple things. I noticed that these two functions return NULL (or empty
> string):
>
> select ssl_issuer_dn();
> select ssl_client_dn();
>
> However, I can get specific fields:
>
> select '/CN=' || ssl_issuer_field('commonName')
> || '/C=' || ssl_issuer_field('countryName')
> || '/O=' || ssl_issuer_field('organizationName')
> ;
>
> --returns "/CN=UW Services CA/C=US/O=University of Washington"
>
> I'm thinking of using an authorization scheme in which I check a list of
> valid certificate common-names, and, if the current client has no cert or
> is not in the list, they have no access (maybe force a logout). Is this
> feasible and/or advisable? I'll only have a single trusted CA.
>
> Any help is appreciated!
>
> thanks,
> --craig
--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ If your life is a hard drive, Christ can be your backup. +
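
The common-name allowlist check described in the quoted question, written out as an added example that is not part of either e-mail or of PostgreSQL itself. It assumes the sslinfo contrib module is installed and that the server already verifies client certificates against the single trusted CA; the table name, function names and sample common name are hypothetical.

```sql
-- Added example. All object names here are hypothetical.
-- Assumption: sslinfo is installed in this database and the server only
-- accepts client certificates signed by the one trusted CA.

-- Allowlist of certificate common names permitted to use the database.
CREATE TABLE allowed_client_cn (
    common_name text PRIMARY KEY
);

-- Constructed sample entry.
INSERT INTO allowed_client_cn (common_name) VALUES ('alice.example.test');

-- True only when the session uses SSL, the client presented a
-- certificate, and its commonName is on the allowlist.
-- ssl_client_dn_field() returns NULL when there is no client certificate,
-- so COALESCE turns every "unknown" outcome into a denial.
CREATE FUNCTION client_cn_allowed() RETURNS boolean
LANGUAGE sql STABLE AS $$
    SELECT COALESCE(
        ssl_is_used()
        AND ssl_client_cert_present()
        AND EXISTS (
            SELECT 1
            FROM allowed_client_cn a
            WHERE a.common_name = ssl_client_dn_field('commonName')
        ),
        false);
$$;

-- Gate form: raises an error instead of returning false, so a caller
-- cannot ignore the result by accident.
CREATE FUNCTION require_allowed_client_cn() RETURNS void
LANGUAGE plpgsql STABLE AS $$
BEGIN
    IF NOT client_cn_allowed() THEN
        RAISE EXCEPTION 'client certificate common name is not authorized';
    END IF;
END;
$$;

-- Example call at the start of a session:
-- SELECT require_allowed_client_cn();
```

The check runs only where it is called, so it restricts access only for code paths that invoke it (for example the application's connection setup, or views and functions that call it before touching data). Sessions that never call it are limited only by ordinary role privileges.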