| From: | pgsql(at)mohawksoft(dot)com |
|---|---|
| To: | "Steve Atkins" <steve(at)blighty(dot)com> |
| Cc: | "PostgreSQL-development list" <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: SSL and USER_CERT_FILE |
| Date: | 2008-05-15 13:53:13 |
| Message-ID: | 34938.24.60.196.157.1210859593.squirrel@mail.mohawksoft.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
>
> On May 15, 2008, at 6:31 AM, pgsql(at)mohawksoft(dot)com wrote:
>
>>> Mark Woodward wrote:
>>>> I am using PostgreSQL's SSL support and the conventions for the
>>>> key and
>>>> certifications don't make sense from the client perspective.
>>>> Especially
>>>> under Windows.
>>>>
>>>> I am proposing a few simple changes:
>>>>
>>>> Adding two API
>>>> void PQsetSSLUserCertFileName(char *filename)
>>>> {
>>>> user_crt_filename = strdup(filename);
>>>> }
>>>> PQsetSSLUserKeyFileName(char *filename)
>>>> {
>>>> user_key_filename = strdup(filename);
>>>> }
>>>>
>>>>
>>>>
>>> [snip]
>>>> Any comments?
>>>>
>>>>
>>>
>>>
>>> I think it would probably be much better to allow for some
>>> environment
>>> variables to specify the locations of the client certificate and key
>>> (and the CA cert and CRL) - c.f. PGPASSFILE.
>>>
>>> That way not only could these be set by C programs but by any libpq
>>> user
>>> (I'm sure driver writers who use libpq don't want to have to bother
>>> with
>>> this stuff.) And we wouldn't need to change the API at all.
>>>
>>
>> The problem I have with environment variables is that they tend not
>> to be
>> application specific and almost always lead to configuration issues.
>> As a
>> methodology for default configuration, it adds flexibility. Also, the
>> current configuration does not easily take in to consideration the
>> idea
>> that different databases with different keys can be used from the same
>> system the same user.
>
> Environment variables don't have to be set in your shell.
>
> This would seem to give the same functionality you suggest above,
> given support for environment variables:
>
> void PQsetSSLUserCertFileName(char * filename)
> {
> setenv("PGCERTFILE", filename);
> }
>
> void PQsetSSLUserKeyFileName(char *filename)
> {
> setenv("PGKEYFILE", filename);
> }
>
> Or, in perl, $ENV{PGKEYFILE} = $file and so on. It seems
> less intrusive than adding new API calls.
>
> Cheers,
> Steve
Doesn't it make sense that the connection be configured in one place? I
agree with Tom, if it should be done, it should be done in PQconnectdb.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2008-05-15 13:55:50 | Re: [rfc,patch] PL/Proxy in core |
| Previous Message | Andrew Dunstan | 2008-05-15 13:52:29 | Re: SSL and USER_CERT_FILE |