Re: PQgetssl() and alternative SSL implementations

On 08/19/2014 06:44 PM, Stephen Frost wrote:
>> >Hmm. That seems a bit too much. Perhaps provide just the certificate
>> >itself in DER/PEM format, and have the client parse it (using
>> >OpenSSL or something else) if it wants more details.
> I really don't care for that approach. Our SSL support has always been
> horrible- I was hoping we'd actually improve that situation. Adding
> things in piecemeal over time will just be painful for our users and I
> don't see why we should wait.

What would you like to do with the certificates?

I'm imagining that a GUI tool like pgAdmin might want to extract all
information from the certificate, display it in a window, and let the
user look at the whole chain and all the fields. Like a browser does
when you click the little lock icon in the address bar. That would be a
nice feature, but it's a huge effort to expose *all* certificate
information through attributes, especially if you want to support
multiple SSL libraries. If there was a generic "get attribute X"
interface in OpenSSL and all the other SSL libraries we wish to support,
we could provide a pass-through mechanism for that, so that e.g all
attributes that OpenSSL exposes were mapped to "server_cert_*". But I
don't think that exists in OpenSSL, let alone in other libraries, and
the attribute names would be all different anyway.

So that's not really feasible.

But if we provide an interface to grab the whole certificate chain, then
you can use any library you want to parse and present it to the user.
You could use OpenSSL, but you could also use a more light-weight parser
like libtasn1, or if you're writing a python app for example, whatever
x509 certificate handling library they have. You wouldn't be *verifying*
the certificates - that's handled by libpq (or rather, the SSL library
that libpq uses) - so no cryptography required.

Or you could just pass the whole cert to a 3rd party program
specifically written to display x509 certificates, and let it do the
parsing. I'll mention that the Windows Crypto API has a built-in
function called CryptUIDlgViewCertificate that pops up a dialog for
viewing the certificate. Very handy. I think it's the same dialog that
Internet Explorer uses.

If you want to write such a GUI from scratch, anyway, I think you would
be better off to *not* rely on libpq functions, so that you could use
the same GUI in other contexts too. Like to view an arbitrary
certificate file on the filesystem.

That said, if there's a need to extract some specific fields for some
other purpose than displaying the whole certificate to the user, let's
hear it.

- Heikki